From bcb29c8f6b06349a42a03a0c90abc51e082e64d5 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 9 May 2025 09:48:35 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2025-31161 rule --- .../crowdsecurity/vpatch-CVE-2025-31161.yaml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2025-31161.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-31161.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-31161.yaml new file mode 100644 index 00000000000..2e12e742269 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-31161.yaml @@ -0,0 +1,42 @@ +## autogenerated on 2025-05-09 09:48:32 +name: crowdsecurity/vpatch-CVE-2025-31161 +description: 'Detects authentication bypass in CrushFTP via crafted Authorization header and specific endpoint.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /webinterface/function/ + - zones: + - ARGS + variables: + - command + transform: + - lowercase + match: + type: equals + value: getuserlist + - zones: + - HEADERS + variables: + - authorization + transform: + - lowercase + match: + type: contains + value: aws4-hmac-sha256 credential=crushadmin/ + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'CrushFTP - Authentication Bypass' + classification: + - cve.CVE-2025-31161 + - attack.T1190 + - cwe.CWE-287 From 1cd1f4c17a5d5f8858f46e7991286d5f75307fd9 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 9 May 2025 09:48:37 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2025-31161 test config --- .appsec-tests/vpatch-CVE-2025-31161/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-31161/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-31161/config.yaml b/.appsec-tests/vpatch-CVE-2025-31161/config.yaml new file mode 100644 index 00000000000..0119fab4356 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-31161/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2025-05-09 09:48:32 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-31161.yaml +nuclei_template: CVE-2025-31161.yaml From f5a9b2325d812da5b62c0ef8446d6d9d59edac5b Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 9 May 2025 09:48:39 +0200 Subject: [PATCH 3/4] Add CVE-2025-31161 test --- .../vpatch-CVE-2025-31161/CVE-2025-31161.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-31161/CVE-2025-31161.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-31161/CVE-2025-31161.yaml b/.appsec-tests/vpatch-CVE-2025-31161/CVE-2025-31161.yaml new file mode 100644 index 00000000000..2148fab7acd --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-31161/CVE-2025-31161.yaml @@ -0,0 +1,20 @@ +## autogenerated on 2025-05-09 09:48:32 +id: CVE-2025-31161 +info: + name: CVE-2025-31161 + author: crowdsec + severity: info + description: CVE-2025-31161 testing + tags: appsec-testing +http: + - raw: + - | + GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=1234 HTTP/1.1 + Cookie: CrushAuth=1234567890123_abcdefghijklmnopqrstuvwxyz1234; currentAuth=1234 + Host: {{Hostname}} + Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/ + cookie-reuse: true + matchers: + - type: status + status: + - 403 From db22ffba8647cb9cb856ccf46ac04f425dfc2052 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 9 May 2025 09:48:40 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2025-31161 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index be69426f031..9b2f69552c2 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -90,6 +90,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2024-27292 - crowdsecurity/vpatch-CVE-2025-24893 - crowdsecurity/vpatch-CVE-2021-43798 +- crowdsecurity/vpatch-CVE-2025-31161 author: crowdsecurity contexts: - crowdsecurity/appsec_base