top of page
Search

MOVEit SQLi Vulnearbility - CVE-2023-34326

Hello Everyone.

Welcome to Bug XS Blog.

In this blog we will be having a look on the CVE-2023-34362 which was reported recently (May-2023) .


CVE-2023-34362 in a nutshell

This vulnerability has been discovered in MOVEit Transfer, a file transfer software, which could result in escalated privileges and unauthorized access to the system. This means that an attacker could gain higher levels of control and potentially compromise the environment.

It is crucial for MOVEit Transfer customers to take immediate action to protect their systems. This may involve applying security patches or following specific instructions provided by the software vendor. By addressing this vulnerability promptly, customers can minimize the risk of unauthorized access and safeguard their MOVEit Transfer environment.


SQL INJECTION

An SQL injection vulnerability has been found in MOVEit transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database .

An attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database which results in getting the backdoor/payload


What is happening behind the scene?

In simple words the attackers take advantage of this vulnerability to create a file named "human2.aspx" within the "C:\MOVEitTransfer\wwwroot" directory (the exact path may vary in different installations). This file is used to set up a SQL database account, which the attackers can then use to gain further unauthorized access and perform malicious activities.


Video PoC


Review of the “human2.aspx” file


Probable Steps attacker used to exploit MOVEit Software


  1. App check - GET / - on port 443

  2. Health check - POST /guestaccess.aspx - on port 443

  3. Check token - POST /api/v1/token - on port 443

  4. Check folder - GET /api/v1/folders - on port 443

  5. Upload file - POST /api/v1/folders/[PATH]/files uploadType=resumable - on port 443

  6. Post data - POST /machine2.aspx on port 80

  7. Perform SQL injection - POST /moveitisapi/moveitisapi.dll - on port 443

  8. Prepare session - POST /guestaccess.aspx - on port 443

  9. Upload file - PUT /api/v1/folders/[PATH]/files uploadType=resumable&fileId=[FILEID] - on port 443

  10. Post data - /machine2.aspx - on port 80

  11. Access WebShell - GET /human2.aspx - on port 443


Versions Affected

This MOVEit Transfer critical vulnerability exploit impacts the following versions of the software

  • MOVEit Transfer 2023.0.0

  • MOVEit Transfer 2022.1.x

  • MOVEit Transfer 2022.0.x

  • MOVEit Transfer 2021.1.x

  • MOVEit Transfer 2021.0.x

  • MOVEit Transfer 2020.1.x

  • MOVEit Transfer 2020.0.x

Organisations affected ?

Although the exact number of affected organizations remains uncertain, available data suggests that numerous prominent institutions have fallen victim to this vulnerability.


The illicit backdoor, referred to as a web shell, was most likely planted as a result of successfully exploiting CVE-2023-34362. This backdoor was identified through a public file scanning service operating in the United States, the United Kingdom, Germany, Italy, India, and Pakistan. Consequently, it is highly probable that potential targets are located within these countries.


Indicators of compromise (IOCS)

Indicators of Compromise (IOCs) are pieces of evidence or artifacts that suggest a computer system or network has been compromised or breached by malicious actors. IOCs can be used to identify and investigate security incidents .Here are few of the indicators for this vulnerability.




If you cannot notice any indicators from the above mentioned screenshot then visit https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 for further information


Mitigations:

  1. Apply the patches to their respective versions. We can always look up to the documentation https://community.progress.com/s/products/moveit/product-lifecycle

  2. If updating with the above patch is not feasible for your organization, their suggested mitigation is to disable HTTP(s) traffic to MOVEit Transfer by adding firewall deny rules to ports 80 and 443. Note that this will essentially take your MOVEit Transfer application out of service.

  3. Remove all the active sessions

  4. Remove any unauthorized user

References


  1. https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/

  2. https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response

  3. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a


Thank you for your time.


Until next time...


Bug XS Team


204 views0 comments

Recent Posts

See All

تعليقات


bottom of page