
MOVEit SQLi Vulnerability - CVE-2023-34362

Writer: Dhruv Gupta

Hello Everyone.

Welcome to Bug XS Blog.

In this blog we will take a look at CVE-2023-34362, which was reported recently (May 2023).


CVE-2023-34362 in a nutshell

This vulnerability has been discovered in MOVEit Transfer, a file transfer software, which could result in escalated privileges and unauthorized access to the system. This means that an attacker could gain higher levels of control and potentially compromise the environment.

It is crucial for MOVEit Transfer customers to take immediate action to protect their systems. This may involve applying security patches or following specific instructions provided by the software vendor. By addressing this vulnerability promptly, customers can minimize the risk of unauthorized access and safeguard their MOVEit Transfer environment.


SQL INJECTION

An SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database.

An attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements; in the observed attacks this is what led to the backdoor/payload being placed on the server.


What is happening behind the scene?

In simple words, the attackers take advantage of this vulnerability to create a file named "human2.aspx" within the "C:\MOVEitTransfer\wwwroot" directory (the exact path may vary between installations). This file is used to set up a SQL database account, which the attackers can then use to gain further unauthorized access and perform malicious activities.


Video PoC


Review of the “human2.aspx” file


Probable steps the attacker used to exploit the MOVEit software


  1. App check - GET / - on port 443

  2. Health check - POST /guestaccess.aspx - on port 443

  3. Check token - POST /api/v1/token - on port 443

  4. Check folder - GET /api/v1/folders - on port 443

  5. Upload file - POST /api/v1/folders/[PATH]/files uploadType=resumable - on port 443

  6. Post data - POST /machine2.aspx - on port 80

  7. Perform SQL injection - POST /moveitisapi/moveitisapi.dll - on port 443

  8. Prepare session - POST /guestaccess.aspx - on port 443

  9. Upload file - PUT /api/v1/folders/[PATH]/files uploadType=resumable&fileId=[FILEID] - on port 443

  10. Post data - /machine2.aspx - on port 80

  11. Access WebShell - GET /human2.aspx - on port 443


Versions Affected

This MOVEit Transfer critical vulnerability impacts the following versions of the software:

  • MOVEit Transfer 2023.0.0

  • MOVEit Transfer 2022.1.x

  • MOVEit Transfer 2022.0.x

  • MOVEit Transfer 2021.1.x

  • MOVEit Transfer 2021.0.x

  • MOVEit Transfer 2020.1.x

  • MOVEit Transfer 2020.0.x

Organisations affected?

Although the exact number of affected organizations remains uncertain, available data suggests that numerous prominent institutions have fallen victim to this vulnerability.


The illicit backdoor, referred to as a web shell, was most likely planted as a result of successfully exploiting CVE-2023-34362. This backdoor was identified through a public file scanning service operating in the United States, the United Kingdom, Germany, Italy, India, and Pakistan. Consequently, it is highly probable that potential targets are located within these countries.


Indicators of compromise (IOCs)

Indicators of Compromise (IOCs) are pieces of evidence or artifacts that suggest a computer system or network has been compromised or breached by malicious actors. IOCs can be used to identify and investigate security incidents. Here are a few of the indicators for this vulnerability.




If you cannot make out any indicators from the screenshot above, visit https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 for further information.
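As an added example (not part of the original post or of any vendor tooling), the following Python script scans IIS W3C log lines for the request paths named in the exploitation steps and IOC section above (machine2.aspx on port 80, moveitisapi.dll, human2.aspx) and flags clients that show the SQLi-then-web-shell sequence. The log lines and the field layout are constructed assumptions; adjust the field indices to match the `#Fields:` header of your own logs.

```python
"""Scan IIS W3C log lines for the CVE-2023-34362 request pattern (added example).
Assumed field layout: date time s-ip cs-method cs-uri-stem cs-uri-query
s-port cs-username c-ip cs(User-Agent) sc-status."""
from collections import defaultdict

# Request paths named in the exploitation steps and IOC section of this post.
SUSPICIOUS = {
    ("GET", "/human2.aspx"): "web shell access (human2.aspx)",
    ("POST", "/machine2.aspx"): "post data to machine2.aspx (port 80)",
    ("POST", "/moveitisapi/moveitisapi.dll"): "SQLi request to moveitisapi.dll",
}

def parse_line(line):
    """Split one W3C log line into a dict; None for comments, blanks, short lines."""
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 11:
        return None
    return {"method": f[3].upper(), "uri": f[4].lower(), "port": f[6],
            "client": f[8], "status": f[10]}

def find_indicators(lines):
    """Return (hits, chained): every suspicious request as (client_ip, reason),
    plus the sorted clients that POSTed to moveitisapi.dll and later requested
    human2.aspx, i.e. the SQLi-then-web-shell sequence from the steps above."""
    hits, seen_sqli, chained = [], defaultdict(bool), set()
    for raw in lines:
        r = parse_line(raw)
        if r is None:
            continue
        key = (r["method"], r["uri"])
        if key in SUSPICIOUS:
            hits.append((r["client"], SUSPICIOUS[key]))
        if key == ("POST", "/moveitisapi/moveitisapi.dll"):
            seen_sqli[r["client"]] = True
        elif r["uri"] == "/human2.aspx" and seen_sqli[r["client"]]:
            chained.add(r["client"])
    return hits, sorted(chained)

# Constructed sample log (not real traffic); the last line is benign use of human.aspx.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 01:00:01 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2023-05-28 01:00:05 10.0.0.5 POST /machine2.aspx - 80 - 203.0.113.10 Mozilla/5.0 200
2023-05-28 01:00:06 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 203.0.113.10 Mozilla/5.0 200
2023-05-28 01:00:09 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2023-05-28 01:05:00 10.0.0.5 GET /human.aspx - 443 alice 198.51.100.7 Mozilla/5.0 200
""".splitlines()
```

Run `find_indicators(SAMPLE_LOG)` on the sample to see three hits for 203.0.113.10 and that client listed as chained; the benign human.aspx request is not flagged.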


Mitigations:

  1. Apply the patches for the respective versions. The documentation can always be consulted at https://community.progress.com/s/products/moveit/product-lifecycle

  2. If updating with the above patch is not feasible for your organization, the vendor's suggested mitigation is to disable HTTP(S) traffic to MOVEit Transfer by adding firewall deny rules for ports 80 and 443. Note that this will essentially take your MOVEit Transfer application out of service.

  3. Remove all active sessions

  4. Remove any unauthorized users

References


  1. https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/

  2. https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response

  3. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a


Thank you for your time.


Until next time...


Bug XS Team

