Progress urged its customers to update to the latest version of the application as the vulnerability was reportedly exploited as a 0-day, dating back at least 30 days.
However, various threat intelligence companies indicated that the exploitation dated further back, with GreyNoise noticing activity 90 days prior and Kroll tracing similar activity back to 2021. The attacks were attributed to the cl0p ransomware gang, which is known for several other recent 0-day ransomware campaigns.
After analyzing the differences between the vulnerable and patched versions, Horizon3 researchers found three key areas of interest:
- UserGetUsersWithEmailAddress(): The function's SQL query was changed from a string concatenated from several passed-in arguments to a safer-looking SQL builder utility. Interestingly, this function was reachable from several unauthenticated paths.
- SetAllSessionVarsFromHeaders(): The patched version removed this entire function and its only caller from the machine2.aspx handler.
- GetFileUploadInfo(): The patched version introduced a statement that changes the way the uploadState is set.
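The first finding is the classic pattern behind this class of bug. The following added example (not Horizon3's PoC and not MOVEit's code) contrasts a user lookup by email address built from concatenated strings with the same lookup using a bound parameter; the table schema, function names and sample rows are constructed stand-ins, and the logic runs against an in-memory SQLite database.

```python
import sqlite3

# Constructed stand-in for a users table (not the real MOVEit schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, email TEXT, permission TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "user"),
        ("bob", "bob@example.com", "user"),
        ("sysadmin", "admin@example.com", "sysadmin"),
    ])
    return conn

def get_users_with_email_vulnerable(conn, email):
    # Pre-patch pattern: the caller's argument becomes part of the query text,
    # so a quote in the value changes the meaning of the WHERE clause.
    query = "SELECT login, permission FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()

def get_users_with_email_fixed(conn, email):
    # Post-patch pattern: the value travels as a bound parameter, never as
    # query text, so it can only ever be compared against the email column.
    query = "SELECT login, permission FROM users WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()

def compare(email):
    """Run both variants on a fresh database and return their result sets."""
    conn = make_db()
    return {
        "vulnerable": get_users_with_email_vulnerable(conn, email),
        "fixed": get_users_with_email_fixed(conn, email),
    }

if __name__ == "__main__":
    # A normal address matches one row in both variants.
    print(compare("alice@example.com"))
    # A value carrying a quote turns the concatenated query into a tautology
    # and returns every user, sysadmin included; the bound variant returns nothing.
    print(compare("x' OR '1'='1"))
```

The asymmetry in the second call is the whole point of the patch: with a bound parameter there is no string boundary for the input to escape, whatever it contains.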
Figure: Python script excerpt to perform SQL injection
Exploiting the SQL injection vulnerability, leading to the ability to manipulate data within the MOVEit database, the attackers aimed for elevated permissions. The attackers targeted the session_grant=external_token authentication flow, used when MOVEit Transfer is configured for federated logins. Using the SQL injection from the previous paths, they manipulated the database to accept their identity provider URL, ultimately obtaining an access token for the sysadmin user.
Achieving Remote Code Execution
The attackers targeted file upload handlers within MOVEit.DMZ.WebApi, eventually reaching the function GetFileUploadInfo(). A combination of a classic .NET deserialization vulnerability and the SQL injection allowed the attackers to manipulate the field from which a crucial variable (_uploadState) was set.
This resulted in remote code execution. The Horizon3 team has shared the Python PoC code on GitHub.
Post Exploitation by Horizon3
Interestingly, on some MOVEit Transfer servers deployed via the Azure Marketplace, cleartext credentials for the provisioned sysadmin account, the database, and service accounts were found. This exposes additional weaknesses that could be used for lateral movement.
CVE-2023-34362 is not alone
The Progress Software Corporation announced on June 9, 2023, that multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.
In the meantime, the CVE ID for the newly discovered vulnerabilities is pending; credit goes to the cybersecurity firm Huntress for helping uncover additional vulnerabilities that a bad actor could potentially use to stage an exploit.