Cybersecurity researchers are diving into the vulnerability of the moment: the bug in Progress Software’s MOVEit Transfer file transfer application that could lead to remote code execution by attackers.
Researchers at Horizon3ai and Rapid7 independently released proofs of concept for the SQL injection that has been exploited in the wild by the Clop ransomware gang, with some believing the crime group was testing the vulnerability as far back as 2021.
Progress Software disclosed and issued a patch for the vulnerability on May 31, and disclosed a second vulnerability and released another patch for MOVEit while investigating the first bug.
The critical flaw is tracked as CVE-2023-34362 and allows an unauthenticated attacker to gain unauthorized access to the MOVEit database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of content. All versions of MOVEit Transfer are affected by this vulnerability.
On June 9, Horizon3ai’s Zach Hanley compared the patched and unpatched versions and noted three areas of interest. The first was an updated SQL query in “UserGetUsersWithEmailAddress()”, changed from a concatenated string of several arguments to a safer-looking SQL builder utility. The second removed the function “SetAllSessionVarsFromHeaders()” entirely, along with its only caller in the machine2.aspx handler, “SILMachine2”, which invoked it when the received “Transaction” was “session_setvars”. The third was in “GetFileUploadInfo()”, which gained a single statement changing how “uploadState” is set: it now checks whether “State” is null before using a new decryption helper, “DecryptBytesForDatabase”.
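The first change Hanley describes, a lookup by email address moving from string concatenation to a query builder, is the classic SQL injection fix. The following is an added illustration of that pattern, not MOVEit Transfer code: a hypothetical users table in an in-memory SQLite database, queried once by concatenation and once with a bound parameter, so the behavioural difference on a constructed malformed email value is visible.

```python
"""Vulnerable concatenated lookup beside its parameterised replacement.
Constructed example with an in-memory SQLite table; not Progress Software code."""
import sqlite3


def make_db():
    # Hypothetical schema and rows, constructed for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice@example.com", "admin"), (2, "bob@example.com", "user")],
    )
    return conn


def users_with_email_concat(conn, email):
    # Pre-patch style: the untrusted value becomes part of the SQL text,
    # so quote characters in it change the meaning of the WHERE clause.
    sql = "SELECT id, email, role FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def users_with_email_param(conn, email):
    # Post-patch style: the SQL text is fixed and the value is bound
    # separately, so it can only ever be compared as data.
    sql = "SELECT id, email, role FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare():
    """Run both lookups on a benign and a constructed malformed input."""
    conn = make_db()
    benign = "bob@example.com"
    malformed = "x' OR '1'='1"  # constructed: closes the literal early
    return {
        "concat_benign": users_with_email_concat(conn, benign),
        "concat_malformed": users_with_email_concat(conn, malformed),
        "param_benign": users_with_email_param(conn, benign),
        "param_malformed": users_with_email_param(conn, malformed),
    }


if __name__ == "__main__":
    for name, rows in compare().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The concatenated version returns every row for the malformed input, while the parameterised version returns none, which is the property the SQL builder change restores.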
Horizon3ai was able to develop its own path to exploitation, but Hanley noted it was just one of several likely paths available to attackers, and one of several different places defenders might look to discover indicators of compromise (IOCs). The Horizon3ai POC can be found on GitHub.
"[L]ooking at public threat intelligence about the series of endpoints being hit and the types of indicators of compromise, we aren’t entirely sure the path we’ve found is the exact same abuse of the patched functionality mixed with abuse of intended functionality," Hanley wrote. "There are likely several paths to exploitation – there are many like it, but this one is ours."
Rapid7 researchers published their own POC and IOCs here. They were also able to find a number of different ways to weaponize the SQL injection, with their technical analysis noting that "there were many ways to proceed" and that, after developing an initial solution, they have "since developed a better one."