06-13-2023, 12:28 AM
POC for CVE-2023-34362 affecting MOVEit Transfer
Technical Analysis
A technical root cause analysis of the vulnerability can be found on our blog: https://www.horizon3.ai/moveit-transfer-...ompromise/
Summary
This POC abuses an SQL injection to obtain a sysadmin API access token and then uses that access to abuse a deserialization call to obtain remote code execution.
This POC needs to reach out to an Identity Provider endpoint which hosts proper RS256 certificates used to forge arbitrary user tokens - by default this POC uses our IDP endpoint hosted in AWS.
By default, the exploit will write a file to C:\Windows\Temp\message.txt. Alternative payloads can be generated by using the ysoserial.net project.
https://github.com/horizon3ai/CVE-2023-34362
You search a DB? Send a PM, maybe I have it.