CVE-2023-40044: WS_FTP Server - Insecure Deserialization

Date: 2025-08-01 | Affected software: WS_FTP Server | PoC: public

Vulnerability description

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.

PoC code [public]

id: CVE-2023-40044

info:
  name: WS_FTP Server - Insecure Deserialization
  author: 0x_Akoko
  severity: critical
  description: |
    In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.
  reference:
    - https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044
    - https://censys.com/cve-2023-40044/
    - https://www.progress.com/ws_ftp
    - https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/
    - https://www.theregister.com/2023/10/02/ws_ftp_update/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2023-40044
    cwe-id: CWE-502
    epss-score: 0.94436
    epss-percentile: 0.99986
    cpe: cpe:2.3:a:progress:ws_ftp_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    shodan-query: title:"Ad Hoc Transfer"
    max-request: 1
    vendor: progress
    product: ws_ftp_server
  tags: cve,cve2023,ws_ftp,kev,passive,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/AHT/AHT_UI/public/js/app.min.js"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - '/\*! fileTransfer \d+-(0[1-9]|1[0-2])-(19\d{2}|20[01]\d|202[0-2]) \*/'
          - '/\*! fileTransfer \d+-(0[1-8])-2023 \*/'
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        regex:
          - '\d+-(0[1-9]|1[0-2])-(19\d{2}|20[01]\d|202[0-2])'
          - '\d+-(0[1-8])-2023'
# digest: 4b0a00483046022100f2a7d1180f3a248a54aa908c88962b8e7edf20c6143cd93db6778722d4063efc022100ef533aa8f2466fd82dff9b564fc954fa206be2d1dd355d926f8ac7eb35b46508:922c64590222798bb761d5b6d8e72950
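The template above does not touch the deserialization sink at all: it is a passive version check that fetches app.min.js from the Ad Hoc Transfer UI and reads the `/*! fileTransfer <build>-<MM>-<YYYY> */` banner, treating any build stamped before September 2023 (the month the fixed 8.7.4 / 8.8.2 releases shipped) as unpatched. The following Python script is an added example, not part of the template or of any Progress or nuclei code. It reproduces the template's two matcher regexes and its extractor over constructed sample responses, and generalizes the same rule into a parsed-date comparison against a cutoff of 2023-09-01 (the cutoff value is an assumption inferred from the regexes, not a vendor-published date), so a defender can run the same logic against a saved response offline.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# The two body-part regexes from the template's matchers (joined with condition: or).
# First: any month of 1900-2022. Second: January to August 2023.
VULNERABLE_BANNER = [
    re.compile(r'/\*! fileTransfer \d+-(0[1-9]|1[0-2])-(19\d{2}|20[01]\d|202[0-2]) \*/'),
    re.compile(r'/\*! fileTransfer \d+-(0[1-8])-2023 \*/'),
]

# Generalized extractor: pull "<build>-<MM>-<YYYY>" out of the banner regardless of
# whether it is in the vulnerable range, so newer builds can be reported too.
BUILD_STAMP = re.compile(r'/\*! fileTransfer (\d+)-(0[1-9]|1[0-2])-(\d{4}) \*/')

# Assumption: first month treated as patched, inferred from the regexes above
# (they stop at 08-2023) and the late-September 2023 fix releases.
CUTOFF = date(2023, 9, 1)


@dataclass
class Verdict:
    matched: bool                  # what the template's matchers would say
    build: Optional[str]           # build number from the banner, if any
    build_date: Optional[date]     # first day of the banner's month/year


def assess(status: int, body: str) -> Verdict:
    """Apply the template's logic to one HTTP response (status code + body)."""
    if status != 200:               # the status matcher is AND-ed with the regex matcher
        return Verdict(False, None, None)
    matched = any(p.search(body) for p in VULNERABLE_BANNER)
    m = BUILD_STAMP.search(body)
    if not m:
        return Verdict(matched, None, None)
    build, month, year = m.group(1), int(m.group(2)), int(m.group(3))
    return Verdict(matched, build, date(year, month, 1))


def likely_unpatched(v: Verdict) -> bool:
    """Date-based form of the same rule: build stamped before the cutoff month."""
    return v.build_date is not None and v.build_date < CUTOFF


# Constructed sample responses (not real captures): (status, body).
SAMPLES: Dict[str, tuple] = {
    "mar2023":   (200, "/*! fileTransfer 42-03-2023 */\n!function(){}();"),
    "dec2022":   (200, "/*! fileTransfer 7-12-2022 */\n!function(){}();"),
    "oct2023":   (200, "/*! fileTransfer 57-10-2023 */\n!function(){}();"),
    "no_banner": (200, "!function(){}();"),
    "not_found": (404, "/*! fileTransfer 42-03-2023 */"),
}


def run_samples() -> Dict[str, Verdict]:
    """Assess every constructed sample and return the verdicts keyed by name."""
    return {name: assess(status, body) for name, (status, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:10} matched={v.matched!s:5} build={v.build} "
              f"date={v.build_date} likely_unpatched={likely_unpatched(v)}")
```

The regex form and the date form agree on every sample: a banner from March 2023 or December 2022 is flagged, one from October 2023 is not, and a missing banner or non-200 status yields no match. A build stamp is only a proxy for the installed version; the authoritative check for exposure remains confirming the WS_FTP Server version against the fixed 8.7.4 and 8.8.2 releases, and the matched date should be recorded alongside the host so the result can be reconciled with patch records.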