Deep-Dive: Up close and personal with the MOVEit zero-day vulnerability
Deep-Dive: Up close and personal with the MOVEit zero-day vulnerability
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
Laura Verheyde
Laura Verheyde is a software developer at Secure Code Warrior focused on researching vulnerabilities and creating content for Missions and Coding labs.
Related Articles We Recommend
Related Articles We Recommend
Dive into onto our latest secure coding insights on the blog.
Our extensive resource library aims to empower the human approach to secure coding upskilling.
Get the latest research on developer-driven security
Our extensive resource library is full of helpful resources from whitepapers to webinars to get you started with developer-driven secure coding. Explore it now.
Deep-Dive: Up close and personal with the MOVEit zero-day vulnerability
Software supply chain cyberattacks are becoming increasingly common, sparking a flurry of legislative changes at the US government level, while enterprises scramble to mitigate their expansive risk profile and rapidly improve software quality. There have been three zero-day vulnerabilities linked to file-sharing services this year alone, with the largest and most destructive coming in the form of the MOVEit mass exploit.
Spearheaded by the CL0P ransomware group, the MOVEit incident has dominated cybersecurity news for some time, with more than 1,000 organizations impacted. This number is set to keep growing, rendering this one of the most potent software supply chain attacks since Solarwinds in 2021.
The catalyst for this widespread breach was a cluster of SQL injection vulnerabilities, ultimately receiving a severity score of 9.8 out of 10 from MITRE. SQL injection has been the bugbear of security professionals since the late 90s, and despite being a fairly straightforward fix, it continues to find its way into modern software and provide a red carpet to sensitive data for threat actors.
The MOVEit scenario is a little different from what many developers and AppSec professionals may have previously experienced, and you can test your SQLi-slaying skills in a live simulation right here:
>>> PLAY THE MOVEit MISSION
The vulnerability: SQL injection
How exactly was SQL injection used to exploit Progress Software’s MOVEit file transfer application?
CL0P ransomware group was able to exploit SQL injection vulnerability CVE-2023-34362, granting them unrestricted and unauthorized access to MOVEit’s database. From there, they were able to install LEMURLOOT, a web shell that would ultimately allow them to run several high-risk, critical processes like retrieval of system settings, enumerating the SQL database, file retrieval from the MOVEit Transfer system, and creating a new account with full administration privileges.
Needless to say, this attack vector may be the result of a relatively simple error - one that could be put down to the perpetual use of poor coding patterns - but its potential to cause ongoing problems at the enterprise level is immense.
Comparable to the MOVEit exploit, let’s take a look at this SQLi explainer, which simulates the method of injecting and executing malicious SQL:
This query string and variable:
string emailAddress = "contact@scw.com";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
will result in the following query:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'";
… and with malicious crafted input:
string emailAddress = "contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--";
var query = $"SELECT u.UserName From Users as u WHERE u.Email = '{emailAddress}'";
it will become:
var query = $"SELECT u.UserName From Users as u WHERE u.Email = 'contact@scw.com'; DELETE FROM Invoices WHERE Id = 2;--'";
How does that look in flight?
Note that due to the string concatenation, the input is being interpreted as SQL syntax. First, a single quote is added to make sure the SELECT statement is valid SQL syntax. Next, a semicolon is added in order to terminate the first statement.
Once this is in place, a valid DELETE statement is added, followed by two hyphens to comment out any trailing characters (the single quote). An UPDATE statement could just as easily be added, for example, if the malicious SQL was to update users' roles or passwords.
Try it out for yourself in this playable mission:
While relatively straightforward, SQLi remains a powerful attack vector, and one that is all too common. In the case of MOVEit, this exploit made way for a damaging backdoor installation, and a group of further attacks of similar severity.
How can you mitigate SQL injection risk?
For any companies utilizing MOVEit as part of their business operations, it is imperative that they follow the recommended remediation advice from Progress Software. This includes but is not limited to applying security patches as an emergency-level priority.
For SQL injection in general, check out our comprehensive guide.
Want to learn more about how to write secure code and mitigate risk? Try out our SQL injection challenge for free.
If you’re interested in getting more free coding guidelines, check out Secure Code Coach to help you stay on top of secure coding best practices.
