GoAnywhere Managed File Transfer Vulnerability Debugging Environment Setup
0x00 Preface
This article records the details of building a GoAnywhere Managed File Transfer vulnerability debugging environment from scratch.
0x01 Overview
This article will cover the following content:
GoAnywhere Managed File Transfer Installation
GoAnywhere Managed File Transfer Vulnerability Debugging Environment Configuration
Database Operations
0x02 GoAnywhere Managed File Transfer Installation
References: https://static.fortra.com/goanywhere/pdfs/guides/ga6_8_6_installation_guide.pdf
Download Link: https://www.goanywhere.com/products/goanywhere-free/download
An account must be registered to obtain a license.
GoAnywhere Managed File Transfer can be installed on both Windows and Linux.
Default Web Path on Windows System: C:\Program Files\HelpSystems\GoAnywhere\tomcat\webapps\ROOT
Default Web Path on Linux System: /usr/local/HelpSystems/GoAnywhere/tomcat/webapps/ROOT
1. Enable remote debugging feature
Remote debugging is provided by Tomcat's own debugging feature. For a standalone Tomcat, it is enabled as follows:
Switch to the bin directory
Execute the command: catalina jpda start
Once Tomcat's debugging feature is enabled, it listens on local port 8000 by default
For GoAnywhere Managed File Transfer, the method to enable the debugging feature is as follows:
(1) Debugging on Windows
Modify the file properties of C:\Program Files\HelpSystems\GoAnywhere\tomcat\bin\GoAnywhere.exe
Double-click the file C:\Program Files\HelpSystems\GoAnywhere\tomcat\bin\GoAnywhere.exe, switch to the Java tab, and add the following to Java Options: -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8090, as shown in the figure below
Restart the GoAnywhere service
(2) Debugging on Linux
Modify the file: /opt/HelpSystems/GoAnywhere/tomcat/bin/start_tomcat.sh, change exec "$PRGDIR"/"$EXECUTABLE" start "$@" to exec "$PRGDIR"/"$EXECUTABLE" jpda start "$@"
Modify the file: /opt/HelpSystems/GoAnywhere/tomcat/bin/goanywhere_catalina.sh, change JPDA_ADDRESS="localhost:8000" to JPDA_ADDRESS="*:8090"
Note:
Tomcat's default debugging port, 8000, conflicts with the web port of GoAnywhere Managed File Transfer, so the debugging port is changed to 8090 here
Open the firewall to allow external access to port 8090: iptables -I INPUT -p tcp --dport 8090 -j ACCEPT
Start the GoAnywhere process: /opt/HelpSystems/GoAnywhere/goanywhere.sh start
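The Linux steps above as a small script, added here as an example (it is not from the original article or from the vendor): it makes the two edits with backups, reports where the JDWP listener binds, and prints a firewall rule limited to one debugger host rather than any source, since JDWP has no authentication and `*:8090` listens on every interface. The function names and the `GA` and `DEBUGGER_IP` variables are assumptions.

```shell
#!/bin/sh
# Added example. GA default is the Linux install path used in this article;
# DEBUGGER_IP (the IDE host) and all function names are assumptions.

# Switch the launcher from "start" to "jpda start"; idempotent, keeps FILE.bak.
patch_start_script() {
    f=$1
    grep -q '"\$EXECUTABLE" jpda start' "$f" && return 0
    grep -q '"\$EXECUTABLE" start "\$@"' "$f" || { echo "start line not found: $f" >&2; return 1; }
    cp -p "$f" "$f.bak"
    sed 's|"\$EXECUTABLE" start "\$@"|"$EXECUTABLE" jpda start "$@"|' "$f.bak" > "$f"
}

# Set JPDA_ADDRESS="ADDR" (for example *:8090); keeps FILE.bak.
patch_jpda_address() {
    f=$1; addr=$2
    grep -q '^[[:space:]]*JPDA_ADDRESS=' "$f" || { echo "JPDA_ADDRESS not found: $f" >&2; return 1; }
    cp -p "$f" "$f.bak"
    sed "s|^\([[:space:]]*\)JPDA_ADDRESS=.*|\1JPDA_ADDRESS=\"$addr\"|" "$f.bak" > "$f"
}

# Report whether the configured JDWP listener is loopback-only or network-reachable.
jdwp_bind() {
    addr=$(sed -n 's/^[[:space:]]*JPDA_ADDRESS="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1)
    case $addr in
        '')                echo "unset" ;;
        localhost:*|127.*) echo "loopback $addr" ;;
        *)                 echo "network $addr" ;;
    esac
}

# Print a rule that admits only SRC to the debug port, instead of any source.
debug_fw_rule() {
    printf 'iptables -I INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$2" "$1"
}

# Run as: sh script.sh apply   (as root, with DEBUGGER_IP set)
if [ "${1:-}" = "apply" ]; then
    GA=${GA:-/opt/HelpSystems/GoAnywhere}
    patch_start_script "$GA/tomcat/bin/start_tomcat.sh" || exit 1
    patch_jpda_address "$GA/tomcat/bin/goanywhere_catalina.sh" '*:8090' || exit 1
    jdwp_bind "$GA/tomcat/bin/goanywhere_catalina.sh"
    debug_fw_rule 8090 "${DEBUGGER_IP:?set DEBUGGER_IP to the IDE host}"
fi
```

Restoring the two `.bak` files and removing the firewall rule returns the host to its non-debug state once the session is over.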
0x03 Database Operations
GoAnywhere Managed File Transfer uses the Apache Derby database
The default database storage location under Windows is: C:\Program Files\HelpSystems\GoAnywhere\userdata\database\goanywhere
The default database storage location under Linux is: /opt/HelpSystems/GoAnywhere/userdata/database/goanywhere/
Implementation details of database operations can be obtained from ga_classes.jar in the lib folder
From this we can obtain the implementation details of web user password encryption, which are located at: C:\Program Files\HelpSystems\GoAnywhere\lib\ga_classes.jar!\com\linoma\ga\ui\admin\action\user\ChangeUserPasswordAction.class
The extracted Java implementation code is as follows:

1. Read Derby Database
(1) Command Line Implementation
Use Apache Derby, download address: https://archive.apache.org/dist/db/derby/db-derby-10.14.2.0/db-derby-10.14.2.0-bin.zip
Run ij.bat in the bin directory
Connect to the database: connect 'jdbc:derby:C:\Program Files\HelpSystems\GoAnywhere\userdata\database\goanywhere;';
Query user configuration: SELECT * FROM DPA_USER;
(2) GUI Implementation
Use DBSchema, download link: https://dbschema.com/download.html
After launching DBSchema, choose to connect to a Derby database, select derbytools.jar org.apache.derby.jdbc.EmbeddedDriver as the JDBC Driver, and set Folder to C:\Program Files\HelpSystems\GoAnywhere\userdata\database\goanywhere
Query the user data table as shown in the following figure

You can see there are three default users as follows:
Administrator, not enabled
root, not enabled
admin, default user
2. Modify the Database
The Derby database of GoAnywhere Managed File Transfer uses embedded mode, which makes it inaccessible to other applications, so the data can be modified in one of two ways:
(1) GoAnywhere Managed File Transfer is running
Database modification can be achieved by writing a JSP file
(2) GoAnywhere Managed File Transfer is shut down
You can choose Apache Derby or DBSchema to open the database folder and modify it directly
Example commands for modifying the database:
Enable root user: UPDATE APP.DPA_USER SET ENABLED='1' WHERE USER_NAME='root';
Set root user password: UPDATE APP.DPA_USER SET USER_PASS='$5$mpoe6zI4B6+LHRMdbFKr8g==$RnAILbYe9KDauKE3wXTFVvlXQNZeM4Z2c7x1aEtME/U=' WHERE USER_NAME='root';
0x04 Summary
After setting up the GoAnywhere Managed File Transfer vulnerability debugging environment, we can proceed to learn about the vulnerability.