Technical Analysis of "Diffing Patches for MOVEit Transfer: A Journey of Discovery"

Overview:
The blog post from Assetnote covers the author's exploration of vulnerabilities in MOVEit Transfer by diffing patches. Through reverse engineering and meticulous analysis, the author uncovers multiple security flaws, including SQL Injection (SQLi) and File Upload vulnerabilities. Their approach highlights the importance of understanding patch diffing for discovering zero-day vulnerabilities.

Key Technical Details:

  1. Initial Setup and Patch Diffing:
  2. The author downloaded the MOVEit Transfer patches and set up a controlled testing environment. Tools like dnSpy were used to decompile and inspect the binaries (.dll files).
  3. By comparing the patched and unpatched versions of the code, the author aimed to identify changes that addressed vulnerabilities.

  4. Identification of SQL Injection Vulnerabilities:

  5. The diffing process revealed changes in SQL query structures. In particular, vulnerable SQL queries that lacked parameterized queries were modified to include parameterized statements in the patched version.
  6. Technical Insight:

    • SQL Injection can be exploited by inserting malicious SQL statements through input fields that directly interact with the database.
    • Parameterized queries are essential to prevent SQLi, as they use placeholders for user input, effectively separating code from data.
  7. File Upload Vulnerability:

  8. The patch analysis highlighted modifications in the file upload functionality. The previous version lacked proper file type validation, while the patched version introduced MIME type checks and restrictions on allowable file types.
  9. Technical Insight:

    • File upload vulnerabilities can be critical, allowing attackers to upload malicious files that may be executed on the server.
    • Proper validation involves checking the file’s MIME type, size, and extension, against a whitelist of allowed types to prevent arbitrary file uploads.
  10. Bypassing Client-Side Protection:

  11. During his analysis, the author noted that initial protections were implemented on the client-side using JavaScript, which can be easily bypassed by disabling or modifying the client-side scripts.
  12. Technical Insight:

    • Client-side protections are inherently insecure, as they operate within the user's control and can be manipulated. Protections should always be enforced on the server-side.
  13. Reflected Cross-Site Scripting (XSS):

  14. The diff revealed changes in HTML output sanitization. Previous versions were vulnerable to XSS due to improper encoding of user input embedded in the HTML content.
  15. Technical Insight:

    • Reflected XSS occurs when user input is reflected back into the web page without proper sanitization or encoding, leading to script execution in the user's browser.
    • Effective defenses include using frameworks or libraries that automatically escape variables and ensuring all dynamic content is safely encoded.
  16. Methodology of Patch Diffing:

  17. The author advocated for a systematic approach to patch diffing: identifying different binary files, decompiling them, and performing line-by-line comparisons to spot security-relevant changes.
  18. Tools and techniques discussed include using version control systems for diffing files and automated scripts to highlight significant changes.

Key Takeaways:

Conclusion:

The post offers a detailed exploration into the process of diffing patches to discover vulnerabilities. Through systematic analysis, the author demonstrates how security flaws, such as SQLi and file upload vulnerabilities, are identified and mitigated. This case study reiterates the crucial role of secure coding practices and the necessity of server-side validations.

For the full details, check the original blog post here.