Comprehensive Technical Analysis of EUVD-2023-44651 (CVE-2023-40044)

WS_FTP Server .NET Deserialization Remote Code Execution (RCE) Vulnerability

1. Vulnerability Assessment and Severity Evaluation

Overview

EUVD-2023-44651 (CVE-2023-40044) is a critical pre-authentication remote code execution (RCE) vulnerability in Progress Software’s WS_FTP Server, stemming from an unsafe .NET deserialization flaw in the Ad Hoc Transfer module. The vulnerability allows unauthenticated attackers to execute arbitrary commands on the underlying operating system with the privileges of the WS_FTP Server process.

CVSS v3.1 Severity Breakdown

Metric	Value	Explanation
Base Score	10.0 (Critical)	Highest possible severity due to pre-auth RCE with full impact.
Attack Vector (AV)	Network (N)	Exploitable remotely over the internet.
Attack Complexity (AC)	Low (L)	No special conditions required; straightforward exploitation.
Privileges Required (PR)	None (N)	No authentication needed.
User Interaction (UI)	None (N)	No user action required.
Scope (S)	Changed (C)	Exploitation affects components beyond the vulnerable module (OS-level impact).
Confidentiality (C)	High (H)	Attacker can exfiltrate sensitive data.
Integrity (I)	High (H)	Attacker can modify or delete files, install malware.
Availability (A)	High (H)	Attacker can crash the server or disrupt services.

EPSS Score (92%)

The Exploit Prediction Scoring System (EPSS) score of 92% indicates an extremely high likelihood of exploitation in the wild, aligning with observed attack trends post-disclosure.

---

2. Potential Attack Vectors and Exploitation Methods

Root Cause Analysis

The vulnerability arises from unsafe .NET deserialization in the Ad Hoc Transfer module, which processes user-supplied input without proper validation. Specifically:

• The IHttpModule in WS_FTP Server deserializes untrusted JSON data (e.g., via HTTP requests) using System.Web.Script.Serialization.JavaScriptSerializer or similar .NET deserialization mechanisms.
• Attackers can craft malicious serialized payloads (e.g., ObjectDataProvider gadgets) to trigger arbitrary code execution during deserialization.

Exploitation Workflow

1. Reconnaissance

   • Attacker identifies a vulnerable WS_FTP Server instance (e.g., via Shodan, Censys, or manual probing).
   • Checks for exposed Ad Hoc Transfer endpoints (typically /AHT/ or /AdHocTransfer/).

2. Payload Crafting

   • Attacker constructs a malicious HTTP POST request containing a serialized .NET payload (e.g., using ysoserial.net or custom gadgets).
   • Example payload may leverage TypeConfuseDelegate, ObjectDataProvider, or WindowsIdentity gadgets to achieve RCE.

3. Exploitation

   • The server deserializes the payload, leading to arbitrary code execution in the context of the WS_FTP Server process (typically NT AUTHORITY\SYSTEM or a high-privilege service account).
   • Attacker gains full control over the host, enabling:
     • Data exfiltration (e.g., FTP credentials, sensitive files).
     • Lateral movement (e.g., deploying ransomware, backdoors).
     • Persistence mechanisms (e.g., scheduled tasks, WMI subscriptions).

4. Post-Exploitation

   • Attacker may disable logging, escalate privileges, or move laterally within the network.
   • Common follow-up actions include:
     • Ransomware deployment (e.g., LockBit, BlackCat).
     • Data theft (e.g., exfiltrating FTP-stored files).
     • Supply chain attacks (if WS_FTP is used for software distribution).

Proof-of-Concept (PoC) Availability

• Public PoCs exist (e.g., PacketStorm, AssetNote).
• Metasploit modules have been developed, lowering the barrier to exploitation.
• Automated exploit tools (e.g., Nuclei templates) are circulating in underground forums.

---

3. Affected Systems and Software Versions

Vulnerable Versions

Product	Affected Versions	Fixed Versions
WS_FTP Server	8.7.0 – 8.7.3	8.7.4
WS_FTP Server	8.8.0 – 8.8.1	8.8.2

Deployment Scenarios at Risk

• On-premises WS_FTP Server (Windows-based deployments).
• Cloud-hosted WS_FTP instances (if not patched).
• Third-party integrations (e.g., WS_FTP used in CI/CD pipelines, file transfer workflows).

Detection Methods

• Network-based detection:
  • Snort/Suricata rules (e.g., detecting .NET deserialization payloads in HTTP traffic).
  • WAF rules (e.g., ModSecurity rules blocking suspicious POST /AHT/ requests).
• Host-based detection:
  • Windows Event Logs (e.g., unexpected w3wp.exe child processes).
  • EDR/XDR solutions (e.g., detecting unusual process execution from WS_FTP.exe).

---

4. Recommended Mitigation Strategies

Immediate Actions (Critical Priority)

1. Apply Patches Immediately

   • Upgrade to WS_FTP Server 8.7.4 or 8.8.2 (or later).
   • Patch management priority: Tier 0 (Critical) – deploy within 24-48 hours.

2. Workarounds (If Patching is Delayed)

   • Disable the Ad Hoc Transfer module (if not in use):

     # Disable via IIS Manager or appcmd
     %windir%\system32\inetsrv\appcmd set config "WS_FTP Server" -section:system.webServer/modules /-[name='AdHocTransferModule']
     

   • Restrict access to /AHT/ endpoints via:
     • IP whitelisting (e.g., via IIS IP Restrictions).
     • WAF rules (e.g., block all POST requests to /AHT/).
   • Enable .NET deserialization protections (if possible):
     • Configure TypeNameHandling.None in Web.config:

       <system.web.extensions>
         <scripting>
           <webServices>
             <jsonSerialization maxJsonLength="..." typeNameHandling="None" />
           </webServices>
         </scripting>
       </system.web.extensions>
       

3. Network-Level Protections

   • Isolate WS_FTP Server in a DMZ with strict firewall rules.
   • Disable unnecessary ports (e.g., restrict FTP/SFTP to trusted IPs).
   • Deploy IDS/IPS to detect exploitation attempts.

4. Monitoring and Detection

   • Enable Windows Event Logging for:
     • Process creation (Event ID 4688).
     • PowerShell execution (Event ID 4104).
   • Deploy EDR/XDR to detect:
     • Unusual child processes of WS_FTP.exe.
     • Suspicious network connections (e.g., reverse shells).
   • SIEM alerts for:
     • Multiple failed deserialization attempts.
     • Unexpected POST requests to /AHT/.

5. Incident Response Preparedness

   • Assume breach if unpatched systems are exposed.
   • Isolate affected hosts and conduct forensic analysis.
   • Rotate credentials (FTP, database, service accounts).
   • Review logs for signs of exploitation (e.g., unexpected cmd.exe or powershell.exe processes).

---

5. Impact on the European Cybersecurity Landscape

Threat Landscape in Europe

• High Exploitation Rates: Post-disclosure, mass scanning and exploitation were observed across Europe (e.g., Germany, France, UK).
• Targeted Sectors:
  • Government & Defense (FTP used for secure file transfers).
  • Healthcare (HIPAA-compliant file sharing).
  • Financial Services (SWIFT, payment processing).
  • Critical Infrastructure (energy, transportation).
• Ransomware & APT Activity:
  • LockBit, BlackCat, and Conti affiliates have weaponized CVE-2023-40044.
  • State-sponsored APTs (e.g., APT29, Turla) may exploit unpatched systems for espionage.

Regulatory and Compliance Implications

• GDPR (EU 2016/679): Unpatched systems risk data breaches, leading to fines up to 4% of global revenue.
• NIS2 Directive (EU 2022/2555): Critical infrastructure operators must patch within 24 hours or face penalties.
• DORA (Digital Operational Resilience Act): Financial entities must demonstrate vulnerability management to avoid sanctions.

Supply Chain Risks

• Third-party vendors using WS_FTP may unknowingly expose clients to RCE.
• Managed Service Providers (MSPs) must audit all WS_FTP deployments to prevent lateral movement.

---

6. Technical Details for Security Professionals

Exploitation Deep Dive

Vulnerable Code Path

The flaw resides in the AdHocTransferModule, which processes HTTP requests via:

// Vulnerable deserialization in WS_FTP Server
var serializer = new JavaScriptSerializer();
var payload = serializer.Deserialize<AdHocTransferRequest>(request.InputStream); // UNSAFE!

• No type checking is performed, allowing arbitrary object instantiation.
• Gadget chains (e.g., ObjectDataProvider, WindowsIdentity) can be used to execute commands.

Exploit Payload Example (Conceptual)

{
  "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework",
  "MethodName": "Start",
  "MethodParameters": {
    "$type": "System.Collections.ArrayList, mscorlib",
    "$values": ["cmd.exe", "/c calc.exe"]
  },
  "ObjectInstance": {
    "$type": "System.Diagnostics.Process, System"
  }
}

• When deserialized, this spawns calc.exe (proof-of-concept).
• Real-world attacks replace calc.exe with PowerShell reverse shells or Cobalt Strike beacons.

Post-Exploitation Techniques

• Privilege Escalation:
  • If WS_FTP runs as SYSTEM, no further escalation is needed.
  • If running as a service account, Token Impersonation or Juicy Potato may be used.
• Persistence:
  • Scheduled Tasks: schtasks /create /tn "Backdoor" /tr "powershell -nop -c ..." /sc onstart
  • WMI Event Subscriptions: Set-WmiInstance -Namespace root\subscription -Class __EventFilter
• Lateral Movement:
  • Pass-the-Hash (PtH) or Kerberoasting to move to other hosts.
  • SMB/PSExec for remote execution.

Detection Rules (Sigma/YARA/Snort)

Sigma Rule (Windows Event Logs)

title: WS_FTP Server CVE-2023-40044 Exploitation Attempt
id: 1a2b3c4d-5e6f-7890-1234-56789abcdef0
status: experimental
description: Detects suspicious child processes of WS_FTP.exe, indicative of RCE.
references:
    - https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044
author: EUVD Monitoring Team
date: 2023/09/28
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WS_FTP Server\WS_FTP.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: critical

Snort Rule (Network Detection)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"CVE-2023-40044 WS_FTP AdHocTransfer RCE Attempt";
flow:to_server,established; content:"/AHT/"; http_uri; content:"POST"; http_method;
pcre:"/\x22\$type\x22\s*:\s*\x22System\.(Windows\.Data|Diagnostics)\./i";
reference:cve,2023-40044; classtype:attempted-admin; sid:1000001; rev:1;)

Forensic Artifacts

Artifact	Location	Description
IIS Logs	%SystemDrive%\inetpub\logs\LogFiles\	Look for POST /AHT/ requests with suspicious payloads.
Windows Event Logs	Security.evtx (Event ID 4688)	Process creation from WS_FTP.exe.
Process Memory	WS_FTP.exe memory dump	Contains deserialized payloads.
Registry Keys	HKLM\SOFTWARE\Progress\WS_FTP	Configuration changes post-exploitation.
Network Traffic	PCAPs	Outbound C2 connections (e.g., Cobalt Strike, Metasploit).

---

Conclusion and Recommendations

Key Takeaways

• CVE-2023-40044 is a 10.0 CVSS vulnerability with active exploitation in the wild.
• Pre-authentication RCE makes it highly attractive to threat actors, including ransomware gangs and APTs.
• European organizations must patch immediately to avoid GDPR/NIS2 violations and supply chain risks.

Action Plan for Security Teams

Priority	Action	Timeline
Critical	Patch all WS_FTP Servers	Within 24 hours
High	Disable Ad Hoc Transfer if unused	Immediately
High	Deploy WAF/IDS rules	Within 48 hours
Medium	Hunt for exploitation artifacts	Ongoing
Low	Review third-party WS_FTP usage	Within 1 week

Long-Term Recommendations

• Replace WS_FTP with modern, secure alternatives (e.g., SFTP/SCP with OpenSSH, AWS Transfer Family).
• Implement Zero Trust for file transfers (e.g., mutual TLS, MFA).
• Enhance threat hunting for .NET deserialization attacks (e.g., Sysmon, EDR).

Final Note: Given the EPSS score of 92%, assume compromise if systems remain unpatched. Immediate action is required to mitigate this critical threat.