www.horizon3.ai
Open in
urlscan Pro
104.197.16.226
Public Scan
URL:
https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execu...
Submission: On June 18 via api from US — Scanned from DE
Submission: On June 18 via api from US — Scanned from DE
Form analysis
2 forms found in the DOMGET https://www.horizon3.ai/
<form role="search" method="get" class="et_pb_menu__search-form" action="https://www.horizon3.ai/">
<input type="search" class="et_pb_menu__search-input" placeholder="Search …" name="s" title="Search for:">
</form>
GET https://www.horizon3.ai/
<form role="search" method="get" class="et_pb_menu__search-form" action="https://www.horizon3.ai/">
<input type="search" class="et_pb_menu__search-input" placeholder="Search …" name="s" title="Search for:">
</form>
Text Content
* Solutions * NodeZero™ Platform * What is NodeZero? * Internal Pentesting * External Pentesting * Rapid Response * AD Password Audit * Phishing Impact Testing * Who Uses NodeZero? * Schedule A Demo * Documentation * Pentesting for Compliance * Horizon3.ai Pentesting Services for Compliance * PCI Pentesting * Rapid Response * Attack Research * Credential Attacks * Log4Shell * Ransomware Impact * Attack Blogs * Disclosures * Attack Paths * Resources * Verticals * Education * Healthcare * Manufacturing * Public Sector * Resource Center * Whitepapers * Factsheets * Webinar Replays * Videos * Glossary * Forrester TEI Study * 2023 Year in Review * All Resources * Security Strategies * Effective Security * Splunk Logging * Purple Team Culture * Vulnerable ≠ Exploitable * Industry Insights * Customer Stories * Company * About * Our Vision * Meet The Team * Join The Team * Awards * Press Releases * Contact Us * Partners * Partners * MSSPs and MSPs * Partner Portal * Events * Log In * Free Trial * Solutions * NodeZero™ Platform * What is NodeZero? * Internal Pentesting * External Pentesting * Rapid Response * AD Password Audit * Phishing Impact Testing * Who Uses NodeZero? * Schedule A Demo * Documentation * Pentesting for Compliance * Horizon3.ai Pentesting Services for Compliance * PCI Pentesting * Rapid Response * Attack Research * Credential Attacks * Log4Shell * Ransomware Impact * Attack Blogs * Disclosures * Attack Paths * Resources * Verticals * Education * Healthcare * Manufacturing * Public Sector * Resource Center * Whitepapers * Factsheets * Webinar Replays * Videos * Glossary * Forrester TEI Study * 2023 Year in Review * All Resources * Security Strategies * Effective Security * Splunk Logging * Purple Team Culture * Vulnerable ≠ Exploitable * Industry Insights * Customer Stories * Company * About * Our Vision * Meet The Team * Join The Team * Awards * Press Releases * Contact Us * Partners * Partners * MSSPs and MSPs * Partner Portal * Events * Log In * Free Trial * Solutions 3 2 NodeZero™ Platform Pentesting for Compliance WHAT IS NODEZERO? * Internal Pentesting * External Pentesting * Rapid Response * AD Password Audit * Phishing Impact Testing WHO USES NODEZERO? * ITOps and SecOps * Security Teams * Pentesters * Large Organizations * MSSPs and MSPs Schedule a Demo Start a Free Trial DOCUMENTATION PENTESTING SERVICES FOR COMPLIANCE Expert human analysis by Offensive Security Certified Professional (OSCP) pentesters + the NodeZero platform streamlines your compliance process. PENTESTING FOR PCI Fully satisfy your PCI DSS 11.4 requirements * Rapid Response NEW * Attack Research 3 2 ATTACK CONTENT * Credential Attacks * Log4Shell * Ransomware DISCLOSURES EXPLOITING FILE READ VULNERABILITIES IN GRADIO TO STEAL SECRETS FROM HUGGING FACE SPACES This post walks through the vulnerabilities we disclosed affecting Gradio, and our work with Hugging Face to harden the Spaces platform after a recently reported potential breach. ATTACK BLOGS EXPLOITING FILE READ VULNERABILITIES IN GRADIO TO STEAL SECRETS FROM HUGGING FACE SPACES Jun 14, 2024 This post walks through the vulnerabilities we disclosed affecting Gradio, and our work with Hugging Face to harden the Spaces platform after a recently reported potential breach. CVE-2023-48788: REVISITING FORTINET FORTICLIENT EMS TO EXPLOIT 7.2.X Jun 4, 2024 Introduction Our last blog post on the FortiClient EMS SQL injection vulnerability, CVE-2023-48788, as it turns out only worked on 7.0.x versions. This article will discuss the differences in exploitation between FortiClient EMS's two mainline versions: 7.0.x and... ATTACK PATHS Routes and methods NodeZero used to gain unauthorized access to networks ON-PREM MISCONFIGURATIONS LEAD TO ENTRA TENANT COMPROMISE As enterprises continue to transition on-premises infrastructure and information systems to the cloud, hybrid cloud systems have emerged as a vital solution, balancing the benefits of both environments to optimize performance, scalability, and ease of change on users... * Resources 3 2 Verticals EDUCATION HEALTHCARE MANUFACTURING PUBLIC SECTOR RESOURCE CENTER * Blogs * Whitepapers * Factsheets * Videos * Glossary * 2023 Year in Review SECURITY STRATEGIES * Effective Security * Splunk Logging * Purple Team Culture * Vulnerable ≠ Exploitable INDUSTRY INSIGHTS ENHANCING VULNERABILITY MANAGEMENT: INTEGRATING AUTONOMOUS PENETRATION TESTING Jun 17, 2024 Traditional vulnerability scanning tools are enhanced with NodeZero’s autonomous penetration testing, revolutionizing Vulnerability Management by providing comprehensive risk assessment, exploitability analysis, and cross-host vulnerability chaining, empowering organizations to prioritize and mitigate security weaknesses strategically. OUTPACE EMERGING CYBER THREATS WITH HORIZON3.AI RAPID RESPONSE May 16, 2024 In this webinar. Horizon3.ai cybersecurity expert Brad Hong covers our new Rapid Response service. CUSTOMER STORIES THE CRITICAL ROLE OF AUTONOMOUS PENETRATION TESTING IN STRENGTHENING DEFENSE IN DEPTH Jun 10, 2024 NodeZero helps JTI Cybersecurity scale by automating penetration testing, finding vulnerabilities, and enhancing client security efficiently and effectively. ADVANCING EMERGENCY RESPONSE SECURITY WITH AUTONOMOUS PENTESTING May 9, 2024 In an increasingly interconnected world, where digital technologies infiltrate every aspect of society, vulnerabilities in these systems can be exploited by malicious actors to disrupt emergency services, compromise sensitive information, or even endanger lives. * Company 3 2 About Partners Events OUR VISION The future of cyber warfare will run at machine speed MEET THE TEAM Team of Motivated “Learn-it-alls” JOIN THE TEAM We’re a remote-first company with teammates clustered around the globe CONTACT US PRESS RELEASES HORIZON3.AI APPOINTS JILL PASSALACQUA AS CHIEF LEGAL OFFICER Jun 12, 2024 Business Wire 06/12/2024 Horizon3.ai, a leading provider of autonomous security solutions, today announced the appointment of Jill Passalacqua as Chief Legal Officer (CLO), effective immediately. As Chief Legal Officer, Jill leads Horizon3.ai's legal department,... HORIZON3.AI EXPANDS LEADERSHIP TEAM WITH NEW APPOINTMENTS May 21, 2024 Business Wire 05/21/2024 Horizon3.ai, a leader in autonomous security solutions, is pleased to announce the appointments of Erick Dean as Vice President of Product Management and Drew Mullen as Vice President of Revenue Operations. These key executive hires underscore... HORIZON3.AI APPOINTS MATT HARTLEY AS CHIEF REVENUE OFFICER TO SPEARHEAD GROWTH INITIATIVES May 2, 2024 Business Wire 05/02/2024 Horizon3.ai, a leading provider of autonomous security solutions, today announced the appointment of Matt Hartley as Chief Revenue Officer (CRO), effective immediately.Hartley brings over 20 years of sales and operations excellence with a... AWARDS INTELLYX DIGITAL INNOVATOR AWARD RISING CYBER AWARD 2024 VSA TOP INNOVATION AWARD 2024 NODEZERO FOR MSSPS AND MSPS Let Us Be Your Force Multiplier NODEZERO FOR PARTNERS Disruptive Technology That Will Help Drive Revenue PARTNER PORTAL Become a Partner EVENTS Join us at these upcoming cybersecurity events and workshops WEBINAR REPLAYS Unlock expert insights in our cybersecurity webinar series 17 July FIRESIDE CHAT SERIES WITH OUR GUEST KOMORI FIRESIDE CHAT SERIES WITH OUR GUEST KOMORI 2:00 pmZoom Webinar 25 July ELEVATE XCHANGE MASTERMIND COLLABORATION FORUM ELEVATE XCHANGE MASTERMIND COLLABORATION FORUM 3:30 pmStonebriar Country Club 03 August BLACK HAT USA 2024 BLACK HAT USA 2024 8:00 amMandalay Bay Convention Center 06 September THE CYBERSECURITY SUMMIT: CHICAGO THE CYBERSECURITY SUMMIT: CHICAGO 7:30 amMarriott Marquis Chicago * Log In * Free Trial a M * Solutions 3 2 NodeZero™ Platform Pentesting for Compliance WHAT IS NODEZERO? * Internal Pentesting * External Pentesting * Rapid Response * AD Password Audit * Phishing Impact Testing WHO USES NODEZERO? * ITOps and SecOps * Security Teams * Pentesters * Large Organizations * MSSPs and MSPs Schedule a Demo Start a Free Trial DOCUMENTATION PENTESTING SERVICES FOR COMPLIANCE Expert human analysis by Offensive Security Certified Professional (OSCP) pentesters + the NodeZero platform streamlines your compliance process. PENTESTING FOR PCI Fully satisfy your PCI DSS 11.4 requirements * Rapid Response NEW * Attack Research 3 2 ATTACK CONTENT * Credential Attacks * Log4Shell * Ransomware DISCLOSURES EXPLOITING FILE READ VULNERABILITIES IN GRADIO TO STEAL SECRETS FROM HUGGING FACE SPACES This post walks through the vulnerabilities we disclosed affecting Gradio, and our work with Hugging Face to harden the Spaces platform after a recently reported potential breach. ATTACK BLOGS EXPLOITING FILE READ VULNERABILITIES IN GRADIO TO STEAL SECRETS FROM HUGGING FACE SPACES Jun 14, 2024 This post walks through the vulnerabilities we disclosed affecting Gradio, and our work with Hugging Face to harden the Spaces platform after a recently reported potential breach. CVE-2023-48788: REVISITING FORTINET FORTICLIENT EMS TO EXPLOIT 7.2.X Jun 4, 2024 Introduction Our last blog post on the FortiClient EMS SQL injection vulnerability, CVE-2023-48788, as it turns out only worked on 7.0.x versions. This article will discuss the differences in exploitation between FortiClient EMS's two mainline versions: 7.0.x and... ATTACK PATHS Routes and methods NodeZero used to gain unauthorized access to networks ON-PREM MISCONFIGURATIONS LEAD TO ENTRA TENANT COMPROMISE As enterprises continue to transition on-premises infrastructure and information systems to the cloud, hybrid cloud systems have emerged as a vital solution, balancing the benefits of both environments to optimize performance, scalability, and ease of change on users... * Resources 3 2 Verticals EDUCATION HEALTHCARE MANUFACTURING PUBLIC SECTOR RESOURCE CENTER * Blogs * Whitepapers * Factsheets * Videos * Glossary * 2023 Year in Review SECURITY STRATEGIES * Effective Security * Splunk Logging * Purple Team Culture * Vulnerable ≠ Exploitable INDUSTRY INSIGHTS ENHANCING VULNERABILITY MANAGEMENT: INTEGRATING AUTONOMOUS PENETRATION TESTING Jun 17, 2024 Traditional vulnerability scanning tools are enhanced with NodeZero’s autonomous penetration testing, revolutionizing Vulnerability Management by providing comprehensive risk assessment, exploitability analysis, and cross-host vulnerability chaining, empowering organizations to prioritize and mitigate security weaknesses strategically. OUTPACE EMERGING CYBER THREATS WITH HORIZON3.AI RAPID RESPONSE May 16, 2024 In this webinar. Horizon3.ai cybersecurity expert Brad Hong covers our new Rapid Response service. CUSTOMER STORIES THE CRITICAL ROLE OF AUTONOMOUS PENETRATION TESTING IN STRENGTHENING DEFENSE IN DEPTH Jun 10, 2024 NodeZero helps JTI Cybersecurity scale by automating penetration testing, finding vulnerabilities, and enhancing client security efficiently and effectively. ADVANCING EMERGENCY RESPONSE SECURITY WITH AUTONOMOUS PENTESTING May 9, 2024 In an increasingly interconnected world, where digital technologies infiltrate every aspect of society, vulnerabilities in these systems can be exploited by malicious actors to disrupt emergency services, compromise sensitive information, or even endanger lives. * Company 3 2 About Partners Events OUR VISION The future of cyber warfare will run at machine speed MEET THE TEAM Team of Motivated “Learn-it-alls” JOIN THE TEAM We’re a remote-first company with teammates clustered around the globe CONTACT US PRESS RELEASES HORIZON3.AI APPOINTS JILL PASSALACQUA AS CHIEF LEGAL OFFICER Jun 12, 2024 Business Wire 06/12/2024 Horizon3.ai, a leading provider of autonomous security solutions, today announced the appointment of Jill Passalacqua as Chief Legal Officer (CLO), effective immediately. As Chief Legal Officer, Jill leads Horizon3.ai's legal department,... HORIZON3.AI EXPANDS LEADERSHIP TEAM WITH NEW APPOINTMENTS May 21, 2024 Business Wire 05/21/2024 Horizon3.ai, a leader in autonomous security solutions, is pleased to announce the appointments of Erick Dean as Vice President of Product Management and Drew Mullen as Vice President of Revenue Operations. These key executive hires underscore... HORIZON3.AI APPOINTS MATT HARTLEY AS CHIEF REVENUE OFFICER TO SPEARHEAD GROWTH INITIATIVES May 2, 2024 Business Wire 05/02/2024 Horizon3.ai, a leading provider of autonomous security solutions, today announced the appointment of Matt Hartley as Chief Revenue Officer (CRO), effective immediately.Hartley brings over 20 years of sales and operations excellence with a... AWARDS INTELLYX DIGITAL INNOVATOR AWARD RISING CYBER AWARD 2024 VSA TOP INNOVATION AWARD 2024 NODEZERO FOR MSSPS AND MSPS Let Us Be Your Force Multiplier NODEZERO FOR PARTNERS Disruptive Technology That Will Help Drive Revenue PARTNER PORTAL Become a Partner EVENTS Join us at these upcoming cybersecurity events and workshops WEBINAR REPLAYS Unlock expert insights in our cybersecurity webinar series 17 July FIRESIDE CHAT SERIES WITH OUR GUEST KOMORI FIRESIDE CHAT SERIES WITH OUR GUEST KOMORI 2:00 pmZoom Webinar 25 July ELEVATE XCHANGE MASTERMIND COLLABORATION FORUM ELEVATE XCHANGE MASTERMIND COLLABORATION FORUM 3:30 pmStonebriar Country Club 03 August BLACK HAT USA 2024 BLACK HAT USA 2024 8:00 amMandalay Bay Convention Center 06 September THE CYBERSECURITY SUMMIT: CHICAGO THE CYBERSECURITY SUMMIT: CHICAGO 7:30 amMarriott Marquis Chicago * Log In * Free Trial CVE-2024-29824 DEEP DIVE: IVANTI EPM SQL INJECTION REMOTE CODE EXECUTION VULNERABILITY by James Horseman | Jun 12, 2024 | Attack Blogs, Attack Research INTRODUCTION Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On May 24, 2024, ZDI and Ivanti released an advisory describing a SQL injection resulting in remote code execution with a CVSS score of 9.8. In this post we will detail the internal workings of this vulnerability. Our POC can be found here. RECORDGOODAPP Luckily for us, the ZDI advisory told us exactly where to look for the SQL injection. A function named RecordGoodApp. After installation, we find most of the application binaries in C:\Program Files\LANDesk. Searching for RecordGoodApp we find its present in a file named PatchBiz.dll. RecordGoodApp Search We can use JetBrains dotPeek tool to disassemble the PatchBiz.dll C# binary. From there we can search for the RecordGoodApp method. RecordGoodApp Disassembly We can readily see that the first SQL statement in the function is potentially vulnerable to an SQL injection. They use string.Format to insert the value of goodApp.md5 into the SQL query. Assuming we can find a way to influence the value of goodApp.md5 we should be able to trigger the SQL injection. FINDING A PATH TO THE VULNERABLE FUNCTION Next, we would like to see if there are any obvious paths to the RecordGoodApp function that we can use to trigger the vulnerability. Luckily we can use dotPeek again to search for any references to RecordGoodApp. However, to make sure we don’t miss anything, we first want to make sure that we have all potential application binaries loaded into dotPeek. If we don’t, we run the risk of missing a reference to the vulnerable function. We find that RecordGoodApp is first called from AppMonitorAction.RecordPatchIssue. AppMonitorAction.RecordPatchIssue Continuing, we find the AppMonitorAction.RecordPatchIsssue is called by Patch.UpdateActionHistory Patch.UpdateActionHistory We find that UpdateActionHistory is called from three different locations. Patch.UpdateActionHistory Usage This most interesting of these usages is StatusEvents.EventHandler.UpdateStatusEvents. We find that it is annotated with [WebMethod] in the EventHandler class. EventHandler inherits from System.Web.Services.WebService. This strongly indicates that we should be able to hit UpdateStatusEvents over HTTP. UpdateStatusEvents TRIGGERING THE VULNERABLE FUNCTION Now that we have found a viable path to the vulnerable function, our attention turns to triggering the vulnerable function. First, using IIS Manager, we notice that EventHandler.cs is hosted on the /WSStatusEvents endpoint. IIS Manager WSStatusEvents Navigating to the endpoint in a browser, we are led to a page that shows up some example requests and responses. UpdateStatusEvents Examples Now, we can copy these example requests into Burp Suite and begin modifying them to see if we can trigger the exploit. Using dyspy, we attach to the IIS process hosting the vulnerable endpoint and start sending requests. After a little bit more reversing, we come up with a fairly trivial request using xp_cmdshell to gain RCE. Successfully exploiting using Burp Finally, we see notepad.exe running under sqlservr.exe proving that our exploit worked! notepad running under sqlservr.exe INDICATORS OF COMPROMISE The MS SQL logs can be examined for evidence of xp_cmdshell being utilized to obtain command execution. Note that this is likely not the only method for gaining RCE, but it is a popular one. SQL Server logs showing evidence of xp_cmdshell usage. NODEZERO NodeZero Attack Path utilizing CVE-2024-29824 to load a remote access tool and access files Horizon3.ai clients and free-trial users alike can run a NodeZero operation to determine the exposure and exploitability of this issue. SIGN UP FOR A FREE TRIAL AND QUICKLY VERIFY YOU’RE NOT EXPLOITABLE. Start Your Free Trial HOW CAN NODEZERO HELP YOU? Let our experts walk you through a demonstration of NodeZero, so you can see how to put it to work for your company. Schedule a Demo CONTACT US info@horizon3.ai press@horizon3.ai 650-445-4457 FOLLOW US * Follow * Follow * Follow * Follow SUBSCRIBE TO COMMUNITY UPDATES © 2024 All Rights Reserved. | Privacy Policy | Support Policy | Terms of Service | Trust Center We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent. Cookie SettingsAccept All Manage consent Close PRIVACY OVERVIEW This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the ... Necessary Necessary Always Enabled Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously. CookieDurationDescription__cfruidsessionCloudflare sets this cookie to identify trusted web traffic._GRECAPTCHA5 months 27 daysThis cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.cookielawinfo-checkbox-advertisement1 yearSet by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".CookieLawInfoConsent1 yearRecords the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.OptanonConsent1 yearOneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. Functional Functional Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features. CookieDurationDescriptionAnalyticsSyncHistory1 monthLinkedIn - Used to store information about the time a sync took place with the lms_analytics cookiebcookie2 yearsLinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.bscookie2 yearsLinkedIn sets this cookie to store performed actions on the website.langsessionLinkedIn sets this cookie to remember a user's language setting.li_gc2 yearsLInkedIn Used to store consent of guests regarding the use of cookies for non-essential purposeslidc1 dayLinkedIn sets the lidc cookie to facilitate data center selection.UserMatchHistory1 monthLinkedIn sets this cookie for LinkedIn Ads ID syncing. Performance Performance Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors. CookieDurationDescription_calendly_session21 daysCalendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar. Analytics Analytics Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc. CookieDurationDescription_ga2 yearsThe _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors._ga_V462VSRXXS2 yearsThis cookie is installed by Google Analytics.6suuid2 years6sense is a B2B predictive intelligence engine for marketing and sales.CONSENT2 yearsYouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.pardotpastThe pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.visitorId1 yearSalesforce Advertisement Advertisement Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads. CookieDurationDescriptionVISITOR_INFO1_LIVE5 months 27 daysA cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.YSCsessionYSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.yt.innertube::nextIdneverThis cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.yt.innertube::requestsneverThis cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen. Others Others Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet. CookieDurationDescriptionlpv97107330 minutesNo description SAVE & ACCEPT Powered by