We initially wrote this post in reference to CVE-2024-29847, however this post actually describes CVE-2023-28324. We had incorrectly assumed that the SU5 update was comprehensive which resulted in us mistaking CVE-2023-28324 for CVE-2024-29847. The content still reflects some references to CVE-2024-29847.

Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On September 12th, 2024, ZDI and Ivanti released an advisory describing a deserialization vulnerability resulting in remote code execution with a CVSS score of 9.8. In this post we detail the internal workings of this vulnerability. Our POC can be found here.

The ZDI advisory told us exactly where to look for the vulnerability. A service named AgentPortal. A quick search shows us that we can find the file at C:\Program Files\LanDesk\ManagementSuite\AgentPortal.exe. Upon further investigation, we find that it is a .NET binary.

AgentPortal.exe Details

After loading AgentPortal.exe into JetBrains dotPeek for decompilation, we find that its not a very complicated program. It’s main responsibility is creating a .NET Remoting service for the IAgentPortal interface.

AgentPortal OnStart

The IAgentPortal interface is pretty simple, it consists of functions to create Requests and other functions to get the results and check the status of those requests. Digging into what kind of requests we can make, we find the ActionEnum enum.

ActionEnum

We are immediately drawn to the RunProgram option. The handler for that option shows a very easy way for an attacker to run an arbitrary program.

ProcessRunProgramAction

This is a pretty straightforward RCE, we wanted to be sure that we were looking at the correctly vulnerability, so we loaded up a patched version of EPM to see if anything changed in AgentPortal.exe.

There are two main fixes we found in the patched version of EPM. The first restricts what kind of programs can be ran by ProcessRunProgramAction to ping.exe and tracert.exe.

ProcessRunProgramAction fix

The second centers around ensuring that AgentPortal service only runs if the Windows Firewall is enabled.

AgentPortal Firewall Fix

This leads us to some caveats about our understanding of this vulnerability.

While we are pretty sure that the vulnerability described in this post is the true CVE-2024-29847. There are two issues that give us pause. The first is that while this vulnerability technically involves deserialization, we feel it would be more accurately described as a command injection. This makes us wonder if there is another aspect of this vulnerability that we may have missed.

The second issue is centered around this vulnerability’s interaction with the firewall. The fix above clearly demonstrates that Ivanti expects the firewall to be enabled in order for this service to function. Additionally, in our lab installations, we had to open up a hole in the Windows Firewall for this exploit to work. If this is the case for most installations of EPM, then this vulnerability would not be that serious as the Windows Firewall would block any exploit attempts. However, when we examined a few live installations of EPM in the field, we found that every instance had the vulnerable port exposed. This discrepancy could be attributed to a few things:

• Our lab installation was not complete and further setup and usage could have led us to opening up the firewall for full functionality.
• Some prod installations of EPM could run with other products that require ephemeral ports to be exposed.
• There could be an additional piece of this exploit that we missed that causes the vulnerable port to become exposed.

The port used by the AgentPortal service can be found in the registry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\SharedComponents\LANDeskAgentPortal.

Any unexpected connections to the AgentPortal address in your environment should be investigated for malicious activity.