CVE-2024-29824 Deep Dive: Ivanti EPM SQL Injection Remote Code Execution Vulnerability
2024-6-12 22:27:47 Author: www.horizon3.ai(查看原文) 阅读量:34 收藏

Ivanti EPM Cover

Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On May 24, 2024, ZDI and Ivanti released an advisory describing a SQL injection resulting in remote code execution with a CVSS score of 9.8. In this post we will detail the internal workings of this vulnerability. Our POC can be found here.

Luckily for us, the ZDI advisory told us exactly where to look for the SQL injection. A function named RecordGoodApp. After installation, we find most of the application binaries in C:\Program Files\LANDesk. Searching for RecordGoodApp we find its present in a file named PatchBiz.dll.

RecordGoodApp Search

RecordGoodApp Search

We can use JetBrains dotPeek tool to disassemble the PatchBiz.dll C# binary. From there we can search for the RecordGoodApp method.

RecordGoodApp Disassembly

RecordGoodApp Disassembly

We can readily see that the first SQL statement in the function is potentially vulnerable to an SQL injection. They use string.Format to insert the value of goodApp.md5 into the SQL query. Assuming we can find a way to influence the value of goodApp.md5 we should be able to trigger the SQL injection.

Next, we would like to see if there are any obvious paths to the RecordGoodApp function that we can use to trigger the vulnerability. Luckily we can use dotPeek again to search for any references to RecordGoodApp. However, to make sure we don’t miss anything, we first want to make sure that we have all potential application binaries loaded into dotPeek. If we don’t, we run the risk of missing a reference to the vulnerable function. We find that RecordGoodApp is first called from AppMonitorAction.RecordPatchIssue.

AppMonitorAction.RecordPatchIssue

AppMonitorAction.RecordPatchIssue

Continuing, we find the AppMonitorAction.RecordPatchIsssue is called by Patch.UpdateActionHistory

Patch.UpdateActionHistory

Patch.UpdateActionHistory

We find that UpdateActionHistory is called from three different locations.

Patch.UpdateActionHistory Usage

Patch.UpdateActionHistory Usage

This most interesting of these usages is StatusEvents.EventHandler.UpdateStatusEvents. We find that it is annotated with [WebMethod] in the EventHandler class. EventHandler inherits from System.Web.Services.WebService. This strongly indicates that we should be able to hit UpdateStatusEvents over HTTP.

UpdateStatusEvents

UpdateStatusEvents

Now that we have found a viable path to the vulnerable function, our attention turns to triggering the vulnerable function. First, using IIS Manager, we notice that EventHandler.cs is hosted on the /WSStatusEvents endpoint.

IIS Manager WSStatusEvents

IIS Manager WSStatusEvents

Navigating to the endpoint in a browser, we are led to a page that shows up some example requests and responses.

UpdateStatusEvents Examples

UpdateStatusEvents Examples

Now, we can copy these example requests into Burp Suite and begin modifying them to see if we can trigger the exploit. Using dyspy, we attach to the IIS process hosting the vulnerable endpoint and start sending requests. After a little bit more reversing, we come up with a fairly trivial request using xp_cmdshell to gain RCE.

Successfully exploiting using Burp

Successfully exploiting using Burp

Finally, we see notepad.exe running under sqlservr.exe proving that our exploit worked!

notepad running under sqlservr.exe

notepad running under sqlservr.exe

The MS SQL logs can be examined for evidence of xp_cmdshell being utilized to obtain command execution. Note that this is likely not the only method for gaining RCE, but it is a popular one.

SQL Server logs showing evidence of xp_cmdshell usage.

SQL Server logs showing evidence of xp_cmdshell usage.

NodeZero Attack Path utilizing CVE-2024-29824 to load a remote access tool and access files 

Horizon3.ai clients and free-trial users alike can run a NodeZero operation to determine the exposure and exploitability of this issue.

Sign up for a free trial and quickly verify you’re not exploitable.

Start Your Free Trial


文章来源: https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/
如有侵权请联系:admin#unsafe.sh