Ivanti EPM SQL Injection Flaw Let Attackers Execute Remote Code

In May 24, 2024, Zero-Day Initiative released a security advisory for Ivanti EPM which was associated with SQL injection Remote code execution vulnerability.

This vulnerability was assigned with CVE-2024-29824 and the severity was given as 9.6 (Critical).

Though ZDI did not mention any additional information regarding this critical vulnerability, they specified a function name that affected Ivanti EPM which was “RecordGoodApp”.

However, a proof-of-concept for this vulnerability has been published by Horizon3 researchers.

Technical Analysis – Proof Of Concept

According to the reports shared with Cyber Security News, this RecordGoodApp function existed in the PatchBiz.dll file present in the installation folder.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot.

Further, this DLL was dissected using Jetbrains dotPeek tool for further review. This Patchbiz.dll wa a C# binary.

RecordGoodApp Disassembly (Source: Horizon3)

On investigating the SQL statements in this binary, the first SQL statement was found to be vulnerable to SQL injection as it used string.Format for inserting the value of goodApp.md5 into the SQL query.

Additionally, the RecordGoodApp function was first called from the AppMonitorAction.RecordPatchIssue is present inside an IF ELSE statement.

AppMonitorAction.RecordPatchIssue (Source: Horizon3)

Further, the AppMonitorAction.RecordPatchIssue was called by Patch.UpdateActionHistory which was called from three different locations such as LANDesk.ManagementSuite.PatchBiz, LANDesk.ManagementSuite.WSVulnerabilityCore and StatusEvents.

Patch.UpdateActionHistory Usage (Source: Horizon3)

Among these locations, the StatusEvents.EventHandler.UpdateStatusEvents was the most interesting, as it had annotations with [WebMethod] inside the EventHandler class.

This EventHandler class inherits from the System.Web.Services.WebService declares that it can be used to hit UpdateStatusEvents over HTTP.

Triggering The Exploit

As a means of analysing the location of this EventHandler class, an IIS manager was used which provided the exact location of EventHandler.cs that was located in /WSStatusEvents endpoint. Visiting this endpoint provided a list of sample requests and responses.

IIS Manager WSStatusEvents (Source: Horizon3)

Further analysis revealed that this endpoint was sent with requests, finally showing one particular request that used the xp_cmdshell.

This xp_cmdshell can execute commands on the system, which can now be used to achieve Remote Code Execution on vulnerable Ivanti EPM.

Successfully exploiting using Burp (Source: Horizon3)

Horizon3 has released an exploit code to trigger this vulnerability, which is now available on GitHub.

Users can use the MS SQL logs to examine the usage of xp_cmdshell for any malicious purposes.

It is recommended that Ivanti EPM users upgrade their products to the latest version to prevent threat actors from exploiting this vulnerability.

MS SQL Logs as Indicators of Compromise of using xp_cmdshell (Source: Horizon3)

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from the Indonesian…

7 hours ago

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…

9 hours ago

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…

9 hours ago

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…

9 hours ago

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

2 days ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

3 days ago