Cyber Security News

Ivanti EPM SQL Injection Flaw Lets Attackers Execute Remote Code

On May 24, 2024, the Zero Day Initiative (ZDI) released a security advisory for Ivanti EPM describing a SQL injection vulnerability that leads to remote code execution.

This vulnerability was assigned CVE-2024-29824 with a severity of 9.6 (Critical).

Though ZDI did not provide any additional information about this critical vulnerability, the advisory named the affected function in Ivanti EPM: “RecordGoodApp”.

However, a proof-of-concept for this vulnerability has been published by Horizon3 researchers.

Technical Analysis – Proof Of Concept

According to the reports shared with Cyber Security News, this RecordGoodApp function existed in the PatchBiz.dll file present in the installation folder.


This DLL was then decompiled with the JetBrains dotPeek tool for review. PatchBiz.dll is a C# binary.

RecordGoodApp Disassembly (Source: Horizon3)

On investigating the SQL statements in this binary, the first SQL statement was found to be vulnerable to SQL injection as it used string.Format for inserting the value of goodApp.md5 into the SQL query.

Additionally, the RecordGoodApp function is first called from AppMonitorAction.RecordPatchIssue, inside an if/else statement.

AppMonitorAction.RecordPatchIssue (Source: Horizon3)

Further, AppMonitorAction.RecordPatchIssue is called by Patch.UpdateActionHistory, which is in turn called from three different locations: LANDesk.ManagementSuite.PatchBiz, LANDesk.ManagementSuite.WSVulnerabilityCore and StatusEvents.

Patch.UpdateActionHistory Usage (Source: Horizon3)

Among these locations, StatusEvents.EventHandler.UpdateStatusEvents was the most interesting, as it is annotated with [WebMethod] inside the EventHandler class.

The EventHandler class inherits from System.Web.Services.WebService, which means UpdateStatusEvents can be reached over HTTP.

Triggering The Exploit

To find where this EventHandler class is exposed, IIS Manager was used; it showed that EventHandler.cs is served from the /WSStatusEvents endpoint. Visiting this endpoint provided a list of sample requests and responses.

IIS Manager WSStatusEvents (Source: Horizon3)

Further analysis involved sending requests to this endpoint, ending with one particular request that used xp_cmdshell.

xp_cmdshell can execute commands on the system, which makes it possible to achieve remote code execution on a vulnerable Ivanti EPM installation.

Successfully exploiting using Burp (Source: Horizon3)

Horizon3 has released exploit code that triggers this vulnerability, which is now available on GitHub.

Users can review the MS SQL logs for xp_cmdshell usage as an indicator of malicious activity.

It is recommended that Ivanti EPM users upgrade their products to the latest version to prevent threat actors from exploiting this vulnerability.

MS SQL Logs as Indicators of Compromise of using xp_cmdshell (Source: Horizon3)
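
The log review described above can be scripted. The following is an added example, not code from Horizon3 or Ivanti: it scans SQL Server ERRORLOG text for the message the server records when the xp_cmdshell option is changed through sp_configure, and reports each window during which it was switched on. The sample log lines and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the ERRORLOG layout (timestamp, source, message).
# Real ERRORLOG files are usually UTF-16; decode them before passing text in.
SAMPLE_LOG = """\
2024-06-12 09:58:01.12 spid12s     Starting up database 'tempdb'.
2024-06-12 10:15:32.40 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-06-12 10:15:32.45 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-06-12 10:15:40.02 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2024-06-12 11:02:10.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided.
"""

CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<src>\S+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

def config_changes(log_text, option="xp_cmdshell"):
    """Parse every logged sp_configure change for `option`, in log order."""
    changes = []
    for line in log_text.splitlines():
        m = CHANGE_RE.match(line)
        if m and m["opt"].lower() == option.lower():
            changes.append({
                "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "session": m["src"],
                "old": int(m["old"]), "new": int(m["new"]),
            })
    return changes

def enable_windows(log_text):
    """Return (session, enabled_at, disabled_at) per 0 -> 1 change of xp_cmdshell.
    disabled_at is None when no later change back to 0 is logged."""
    windows, opened = [], None
    for c in config_changes(log_text):
        if (c["old"], c["new"]) == (0, 1):
            if opened:  # previous enable never closed (e.g. log rotated)
                windows.append((opened["session"], opened["time"], None))
            opened = c
        elif c["new"] == 0 and opened:
            windows.append((opened["session"], opened["time"], c["time"]))
            opened = None
    if opened:
        windows.append((opened["session"], opened["time"], None))
    return windows

if __name__ == "__main__":
    for session, on, off in enable_windows(SAMPLE_LOG):
        print(f"{session}: xp_cmdshell enabled {on}, disabled {off or 'never (still on?)'}")
```

On an EPM core server where xp_cmdshell is not part of normal operations, any window this reports is worth correlating with IIS logs for requests to /WSStatusEvents around the same time.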



Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
