Merge pull request #457 from dwisiswant0/add/CVE-2020-15505

Add CVE-2020-15505
2020-09-14 15:58:10 +05:30 · 2020-09-14 15:58:10 +05:30 · 4dbb8317f2
parent 95fe6544d7 f7d2851490
commit 4dbb8317f2
2 changed files with 45 additions and 7 deletions
--- a/cves/CVE-2020-15505.yaml
+++ b/cves/CVE-2020-15505.yaml
@ -0,0 +1,37 @@
+id: CVE-2020-15505
+
+info:
+  name: RCE in MobileIron Core & Connector <= v10.6 & Sentry <= v9.8
+  author: dwisiswant0
+  severity: critical
+
+  # THIS TEMPLATE IS ONLY FOR DETECTING
+  # To carry out further attacks, please see references[2] below.
+  # This template works by passing a Hessian header, otherwise;
+  # it will return a 403 or 500 internal server error. References[3].
+
+  # References:
+  # - [1] https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
+  # - [2] https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
+  # - [3] https://github.com/iamnoooob/CVE-Reverse/blob/master/CVE-2020-15505/hessian.py#L10
+  # - [4] https://github.com/orangetw/JNDI-Injection-Bypass
+
+requests:
+  - raw:
+      - |
+        POST /mifs/.;/services/LogService HTTP/1.1
+        Host: {{Hostname}}
+        Referer: https://{{Hostname}}
+        Content-Type: x-application/hessian
+        Connection: close
+
+        {{hex_decode('630200480004')}}
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "application/x-hessian"
+        part: header
+      - type: status
+        status:
+          - 200
--- a/panels/mobileiron-login.yaml
+++ b/panels/mobileiron-login.yaml
@ -2,22 +2,23 @@ id: mobileiron-login

 info:
  name: MobileIron Login
-  author: dhiyaneshDK
+  author: dhiyaneshDK & @dwisiswant0
  Severity: info

 requests:
  - method: GET
    path:
-      - '{{BaseURL}}/mifs/user/login.jsp'
-      - '{{BaseURL}}/mifs/c/d/android.html'
-
+      - "{{BaseURL}}/mifs/login.jsp"
+      - "{{BaseURL}}/mifs/user/login.jsp"
+      - "{{BaseURL}}/mifs/c/d/android.html"
    matchers-condition: and
    matchers:
      - type: word
        words:
-          - MobileIron User Portal
-          - MobileIron Registration
-
+          - "MobileIron Admin Portal"
+          - "MobileIron User Portal"
+          - "MobileIron Registration"
+          - "Mobilizing enterprise applications"
      - type: status
        status:
          - 200