In a recent development on May 24, 2024, a security advisory was issued by Zero-Day Initiative concerning Ivanti EPM, highlighting a critical SQL injection Remote Code Execution vulnerability. This vulnerability was identified as CVE-2024-29824 and scored a severity rating of 9.6, categorizing it as “Critical”.

Zero-Day Initiative, the organization behind the security advisory, pinpointed a specific function within Ivanti EPM named “RecordGoodApp” as the focal point of the vulnerability. Although further details were not provided by ZDI, researchers from Horizon3 took the initiative to release a proof-of-concept outlining the potential risks associated with this SQL injection flaw.

Upon further investigation by Horizon3 researchers, it was revealed that the vulnerable function, RecordGoodApp, resided in the PatchBiz.dll file located within the installation directory. This DLL file, which was a C# binary, was meticulously dissected using the Jetbrains dotPeek tool for a detailed analysis.

The examination of the binary’s SQL statements unearthed that the vulnerability lied in the way the first SQL statement handled the input value of goodApp.md5 using string.Format to insert it into the SQL query. Moreover, the function RecordGoodApp was intricately interlinked within the software, being nested within various functions like AppMonitorAction.RecordPatchIssue, Patch.UpdateActionHistory, and StatusEvents.

Of particular interest was the discovery that the StatusEvents.EventHandler.UpdateStatusEvents contained annotations with [WebMethod] inside the EventHandler class, which implied that it could be leveraged to hit UpdateStatusEvents over HTTP.

To trigger the exploit, researchers utilized the IIS manager to locate the EventHandler.cs within the /WSStatusEvents endpoint. By exploring the endpoint, they were able to identify a specific request that utilized the xp_cmdshell, which could execute commands on the system, potentially leading to Remote Code Execution on the vulnerable Ivanti EPM.

To aid in understanding and testing the vulnerability, Horizon3 made the exploit code available on GitHub for users to analyze and mitigate potential risks. Additionally, users were advised to monitor MS SQL logs for any suspicious activities related to xp_cmdshell and urged to update their Ivanti EPM software to the latest version to prevent cyber threat actors from exploiting this critical vulnerability.

This incident underscores the importance of proactive cybersecurity measures and the significance of promptly addressing and patching critical vulnerabilities to safeguard sensitive information and prevent unauthorized access to systems. It serves as a stark reminder to organizations about the ever-present threat landscape and the need for continuous vigilance to stay ahead of potential security risks.

Source link