High Signal Detection and Exploitation of Ivanti's Pulse Connect Secure Auth Bypass & RCE
Introduction
Last week, Ivanti disclosed two critical vulnerabilities affecting Ivanti Pulse Connect Secure - CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Remote Command Execution).
During the testing of various versions (specifically 9.1R11.4, which was the oldest version we could deploy on Azure), we noticed that all current exploitation payloads that have been published for the authentication bypass do not work. Fortunately, through some testing, we were able to discover a way to abuse the authentication bypass on older versions of Ivanti Pulse Connect Secure.
These emerging threats first came to our attention when reading the research from Volexity and Mandiant, which detailed an extensive exploitation campaign from a sophisticated threat actor in the wild.
Given the nature of these vulnerabilities (the fact that they are critical and actively being exploited), our security research team has been working around the clock to ensure that customers of our Attack Surface Management platform have been notified if they are affected.
In this blog post, we document the process our team took in reverse engineering the vulnerabilities as well as understanding potential gaps in other detection mechanisms and exploit payloads that were published.
When this vulnerability was first disclosed, a number of security researchers were unable to obtain a copy of the VM for Pulse Connect Secure, and this caused frustration within our community. Software that is gated behind a sales process can often be more vulnerable, simply because it has not had the attention from the security research community.
We found that there were several ways to deploy Ivanti Pulse Connect Secure, as we detail below:
- AWS Marketplace: https://aws.amazon.com/marketplace/pp/prodview-2mfgisesavb6g
- Azure Marketplace: https://portal.azure.com/#create/pulse-secure.pulse-connect-secure-vm-templatepcs-byol-3nic
- Ivanti Trial Form, VMWare VM: https://application.ivanti.com/SSG/ICS/ps-ics-vmware-isa-v-22.3r1.0-b1647-package.zip
The marketplace listings only allow you to deploy versions v9.1Rxx, whereas the VM from Ivanti lets us install the latest branch of v22. Given that all of these versions were affected by this vulnerability, we made an effort to test as many versions as possible throughout our research process to ensure that the checks we were building were high signal.
During the testing of various versions (specifically 9.1R11.4, which was the oldest version we could deploy on Azure), we noticed that all current exploitation payloads that have been published for the authentication bypass do not work. Fortunately, through some testing, we were able to discover a way to abuse the authentication bypass on older versions of Ivanti Pulse Connect Secure.
As of writing this blog post, the current exploitation payloads that have been published can be found below:
When reconciling these two payloads with the vast number of Ivanti Pulse Connect Secure instances in the wild, we found that many instances were responding with a 403 with a 0 response body size. This indicated that the patch had not yet been applied, but the payloads shared publicly were not sufficient to prove the authentication bypass vulnerability.
A new payload we introduce as a detection mechanism for CVE-2023-46805 can be found below:
This will work on older versions of Ivanti Pulse Connect Secure, and typically will respond with something like the following:
This new exploit vector only allows access to the cav web application, which is quite small. From source code analysis, we identified an attack vector which can lead to RCE through a zip slip vulnerability:
Unfortunately, at the time of writing this blog post, we have not been able to generate the encrypted file required to reach the vulnerability.
Pulse Connect Secure has the concept of Threatprint databases, which are encrypted tar files that are imported within the application. If any reader has the binary <span class="code_single-line">packencrypt</span>, we would love to hear from you, but we are pretty sure that these files are signed by Ivanti and that the signature is checked, meaning that exploitation is not readily possible.
If you were to successfully encrypt a tar file, you could abuse this functionality to drop a file anywhere on the file system that is writeable.
Filesystem Access
To begin we setup Ivanti Connect Secure (ICS) in a VM and confirmed everything was running correctly. We then powered it off and attached the vmdk to an Ubuntu VM. After attempting to mount the partitions in the disk image, we found that they were LUKS encrypted. Since there was no prompt for a key or password when we ran the ICS virtual machine, the keys would have to be on the boot partition somewhere. Looking in the boot partition we found an initrd filesystem that is normally where these keys would be kept. However, it wasn’t in the usual CPIO archive format and was in fact also encrypted.
To get around this we shutdown our Ubuntu VM and started up the ICS one. In the Grub menu we pressed <span class="code_single-line">e</span> to edit the boot arguments and change the <span class="code_single-line">init</span> argument to <span class="code_single-line">/bin/sh</span>. This would cause the machine to run a shell instead of the default <span class="code_single-line">/sbin/init</span> process on startup. This would allow us to explore the filesystem after the initrd filesystem was decrypted and mounted, but before all of the normal system processes are started.
Following on from Watchtowr’s blog post, we learnt that the kernel image has a specific blacklist against this technique. The command <span class="code_single-line">/bin/sh</span> is specifically blocked, however it can be bypassed with <span class="code_single-line">init=//bin/sh</span>. After doing this we could access the key file at /etc/lvmkey.
We read the file with <span class="code_single-line">cat -vE</span> since it was a binary file. This displayed the file with non-printing characters escaped with either <span class="code_single-line">^</span>, <span class="code_single-line">M-</span> or <span class="code_single-line">$</span> if it was a newline.
Which, when decoded, gave us the following:
We then confirmed this matched with grep.
We then wrote the keys to a file with python.
And used this to decrypt and mount the LUKS volumes.
We now had full access to the filesystem and could begin looking for the authentication bypass.
REST API
The advisory from Ivanti mentioned Admin REST APIs as one of the features that would have reduced functionality after applying the patch, so this is where we decided to start our search. We searched through the filesystem and found a lot of <span class="code_single-line">cfg</span> files in <span class="code_single-line">/root/home/config</span> for various potential services. There were several which included some form of “rest server” in their name. They all ran a uWSGI server, we can see this below from <span class="code_single-line">config_restserver.spec.cfg</span>.
Since these were python services and it ran uWSGI from <span class="code_single-line">venv3</span> we searched this folder for the <span class="code_single-line">restservice</span> package and quickly found it.
We unzipped the egg archive and were able to find a list of API endpoints in <span class="code_single-line">restservice/api/init.py</span>. A snippet of these is shown below.
We pulled out this list and sent each of them through Burp Intruder to see if any were accessible without authentication. We found only two endpoints that did not respond with a 403.
- /api/private/v1/license/watermarks/xxx [302]
- /api/v1/totp/user-backup-code [405]
After looking at the source for each of these we didn’t find anything that looked immediately exploitable. However, since most of the APIs appeared to have no authentication or authorization at all, we decided to dig into why only these ones were accessible. We knew from the config file that the server ran on port 8090, this meant that there was definitely a proxy in front because we were not accessing it on that port.
How Does Auth Work?
Again, we searched through the config files and found <span class="code_single-line">web.spec.cfg</span> which ran <span class="code_single-line">bin/dsstartws</span>. Looking at <span class="code_single-line">dsstartws</span> we found a perl script that ran <span class="code_single-line">bin/web</span>.
We opened <span class="code_single-line">/root/home/bin/web</span> in Ghidra and started looking for our API endpoints. We searched for strings beginning with <span class="code_single-line">/api/v1</span> and found plenty of matches. Looking at <span class="code_single-line">/api/v1/totp/user-backup-code</span> we found it referenced in multiple functions. One of these functions <span class="code_single-line">FUN_000ab66</span> contained multiple debug log statements that included the function name, <span class="code_single-line">doAuthCheck</span>.
Looking at where our endpoint was referenced in this function we found the following.
Although there were additional checks elsewhere for the other endpoints, this one only checked the prefix matched. This meant we could append additional characters to the path and it would pass through our proxy to the python web service. To verify this we picked an easy to call endpoint and verified it ordinarily would be inaccessible.
And then tried accessing it via <span class="code_single-line">/api/v1/totp/user-backup-code</span> with a path traversal.
Now that we had the authentication bypass the next step was to find an endpoint containing the command injection vulnerability mentioned in the advisory.
Command Injection
The command injection vulnerability was easier to find than the authentication bypass. We ran a search for <span class="code_single-line">os.system</span> and <span class="code_single-line">Popen</span> calls made in the <span class="code_single-line">restservice/api</span> directory. Here are some of the results.
There were several vulnerable endpoints, the one we settled on was <span class="code_single-line">/api/v1/license/keys-status/<path:node_name></span>, the vulnerable snippet is shown below.
We can see that <span class="code_single-line">node_name</span> is appended to the command string and shell=True is set. We can append a semicolon and then run any additional commands we like. We used the following payload to create a reverse shell with python.
And sent the following request, containing our URL-encoded payload, to trigger the exploit.
Then caught the reverse shell as follows.
Conclusion
We have shown another example of a secure VPN device expose itself to widescale exploitation as the result of relatively simple security mistakes. An interum mitigation is available from the vendor which blocks access to many of these endpoints, however a full patch is yet to be released. Device integrity checks are also recommended as many devices are already compromised and the mitigation does not appear to remove any persistence mechanisms left by an attacker.
As always, customers of our Attack Surface Management platform were the first to know when this vulnerability affected them. We continue to perform original security research in an effort to inform our customers about zero-day vulnerabilities in their attack surface.
We appreciated the help from Ron Bowes at GreyNoise along the way as we worked through this emerging threat together.
More Like This
Ready to get started?
Get on a call with our team and learn how Assetnote can change the way you secure your attack surface. We'll set you up with a trial instance so you can see the impact for yourself.