Ivanti EPM Remote Code Execution

Overview

In December 2021, Ivanti announced a remote code execution vulnerability in their Endpoint Manager (EPM) Cloud Appliance in security advisory SA-2021-12-02 (https://forums.ivanti.com/s/article/SA-2021-12-02). In March 2022, Synack Red Team members collaborated on a working exploit for the vulnerability, which @dinosyn later released on Twitter.

The vulnerability itself is very straightforward. The application logic behind the /index/client.php page appears to have passed the value of the 'c' cookie to an unsafe evaluation, which resulted in remote code execution as the low-privileged user "nobody". I am guessing the code contained an unsafe eval of the cookie's value to validate authentication, which probably looked something along the lines of the following snippet, although I would expect some sort of validation logic to be included:

{$_COOKIE['c'] .= ';';eval($_COOKIE['c']);exit;}

The PHP eval function does as the name implies: it evaluates the string it is given as PHP code. Therefore, if an application passes user-controlled input (here, a cookie) into eval without validating or sanitizing it, remote code execution is possible. Note that base64-encoding the cookie, as this appliance did, is not validation; it only changes how the attacker's code is transported, and the server decodes it back before evaluating it.

Bounties

Because of how simple this vulnerability was to exploit, I knew I would have an extremely small window of opportunity to find some bounties without getting duplicates. I keep all of my recon data on targets for just such occasions. If you aren't holding onto historical data from your bounties, I highly recommend that you do.

I did a little reconnaissance on some EPM instances that were easy to find on the internet via Google and found that the majority of the pages were titled "LANDesk(R) Cloud Services Appliance". I ran through all of the existing data I had on bounty programs for page titles that contained "LAN". I ended up finding 12 targets without any additional recon needed. It turned out that they were all still alive and that they were all vulnerable.

To conduct a proof-of-exploit for these vulnerable targets, I spun up Burp Suite and navigated to each target's /index/client.php page. I captured the page in its natural state and then sent the request to the Repeater tab.

In Repeater, I added the following cookie values to demonstrate the RCE:

Cookie: ab=ab; c=cGhwaW5mbygpOw==; d=; e=

The 'c' cookie's value is the string phpinfo(); base64-encoded (cGhwaW5mbygpOw== decodes to phpinfo(); including the trailing semicolon). Sending this request demonstrates the RCE: the phpinfo() output is rendered inside the /index/client.php response, behind the page's normal content.

That's it, about as simple as an RCE can get.

Vulnerability Remediation and Payouts

Because this vulnerability is in a commercial product, I simply recommended that the affected organizations apply the patch provided by Ivanti. Many of the organizations I submitted the vulnerability to realized that they no longer needed the EPM Cloud Appliance online, so they shut it down.

All in all, I submitted 12 vulnerabilities over about 48 hours and netted a total of $6,500, with 3 payouts still pending all these months later (gotta love some programs' attentiveness).
