Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On September 12th, 2024, ZDI and Ivanti released an advisory describing a deserialization vulnerability resulting in remote code execution with a CVSS score of 9.8. In this post we detail the internal workings of this vulnerability. Our POC can be found here. We would like to credit @SinSinology with the discovery of this vulnerability.
The ZDI advisory told us exactly where to look for the vulnerability. A service named AgentPortal
. A quick search shows us that we can find the file at C:\Program Files\LanDesk\ManagementSuite\AgentPortal.exe
. Upon further investigation, we find that it is a .NET binary.
After loading AgentPortal.exe
into JetBrains dotPeek for decompilation, we find that its not a very complicated program. It’s main responsibility is creating a .NET Remoting service for the IAgentPortal
interface.
The IAgentPortal
interface is pretty simple, it consists of functions to create Requests
and other functions to get the results and check the status of those requests. Digging into what kind of requests we can make, we find the ActionEnum
enum.
We are immediately drawn to the RunProgram
option. The handler for that option shows a very easy way for an attacker to run an arbitrary program.
This is a pretty straightforward RCE, we wanted to be sure that we were looking at the correctly vulnerability, so we loaded up a patched version of EPM to see if anything changed in AgentPortal.exe
.
There are two main fixes we found in the patched version of EPM. The first restricts what kind of programs can be ran by ProcessRunProgramAction
to ping.exe
and tracert.exe
.
The second centers around ensuring that AgentPortal
service only runs if the Windows Firewall is enabled.
This leads us to some caveats about our understanding of this vulnerability.
While we are pretty sure that the vulnerability described in this post is the true CVE-2024-29847. There are two issues that give us pause. The first is that while this vulnerability technically involves deserialization, we feel it would be more accurately described as a command injection. This makes us wonder if there is another aspect of this vulnerability that we may have missed.
The second issue is centered around this vulnerability’s interaction with the firewall. The fix above clearly demonstrates that Ivanti expects the firewall to be enabled in order for this service to function. Additionally, in our lab installations, we had to open up a hole in the Windows Firewall for this exploit to work. If this is the case for most installations of EPM, then this vulnerability would not be that serious as the Windows Firewall would block any exploit attempts. However, when we examined a few live installations of EPM in the field, we found that every instance had the vulnerable port exposed. This discrepancy could be attributed to a few things:
- Our lab installation was not complete and further setup and usage could have led us to opening up the firewall for full functionality.
- Some prod installations of EPM could run with other products that require ephemeral ports to be exposed.
- There could be an additional piece of this exploit that we missed that causes the vulnerable port to become exposed.
The port used by the AgentPortal
service can be found in the registry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\SharedComponents\LANDeskAgentPortal
.
Any unexpected connections to the AgentPortal
address in your environment should be investigated for malicious activity.
The post CVE-2024-29847 Deep Dive: Ivanti Endpoint Manager AgentPortal Deserialization of Untrusted Data Remote Code Execution Vulnerability appeared first on Horizon3.ai.
*** This is a Security Bloggers Network syndicated blog from Horizon3.ai authored by James Horseman. Read the original post at: https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29847-deep-dive-ivanti-endpoint-manager-agentportal-deserialization-of-untrusted-data-remote-code-execution-vulnerability/