And from @Rapid7Official's @stephenfewer we have a (mostly) working exploit:
https://github.com/sfewer-r7/CVE-2025-0282
While my naive attempt to get control of EIP leveraged both a known heap address and a known stack address, I wasn't very pleased with it due to the combined entropy of the heap (14 bits) and the stack (12 bits).
Had I tried a bit harder, I could have found the bits that I needed all in a single loaded library (libdsplibs.so). And since it's a 32-bit app, we'll expect to see about 9 bits of entropy, which is very easily brute-forceable in a listening service that re-spawns itself when it crashes.
Tweaks necessary to get this to RCE properly (at least with my VMs):
With these tweaks, I can pop my 22.7R2.4 ICS box in seconds. 🎉
The fact that a 2025 Ivanti ICS box has 32-bit binaries, no stack canaries (which is a mitigation that has been around for 20 years), and no official way to determine if a box is compromised that is sound makes it seem that Ivanti does not REALLY care about security. But please, draw your own conclusions here.
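The entropy arithmetic in the post (14 + 12 bits for two independent leaks versus roughly 9 bits for a single 32-bit library base) is something a defender can measure rather than estimate. The following added example is not from the toot, Rapid7's repository, or Ivanti; it samples a mapping's base address across fresh processes on Linux (via /proc/self/maps) and counts how many bit positions actually vary, then converts that to the mean number of guesses a crash-and-respawn service would hand an attacker. The `CONSTRUCTED_BASES` values are made-up 32-bit samples used for the offline demonstration, and `libdsplibs.so` is only referenced as the name the post mentions.

```python
"""Audit how much ASLR entropy a mapping really has (defender-side check).
Added example, not code from the original post or from any vendor."""
import subprocess
import sys
from typing import Iterable, List


def varying_bits(addresses: Iterable[int]) -> int:
    """Count bit positions that differ across sampled base addresses.

    With enough samples this converges on the true number of randomized bits;
    with few samples it is a lower bound on what is randomized.
    """
    addrs = list(addresses)
    if len(addrs) < 2:
        raise ValueError("need at least two samples")
    diff = 0
    for a in addrs[1:]:
        diff |= a ^ addrs[0]  # any bit that ever flips is a randomized bit
    return bin(diff).count("1")


def expected_attempts(bits: int) -> float:
    """Mean guesses to hit one fixed address under `bits` of uniform entropy.

    A service that respawns after every crash lets each guess cost one crash,
    which is why 9 bits (~256 tries on average) is considered trivially
    brute-forceable while 26 bits (heap + stack leaks combined) is not.
    """
    return 2 ** bits / 2


def sample_base(library: str, runs: int) -> List[int]:
    """Spawn a fresh interpreter `runs` times and read the base of the first
    mapping whose path contains `library` (Linux only; substring match)."""
    script = (
        "for line in open('/proc/self/maps'):\n"
        f"    if {library!r} in line:\n"
        "        print(line.split('-')[0]); break\n"
    )
    bases = []
    for _ in range(runs):
        out = subprocess.run(
            [sys.executable, "-c", script],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
        if out:
            bases.append(int(out, 16))
    return bases


# Constructed 32-bit samples (not real Ivanti addresses): a page-aligned base
# whose randomized field spans 9 bits, the situation the post describes.
CONSTRUCTED_BASES = [0xB7E00000 | (r << 12) for r in (0x1FF, 0x000, 0x155, 0x0AA)]


if __name__ == "__main__":
    bits = varying_bits(CONSTRUCTED_BASES)
    print(f"constructed sample: {bits} randomized bits, "
          f"~{expected_attempts(bits):.0f} mean guesses")
    if sys.platform.startswith("linux"):
        # Audit a real library on this host, e.g. libc; swap in the library
        # you care about (the post names libdsplibs.so on the appliance).
        real = sample_base("libc", 32)
        if len(real) >= 2:
            b = varying_bits(real)
            print(f"libc on this host: {b} randomized bits observed over "
                  f"{len(real)} runs, ~{expected_attempts(b):.0f} mean guesses")
```

Run it on the host you are auditing; a 32-bit service whose library base shows single-digit randomized bits is exactly the case where stack canaries and a non-respawning crash policy are doing the real work.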
Toot by wdormann@infosec.exchange