Merge remote-tracking branch 'upstream/master'

db/modules_metadata_base.json

@@ -2864,6 +2864,70 @@
 
     ]
   },
+  "auxiliary_admin/http/ivanti_vtm_admin": {
+    "name": "Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)",
+    "fullname": "auxiliary/admin/http/ivanti_vtm_admin",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-08-05",
+    "type": "auxiliary",
+    "author": [
+      "Michael Heinzl",
+      "ohnoisploited",
+      "mxalias"
+    ],
+    "description": "This module exploits an access control issue in Ivanti Virtual Traffic Manager (vTM), by adding a new\n          administrative user to the web interface of the application.\n\n          Affected versions include 22.7R1, 22.6R1, 22.5R1, 22.3R2, 22.3, 22.2.",
+    "references": [
+      "PACKETSTORM-179906",
+      "CVE-2024-7593",
+      "URL-https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-08-16 15:43:34 +0000",
+    "path": "/modules/auxiliary/admin/http/ivanti_vtm_admin.rb",
+    "is_install_path": true,
+    "ref_name": "admin/http/ivanti_vtm_admin",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_admin/http/jboss_bshdeployer": {
     "name": "JBoss JMX Console Beanshell Deployer WAR Upload and Deployment",
     "fullname": "auxiliary/admin/http/jboss_bshdeployer",
@@ -22815,7 +22879,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-06-06 14:53:28 +0000",
     "path": "/modules/auxiliary/gather/ie_sandbox_findfiles.rb",
     "is_install_path": true,
     "ref_name": "gather/ie_sandbox_findfiles",
@@ -40131,7 +40195,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-06-06 14:53:28 +0000",
     "path": "/modules/auxiliary/scanner/http/rails_mass_assignment.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/rails_mass_assignment",
@@ -51906,7 +51970,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-06-06 14:53:28 +0000",
     "path": "/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb",
     "is_install_path": true,
     "ref_name": "scanner/sap/sap_icm_urlscan",
@@ -63627,7 +63691,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2024-08-09 12:07:39 +0000",
+    "mod_time": "2024-08-27 10:27:45 +0000",
     "path": "/modules/encoders/php/base64.rb",
     "is_install_path": true,
     "ref_name": "php/base64",
@@ -98872,7 +98936,7 @@
     "needs_cleanup": true
   },
   "exploit_multi/http/apache_ofbiz_forgot_password_directory_traversal": {
-    "name": "Apache OFBiz Forgot Password Directory Traversal",
+    "name": "Apache OFBiz forgotPassword/ProgramExport RCE",
     "fullname": "exploit/multi/http/apache_ofbiz_forgot_password_directory_traversal",
     "aliases": [
 
@@ -98884,11 +98948,12 @@
       "Mr-xn",
       "jheysel-r7"
     ],
-    "description": "Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable\n          endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint which in\n          turn allows for remote code execution in the context of the user running the application.",
+    "description": "Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability (CVE-2024-32113). The\n          vulnerable endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint\n          which in turn allows for remote code execution in the context of the user running the application. This was\n          patched in 18.12.14.\n\n          It was then discovered that the use of the path traversal vulnerability is not required in order to access\n          the vulnerable endpoint ProgramExport. CVE-2024-38856 was given for this Incorrect Authorization vulnerability\n          and was patched in 18.12.15.\n\n          This module was originally written the exploit CVE-2024-32113, but upon the discovery of CVE-2024-38856 the\n          module updated to not exploit the path traversal vulnerability allowing for exploitation on 18.12.14 as well.",
     "references": [
       "URL-https://github.com/Mr-xn/CVE-2024-32113",
       "URL-https://xz.aliyun.com/t/14733?time__1311=mqmx9Qwx0WDsd5YK0%3Dai%3Dmd7KbxGupD&alichlgref=https%3A%2F%2Fgithub.com%2FMr-xn%2FCVE-2024-32113",
-      "CVE-2024-32113"
+      "CVE-2024-32113",
+      "CVE-2024-38856"
     ],
     "platform": "Linux,Windows",
     "arch": "cmd",
@@ -98912,7 +98977,7 @@
       "Linux Command",
       "Windows Command"
     ],
-    "mod_time": "2024-06-14 16:59:55 +0000",
+    "mod_time": "2024-08-16 12:17:56 +0000",
     "path": "/modules/exploits/multi/http/apache_ofbiz_forgot_password_directory_traversal.rb",
     "is_install_path": true,
     "ref_name": "multi/http/apache_ofbiz_forgot_password_directory_traversal",
@@ -101318,7 +101383,7 @@
     "targets": [
       "CasinoLoader gateway.php"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-06-06 14:53:28 +0000",
     "path": "/modules/exploits/multi/http/dexter_casinoloader_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/dexter_casinoloader_exec",
@@ -257229,7 +257294,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-02-08 13:47:34 +0000",
+    "mod_time": "2024-06-06 14:53:28 +0000",
     "path": "/modules/post/multi/gather/lastpass_creds.rb",
     "is_install_path": true,
     "ref_name": "multi/gather/lastpass_creds",

documentation/modules/auxiliary/admin/http/ivanti_vtm_admin.md

@@ -0,0 +1,65 @@
+## Vulnerable Application
+
+This module exploits an access control issue in Ivanti Virtual Traffic Manager (vTM), by adding a new
+administrative user to the web interface of the application.
+
+Affected versions include:
+* 22.7R1
+* 22.6R1
+* 22.5R1
+* 22.3R2
+* 22.3
+* 22.2
+
+The vendor published an advisory [here]
+(https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US).
+
+A proof-of-concept is available [here](https://packetstormsecurity.com/files/179906).
+
+## Testing
+
+Docker images with the software are available from [here](https://hubgw.docker.com/r/pulsesecure/vtm).
+
+**Successfully tested on**
+
+- 22.7R1 on Ubuntu 20.04.6 LTS
+- 22.6R1 on Ubuntu 20.04.6 LTS
+- 22.5R1 on Ubuntu 20.04.6 LTS
+- 22.3R1 on Ubuntu 20.04.5 LTS
+- 22.2 on Ubuntu 20.04.4 LTS
+
+## Verification Steps
+
+1. Deploy Ivanti Virtual Traffic Manager (vTM)
+2. Start `msfconsole`
+3. `use auxiliary/admin/http/ivanti_vtm_admin`
+4. `set RHOSTS <IP>`
+5. `run`
+6. A new admin user should have been added to the web interface.
+
+## Options
+
+### NEW_USERNAME
+Username to be used when creating a new user with admin privileges.
+
+### NEW_PASSWORD
+Password to be used when creating a new user with admin privileges.
+
+## Scenarios
+
+Running the module against Virtual Traffic Manager (vTM) 22.7R1 should result in an output
+similar to the following:
+
+```
+msf6 > use auxiliary/admin/http/ivanti_vtm_admin 
+msf6 auxiliary(admin/http/ivanti_vtm_admin) > set RHOSTS 172.17.0.2
+msf6 auxiliary(admin/http/ivanti_vtm_admin) > exploit 
+[*] Running module against 172.17.0.2
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version: 22.7R1
+[+] New admin user was successfully added:
+	h4x0r:w00Tw00T!
+[+] Login at: https://172.17.0.2:9090/apps/zxtm/login.cgi
+[*] Auxiliary module execution completed
+```

documentation/modules/exploit/multi/http/apache_ofbiz_forgot_password_directory_traversal.md

@@ -3,6 +3,19 @@ Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulne
 endpoint `/webtools/control/forgotPassword` allows an attacker to access the `ProgramExport` endpoint which in
 turn allows for remote code execution in the context of the user running the application.
 
+It was then discovered that the use of the path traversal vulnerability is not required in order to access
+the vulnerable endpoint ProgramExport. CVE-2024-38856 was given for this Incorrect Authorization vulnerability
+and was patched in 18.12.15.
+
+This module was originally written the exploit CVE-2024-32113, but upon the discovery of CVE-2024-38856 the
+module updated to not exploit the path traversal vulnerability allowing for exploitation on 18.12.14 as well.
+
+CVE-2024-32113, Path Traversal, patched in 18.12.13:
+`/webtools/control/forgotPassword;../ProgramExport`
+
+CVE-2024-38856, Incorrect Authorization, patched in 18.12.14:
+`/webtools/control/forgotPassword/ProgramExport`
+
 ### Description
 The module can exploit Apache OFBiz running on both Windows and Linux. OFBiz has list of `deniedWebShellTokens`
 which includes strings like `curl` and `chmod` which attempts to prevent ProgramExport from being exploited. The list