Merge branch 'master' into securestep9-patch-v0.3.3-1

securestep9 · web-flow · commit 9e1dbca29313 · 2024-01-20T21:58:44.000Z
diff --git a/modules/scan/ivanti_epmm_lastpatcheddate.yaml b/modules/scan/ivanti_epmm_lastpatcheddate.yaml
@@ -0,0 +1,48 @@
+info:
+  name: ivanti_epmm_lastpatcheddate_scan
+  author: OWASP Nettacker Team
+  severity: 3
+  description: Ivanti EPMM Last Patched Date Scan
+  reference:
+  profiles:
+    - scan
+    - http
+    - ivanti
+    - low_severity
+
+payloads:
+  - library: http
+    steps:
+      - method: head
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/mifs/css/pages/userlogin.css"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          condition_type: and
+          log: "response_dependent['headers']['Last-Modified']"
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            headers:
+              Last-Modified:
+                regex: .*  
+                reverse: false
+              Content-Type:
+                regex: "css"
+                reverse: false  
diff --git a/modules/scan/ivanti_ics_lastpatcheddate.yaml b/modules/scan/ivanti_ics_lastpatcheddate.yaml
@@ -0,0 +1,48 @@
+info:
+  name: ivanti_ics_lastpatcheddate_scan
+  author: OWASP Nettacker Team
+  severity: 3
+  description: Ivanti ICS Last Patched Date Scan
+  reference:
+  profiles:
+    - scan
+    - http
+    - ivanti
+    - low_severity
+
+payloads:
+  - library: http
+    steps:
+      - method: head
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/dana-na/css/ds.js"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          condition_type: and
+          log: "response_dependent['headers']['Last-Modified']"
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            headers:
+              Last-Modified:
+                regex: .*  
+                reverse: false
+            Content-Type: 
+              regex: "javascript"
+              reverse: false
diff --git a/modules/vuln/ivanti_epmm_cve_2023_35082.yaml b/modules/vuln/ivanti_epmm_cve_2023_35082.yaml
@@ -0,0 +1,53 @@
+info:
+  name: ivanti_epmm_cve_2023_35082_vuln
+  author: OWASP Nettacker team 
+  severity: 9.8
+  description: CVE-2023-35082 is an authentication bypass in Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core
+  reference: 
+    - https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older
+    - https://www.cisa.gov/news-events/alerts/2024/01/18/cisa-adds-one-known-exploited-vulnerability-catalog
+    - https://www.helpnetsecurity.com/2024/01/19/exploited-cve-2023-35082/
+    - https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/
+  profiles:
+    - vuln
+    - vulnerability
+    - http
+    - high_severity
+    - cve
+    - ivanti
+    - ivanti_epmm
+    - cisa_kev
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/{{paths}}"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              paths:  
+                - "mifs/asfV3/api/v2/ping"
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            content:
+              regex: "vspVersion"
+              reverse: false
diff --git a/modules/vuln/ivanti_ics_cve_2023_46805.yaml b/modules/vuln/ivanti_ics_cve_2023_46805.yaml
@@ -22,7 +22,7 @@ payloads:
       - method: get
         timeout: 3
         headers:
-          User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36"
+          User-Agent: "{user_agent}"
         allow_redirects: false
         ssl: false
         url:
@@ -44,8 +44,8 @@ payloads:
           condition_type: and
           conditions:
             status_code:
-              regex: '403'
+              regex: "403"
               reverse: false
             content:
-              regex: '<html>'
+              regex: "<html>"
               reverse: true
