We initially wrote this post in reference to CVE-2024-29847, however this post actually describes CVE-2023-28324. We had incorrectly assumed that the SU5 update was comprehensive which resulted in us mistaking CVE-2023-28324 for CVE-2024-29847. The content still reflects some references to CVE-2024-29847.
Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On September 12th, 2024, ZDI and Ivanti released an advisory describing a deserialization vulnerability resulting in remote code execution with a CVSS score of 9.8. In this post we detail the internal workings of this vulnerability. Our POC can be found here.
The ZDI advisory told us exactly where to look for the vulnerability. A service named AgentPortal
. A quick search shows us that we can find the file at C:\Program Files\LanDesk\ManagementSuite\AgentPortal.exe
. Upon further investigation, we find that it is a .NET binary.
After loading AgentPortal.exe
into JetBrains dotPeek for decompilation, we find that its not a very complicated program. It’s main responsibility is creating a .NET Remoting service for the IAgentPortal
interface.
The IAgentPortal
interface is pretty simple, it consists of functions to create Requests
and other functions to get the results and check the status of those requests. Digging into what kind of requests we can make, we find the ActionEnum
enum.
We are immediately drawn to the RunProgram
option. The handler for that option shows a very easy way for an attacker to run an arbitrary program.
This is a pretty straightforward RCE, we wanted to be sure that we were looking at the correctly vulnerability, so we loaded up a patched version of EPM to see if anything changed in AgentPortal.exe
.
There are two main fixes we found in the patched version of EPM. The first restricts what kind of programs can be ran by ProcessRunProgramAction
to ping.exe
and tracert.exe
.
The second centers around ensuring that AgentPortal
service only runs if the Windows Firewall is enabled.
This leads us to some caveats about our understanding of this vulnerability.
While we are pretty sure that the vulnerability described in this post is the true CVE-2024-29847. There are two issues that give us pause. The first is that while this vulnerability technically involves deserialization, we feel it would be more accurately described as a command injection. This makes us wonder if there is another aspect of this vulnerability that we may have missed.
The second issue is centered around this vulnerability’s interaction with the firewall. The fix above clearly demonstrates that Ivanti expects the firewall to be enabled in order for this service to function. Additionally, in our lab installations, we had to open up a hole in the Windows Firewall for this exploit to work. If this is the case for most installations of EPM, then this vulnerability would not be that serious as the Windows Firewall would block any exploit attempts. However, when we examined a few live installations of EPM in the field, we found that every instance had the vulnerable port exposed. This discrepancy could be attributed to a few things:
The port used by the AgentPortal
service can be found in the registry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\SharedComponents\LANDeskAgentPortal
.
Any unexpected connections to the AgentPortal
address in your environment should be investigated for malicious activity.