From 32ada7decc1d3a7b050272f27d01c9b5448ff49e Mon Sep 17 00:00:00 2001
From: Sam Stepanyan
Date: Tue, 31 Oct 2023 22:47:37 +0000
Subject: [PATCH 01/23] Update version.txt 0.3.2
Signed-off-by: Sam Stepanyan
---
 version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.txt b/version.txt
index 4a1a5cbf0..7ae773097 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-0.3.1 TRENT
+0.3.2 TRENT

From 2a0727200fff142067b4a875fa694501fbee0a38 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 27 Nov 2023 22:32:36 +0000
Subject: [PATCH 02/23] Bump aiohttp from 3.8.5 to 3.9.1
Bumps [aiohttp](https://github.com/aio-libs/aiohttp) from 3.8.5 to 3.9.1.
- [Release notes](https://github.com/aio-libs/aiohttp/releases)
- [Changelog](https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst)
- [Commits](https://github.com/aio-libs/aiohttp/compare/v3.8.5...v3.9.1)
---
updated-dependencies:
- dependency-name: aiohttp
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 431e3a6ff..f06740d4e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,7 +2,7 @@ argparse==1.4.0
 netaddr==0.9.0
 ipaddr==2.2.0
 requests==2.31.0
-aiohttp==3.8.5
+aiohttp==3.9.1
 asyncio==3.4.3
 paramiko==3.3.1
 texttable==1.6.7

From 7423a7947742d9f9448c1d7bf70597589eb7c7b2 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Tue, 28 Nov 2023 14:51:50 +0000
Subject: [PATCH 03/23] fix: requirements.txt to reduce vulnerabilities
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091621
- https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091622
- https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091623
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt index 431e3a6ff..122b25daf 100644 --- a/requirements.txt +++ b/requirements.txt @@ -2,7 +2,7 @@ argparse==1.4.0 netaddr==0.9.0 ipaddr==2.2.0 requests==2.31.0 -aiohttp==3.8.5 +aiohttp==3.9.0 asyncio==3.4.3 paramiko==3.3.1 texttable==1.6.7 From bce2c8d442a5ecfaae710f79ffc622cbc81e777c Mon Sep 17 00:00:00 2001 From: Ali Razmjoo Date: Thu, 30 Nov 2023 08:17:20 +0100 Subject: [PATCH 04/23] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7b501a87b..40c5c78fd 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ OWASP Nettacker project is created to automate information gathering, vulnerabil * How to use the Dockerfile: https://github.com/OWASP/Nettacker/wiki/Installation#docker * OpenHub: https://www.openhub.net/p/OWASP-Nettacker * **Donate**: https://owasp.org/donate/?reponame=www-project-nettacker&title=OWASP+Nettacker +* **Read More**: https://www.secologist.com/open-source-projects ____________ Quick Setup & Run From 3679ac7ec51d1e1e6b8b3950e7a70118b39d4784 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 30 Nov 2023 07:27:46 +0000 Subject: [PATCH 05/23] Bump numpy from 1.26.0 to 1.26.2 Bumps [numpy](https://github.com/numpy/numpy) from 1.26.0 to 1.26.2. - [Release notes](https://github.com/numpy/numpy/releases) - [Changelog](https://github.com/numpy/numpy/blob/main/doc/RELEASE_WALKTHROUGH.rst) - [Commits](https://github.com/numpy/numpy/compare/v1.26.0...v1.26.2) --- updated-dependencies: - dependency-name: numpy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 122b25daf..ea0c6b2de 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -11,6 +11,6 @@ pyOpenSSL==23.2.0 # library_name=OpenSSL
 flask==3.0.0
 SQLAlchemy>=1.4.43 # library_name=sqlalchemy
 py3DNS==4.0.0 # library_name=DNS
-numpy==1.26.0
+numpy==1.26.2
 terminable_thread==0.7.1
 PyYAML==6.0.1 # library_name=yaml
\ No newline at end of file

From 458465ac9c1462ae9ecdca067f07072b526d44b9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 30 Nov 2023 22:48:48 +0000
Subject: [PATCH 06/23] Bump ipython from 8.16.1 to 8.18.1
Bumps [ipython](https://github.com/ipython/ipython) from 8.16.1 to 8.18.1.
- [Release notes](https://github.com/ipython/ipython/releases)
- [Commits](https://github.com/ipython/ipython/commits/8.18.1)
---
updated-dependencies:
- dependency-name: ipython
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
 requirements-dev.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements-dev.txt b/requirements-dev.txt
index c02e940c4..d2f086bce 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -1,2 +1,2 @@
 flake8==6.0.0
-ipython==8.16.1
\ No newline at end of file
+ipython==8.18.1
\ No newline at end of file

From 2d5e9285de744ec5acb91ab40cb7bd44004529d6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 13 Dec 2023 22:53:33 +0000
Subject: [PATCH 07/23] Bump github/codeql-action from 2 to 3
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2...v3)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] --- .github/workflows/codeql-analysis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 42c73709e..20dfc2ba6 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -56,7 +56,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -69,6 +69,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" From 62c5899f9b69bb4d01531b9dc5a649ba0c5ae712 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Tue, 19 Dec 2023 16:05:29 +0000 Subject: [PATCH 08/23] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-PARAMIKO-6130887 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 9e00766bd..dfd35c544 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -4,7 +4,7 @@ ipaddr==2.2.0
 requests==2.31.0
 aiohttp==3.9.1
 asyncio==3.4.3
-paramiko==3.3.1
+paramiko==3.4.0
 texttable==1.6.7
 PySocks==1.7.1 # library_name=socks # module name is not equal to socks name; this is required to be checked on startup
 pyOpenSSL==23.2.0 # library_name=OpenSSL

From f80ac7945118bc47194d87b49aa065fdd48d4a97 Mon Sep 17 00:00:00 2001
From: Captain-T2004 <126911424+Captain-T2004@users.noreply.github.com>
Date: Wed, 17 Jan 2024 00:26:54 +0530
Subject: [PATCH 09/23] Added new module, CVE_2023_6875
---
 modules/vuln/wp_plugin_cve_2023_6875.yaml | 51 +++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 modules/vuln/wp_plugin_cve_2023_6875.yaml

diff --git a/modules/vuln/wp_plugin_cve_2023_6875.yaml b/modules/vuln/wp_plugin_cve_2023_6875.yaml
new file mode 100644
index 000000000..30cf3bcc4
--- /dev/null
+++ b/modules/vuln/wp_plugin_cve_2023_6875.yaml
@@ -0,0 +1,51 @@ +info: + name: wp_plugin_cve_2023_6875_vuln + author: Captain-T2004 + severity: 9 + description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-6875 + - https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabilities-in-post-smtp-mailer-wordpress-plugin/ + - https://www.cve.org/CVERecord?id=CVE-2023-6875 + profiles: + - vuln + - vulnerability + - http + - critical_severity + - cve2023 + - cve + - wordpress + - wp_plugin + +payloads: + - library: http + steps: + - method: post + timeout: 3 + headers: + User-Agent: "{user_agent}" + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/wp-json/post-smtp/v1/connect-app" + prefix: "" + suffix: "" + interceptors: + data: + schema: + - "http" + - "https" + ports: + - 80 + - 443 + response: + success_conditions: content + condition_type: and + conditions: + content: + regex: "fcm_token" + reverse: false + status_code: + regex: "200" + reverse: false From 826405c4afedf9b5108284b18331cf35d08cbf22 Mon Sep 17 00:00:00 2001 From: Jimmy Date: Tue, 16 Jan 2024 19:53:39 +0000 Subject: [PATCH 10/23] Create ivanti_ics_cve_2023_46805_and_cve_2024_21887.yaml --- ...ics_cve_2023_46805_and_cve_2024_21887.yaml | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 modules/vuln/ivanti_ics_cve_2023_46805_and_cve_2024_21887.yaml diff --git a/modules/vuln/ivanti_ics_cve_2023_46805_and_cve_2024_21887.yaml b/modules/vuln/ivanti_ics_cve_2023_46805_and_cve_2024_21887.yaml new file mode 100644 index 000000000..08a450bcc --- /dev/null +++ b/modules/vuln/ivanti_ics_cve_2023_46805_and_cve_2024_21887.yaml 
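Review bot: The `description` in the `info` block calls CVE-2023-6875 an unauthenticated stored XSS, which is hard to reconcile with `severity: 9` and the `critical_severity` profile, and the linked Wordfence reference is titled around a type-juggling flaw in the same plugin — confirm which of the plugin's issues this module targets and align description, severity and profile. `success_conditions: content` under `response` appears in no other module in this series (the Ivanti and Citrix modules use `condition_type` alone), so it is either dead text or an undocumented key; drop it unless the engine consumes it. The step is also a bodyless POST to `/wp-json/post-smtp/v1/connect-app` matched on a 200 containing `fcm_token`, which is at most a presence check for the vulnerable route rather than a confirmation of exploitability, and the description should say so, e.g. `description: ... (detection only - probes the connect-app REST route, does not exploit it)`.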
@@ -0,0 +1,51 @@ +info: + name: ivanti_ics_cve_2023_46805_and_cve_2024_21887_vuln + author: Jimmy Ly + severity: 9.1 + description: Ivanti Connect Secure Unauthenticated Remote Code Execution. CVE-2023-46805 is an authentication bypass and CVE-2024-21887 is a command injection vulnerability in the web component of Ivanti ICS 9.x, 22.x. These two vulnerabilites can be chained to allow remote code exeuction as an unauthenticated user. + reference: + - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US + - https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887 + profiles: + - vuln + - vulnerability + - http + - critical_severity + - cve + - ivanti + - ivanti_connect_secure + - invati_ics + +payloads: + - library: http + steps: + - method: get + timeout: 3 + headers: + User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36" + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/{{paths}}" + prefix: "" + suffix: "" + interceptors: + data: + paths: + - "api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark" + schema: + - "http" + - "https" + ports: + - 80 + - 443 + response: + condition_type: and + conditions: + status_code: + regex: '403' + reverse: false + content: + regex: '' + reverse: true \ No newline at end of file From d32ce138aefce8147a557f2176d805559bacc082 Mon Sep 17 00:00:00 2001 
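Review bot: The `response` block reports a finding when a direct unauthenticated GET of `api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark` returns `403`, but a 403 is the normal answer from an authenticated-only REST route on any patch level; the references describe an authentication bypass, i.e. a way to reach such a route without the 403, so as written this check may not separate a vulnerable appliance from a mitigated one — validate it against a known-vulnerable and a mitigated host before shipping. The `description` should state exactly what a hit means (presence of the product, mitigation present, or vulnerable), e.g. `description: ... A 403 from this route indicates the API is exposed; this module does not attempt the bypass itself` if that is the intent. Hard-coding the Chrome `User-Agent` here also diverges from the `{user_agent}` placeholder the other modules use.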
From: Jimmy Date: Thu, 18 Jan 2024 15:00:24 +0000 Subject: [PATCH 11/23] Update and rename ivanti_ics_cve_2023_46805_and_cve_2024_21887.yaml to ivanti_ics_cve_2023_46805.yaml --- ..._2024_21887.yaml => ivanti_ics_cve_2023_46805.yaml} | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) rename modules/vuln/{ivanti_ics_cve_2023_46805_and_cve_2024_21887.yaml => ivanti_ics_cve_2023_46805.yaml} (76%) diff --git a/modules/vuln/ivanti_ics_cve_2023_46805_and_cve_2024_21887.yaml b/modules/vuln/ivanti_ics_cve_2023_46805.yaml similarity index 76% rename from modules/vuln/ivanti_ics_cve_2023_46805_and_cve_2024_21887.yaml rename to modules/vuln/ivanti_ics_cve_2023_46805.yaml index 08a450bcc..d01ce9e77 100644 --- a/modules/vuln/ivanti_ics_cve_2023_46805_and_cve_2024_21887.yaml +++ b/modules/vuln/ivanti_ics_cve_2023_46805.yaml @@ -1,8 +1,8 @@ info: - name: ivanti_ics_cve_2023_46805_and_cve_2024_21887_vuln + name: ivanti_ics_cve_2023_46805_vuln author: Jimmy Ly - severity: 9.1 - description: Ivanti Connect Secure Unauthenticated Remote Code Execution. CVE-2023-46805 is an authentication bypass and CVE-2024-21887 is a command injection vulnerability in the web component of Ivanti ICS 9.x, 22.x. These two vulnerabilites can be chained to allow remote code exeuction as an unauthenticated user. + severity: 8.2 + description: CVE-2023-46805 is an authentication bypass that is usually chained with CVE-2024-21887 to perform remote code execution on Ivanti ICS 9.x, 22.x. This module checks whether the mitigations have been applied for CVE-2023-46805. reference: - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US - https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887 @@ -10,7 +10,7 @@ info: - vuln - vulnerability - http - - critical_severity + - high_severity - cve - ivanti - ivanti_connect_secure 
@@ -48,4 +48,4 @@ payloads: reverse: false content: regex: '' - reverse: true \ No newline at end of file + reverse: true From ae518acaf2df42cceb06e6f6321465d82596515b Mon Sep 17 00:00:00 2001 From: Sam Stepanyan Date: Fri, 19 Jan 2024 01:22:01 +0000 Subject: [PATCH 12/23] Update wp_plugin_small.txt Added post-smtp (CVE-2023-6875) Signed-off-by: Sam Stepanyan --- lib/payloads/wordlists/wp_plugin_small.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/payloads/wordlists/wp_plugin_small.txt b/lib/payloads/wordlists/wp_plugin_small.txt index e0b7b61fa..63fc4f802 100644 --- a/lib/payloads/wordlists/wp_plugin_small.txt +++ b/lib/payloads/wordlists/wp_plugin_small.txt @@ -145,6 +145,7 @@ placester plugin-dir plugin-newsletter post-highlights +post-smtp premium_gallery_manager pretty-link profiles From e9d0ca07fda2fc2e7755cbdc1c708df538e53c5e Mon Sep 17 00:00:00 2001 From: Sam Stepanyan Date: Fri, 19 Jan 2024 01:45:38 +0000 Subject: [PATCH 13/23] Update version.txt bumping version to 0.3.3 for new release Signed-off-by: Sam Stepanyan --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 7ae773097..925f5e795 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.3.2 TRENT +0.3.3 TRENT From af3a37112223bb66551d768a298fda35a4cd77af Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jan 2024 22:35:54 +0000 Subject: [PATCH 14/23] Bump flask from 3.0.0 to 3.0.1 Bumps [flask](https://github.com/pallets/flask) from 3.0.0 to 3.0.1. - [Release notes](https://github.com/pallets/flask/releases) - [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/flask/compare/3.0.0...3.0.1) --- updated-dependencies: - dependency-name: flask dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index dfd35c544..4ec83db08 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,7 +8,7 @@ paramiko==3.4.0 texttable==1.6.7 PySocks==1.7.1 # library_name=socks # module name is not equal to socks name; this is required to be checked on startup pyOpenSSL==23.2.0 # library_name=OpenSSL -flask==3.0.0 +flask==3.0.1 SQLAlchemy>=1.4.43 # library_name=sqlalchemy py3DNS==4.0.0 # library_name=DNS numpy==1.26.2 From d2ea491b801817ad066e43942af42ee481e3eb29 Mon Sep 17 00:00:00 2001 From: Sam Stepanyan Date: Fri, 19 Jan 2024 23:58:14 +0000 Subject: [PATCH 15/23] New Module: Citrix Gateway Last Patched Date Scan Signed-off-by: Sam Stepanyan --- modules/scan/citrix_lastpatcheddate.yaml | 45 ++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 modules/scan/citrix_lastpatcheddate.yaml diff --git a/modules/scan/citrix_lastpatcheddate.yaml b/modules/scan/citrix_lastpatcheddate.yaml new file mode 100644 index 000000000..ba72c6bc6 --- /dev/null +++ b/modules/scan/citrix_lastpatcheddate.yaml @@ -0,0 +1,45 @@ +info: + name: citrix_lastpatcheeddate_scan + author: OWASP Nettacker Team + severity: 3 + description: Citrix Netscaler Gateway Last Patched Date Scan + reference: + profiles: + - scan + - http + - citrix + - low_severity + +payloads: + - library: http + steps: + - method: head + timeout: 3 + headers: + User-Agent: "{user_agent}" + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/epa/scripts/win/nsepa_setup.exe" + prefix: "" + suffix: "" + interceptors: + data: + schema: + - "http" + - "https" + ports: + - 80 + - 443 + response: + condition_type: and + log: "response_dependent['headers']['Last-Modified']" + conditions: + status_code: + regex: "200" + reverse: false + headers: + Last-Modified: + regex: .* + reverse: false 
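Review bot: `name: citrix_lastpatcheeddate_scan` carries a typo (`patcheed`) that the later Ivanti modules in this series get corrected but this one does not; module names are user-facing selectors, so change it to `name: citrix_lastpatcheddate_scan` before release. `reference:` is left empty, and nothing explains what the `Last-Modified` header of `/epa/scripts/win/nsepa_setup.exe` is expected to track; a CDN or reverse proxy can rewrite that header, so the value is a hint rather than proof of patch level. Suggest a one-line caveat in the description, e.g. `description: Citrix NetScaler Gateway Last Patched Date Scan (infers the build date from Last-Modified of nsepa_setup.exe; treat as indicative, not authoritative)`.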
From f8a7f60b8fc3309236ec6e4897d217fcb4559798 Mon Sep 17 00:00:00 2001 From: Sam Stepanyan Date: Sat, 20 Jan 2024 01:18:41 +0000 Subject: [PATCH 16/23] New Module: HTML Title scan extract TITLE from the scan target as it can help identify what application is running on the server Signed-off-by: Sam Stepanyan --- modules/scan/http_html_title.yaml | 44 +++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 modules/scan/http_html_title.yaml diff --git a/modules/scan/http_html_title.yaml b/modules/scan/http_html_title.yaml new file mode 100644 index 000000000..4d4f610cb --- /dev/null +++ b/modules/scan/http_html_title.yaml @@ -0,0 +1,44 @@ +info: + name: status_scan + author: OWASP Nettacker Team + severity: 3 + description: HTTP Title scan + reference: + profiles: + - scan + - http + - backup + - low_severity + +payloads: + - library: http + steps: + - method: get + timeout: 3 + headers: + User-Agent: "{user_agent}" + allow_redirects: true + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}" + prefix: "" + suffix: "" + interceptors: + data: + schema: + - "http" + - "https" + ports: + - 80 + - 443 + response: + condition_type: or + log: "response_dependent['status_code'] response_dependent['content']" + conditions: + status_code: + regex: \d\d\d + reverse: false + content: + regex: (.+?) + reverse: false From 4acfac057067e587940592d190596461a6bbb439 Mon Sep 17 00:00:00 2001 From: Sam Stepanyan Date: Sat, 20 Jan 2024 01:29:37 +0000 Subject: [PATCH 17/23] Update http_html_title.yaml Signed-off-by: Sam Stepanyan --- modules/scan/http_html_title.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/scan/http_html_title.yaml b/modules/scan/http_html_title.yaml index 4d4f610cb..481a95683 100644 --- a/modules/scan/http_html_title.yaml +++ b/modules/scan/http_html_title.yaml 
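Review bot: The `content` condition `regex: (.+?)` as shown matches any non-empty body, so together with `condition_type: or` and `status_code: \d\d\d` every reachable host is reported and nothing about a title is actually extracted; if the `<title>…</title>` delimiters were lost when this was pasted they need restoring as `regex: <title>(.+?)</title>`, and if not, the pattern needs them anyway. The `log` expression references `response_dependent['content']`, which will put full HTML bodies into the report; if the engine exposes the captured group, log that instead. `allow_redirects: true` differs from every other module here — fine for a title grab, but worth a comment such as `# follow redirects so the landing page title is captured` so it is not "fixed" later.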
@@ -1,13 +1,12 @@ info: - name: status_scan + name: http_html_title_scan author: OWASP Nettacker Team severity: 3 - description: HTTP Title scan + description: HTTP HTML Title scan - extracts the TITLE tag which can help identify the application running on the server reference: profiles: - scan - http - - backup - low_severity payloads: From 39964d8ce8e6286e4734184d478e7efc4e3402f8 Mon Sep 17 00:00:00 2001 From: Sam Stepanyan Date: Sat, 20 Jan 2024 15:26:56 +0000 Subject: [PATCH 18/23] Update ivanti_ics_cve_2023_46805.yaml UA fix replaced hardcoded UserAgent with variable Signed-off-by: Sam Stepanyan --- modules/vuln/ivanti_ics_cve_2023_46805.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/vuln/ivanti_ics_cve_2023_46805.yaml b/modules/vuln/ivanti_ics_cve_2023_46805.yaml index d01ce9e77..7e7fe1c8d 100644 --- a/modules/vuln/ivanti_ics_cve_2023_46805.yaml +++ b/modules/vuln/ivanti_ics_cve_2023_46805.yaml @@ -22,7 +22,7 @@ payloads: - method: get timeout: 3 headers: - User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36" + User-Agent: "{user_agent}" allow_redirects: false ssl: false url: @@ -44,8 +44,8 @@ payloads: condition_type: and conditions: status_code: - regex: '403' + regex: "403" reverse: false content: - regex: '' + regex: "" reverse: true From 311192138314af86049932e51559cc635b489e4a Mon Sep 17 00:00:00 2001 From: Sam Stepanyan Date: Sat, 20 Jan 2024 19:59:02 +0000 Subject: [PATCH 19/23] New Module: Ivanti EPMM CVE-2023-35082 detect Ivanti EPMM CVE-2023-35082 vulnerability Signed-off-by: Sam Stepanyan --- modules/vuln/ivanti_epmm_cve_2023_35082.yaml | 53 ++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 modules/vuln/ivanti_epmm_cve_2023_35082.yaml diff --git a/modules/vuln/ivanti_epmm_cve_2023_35082.yaml b/modules/vuln/ivanti_epmm_cve_2023_35082.yaml new file mode 100644 index 000000000..6ed6501ea --- /dev/null 
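Review bot: The quoting hunk leaves `regex: ""` with `reverse: true` on the `content` condition; an empty pattern matches any body, so a reversed match on it can never hold and, under `condition_type: and`, the module may never report at all unless nettacker special-cases an empty regex — check this against the engine before release. If the intent is "any 403 regardless of body", drop the `content` condition entirely; if a specific marker is expected, spell it out as the pattern. The enclosing `response` block starts above this hunk.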
+++ b/modules/vuln/ivanti_epmm_cve_2023_35082.yaml @@ -0,0 +1,53 @@ +info: + name: ivanti_epmm_cve_2023_35082_vuln + author: OWASP Nettacker team + severity: 9.8 + description: CVE-2023-35082 is an authentication bypass in Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core + reference: + - https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older + - https://www.cisa.gov/news-events/alerts/2024/01/18/cisa-adds-one-known-exploited-vulnerability-catalog + - https://www.helpnetsecurity.com/2024/01/19/exploited-cve-2023-35082/ + - https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/ + profiles: + - vuln + - vulnerability + - http + - high_severity + - cve + - ivanti + - ivanti_epmm + - cisa_kev + +payloads: + - library: http + steps: + - method: get + timeout: 3 + headers: + User-Agent: "{user_agent}" + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/{{paths}}" + prefix: "" + suffix: "" + interceptors: + data: + paths: + - "mifs/asfV3/api/v2/ping" + schema: + - "http" + - "https" + ports: + - 80 + - 443 + response: + condition_type: and + conditions: + status_code: + regex: "200" + reverse: false + content: + regex: "vspVersion" + reverse: false From 07cc9945c7b81e8e75f4868e4c2c0ad40e272032 Mon Sep 17 00:00:00 2001 From: Sam Stepanyan Date: Sat, 20 Jan 2024 20:22:25 +0000 Subject: [PATCH 20/23] New Module: Ivanti ICS Last Patched Date scan Signed-off-by: Sam Stepanyan --- modules/scan/ivanti_ics_lastpatcheddate.yaml | 48 ++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 modules/scan/ivanti_ics_lastpatcheddate.yaml diff --git a/modules/scan/ivanti_ics_lastpatcheddate.yaml b/modules/scan/ivanti_ics_lastpatcheddate.yaml new file mode 100644 index 000000000..b7aec241a --- /dev/null +++ b/modules/scan/ivanti_ics_lastpatcheddate.yaml 
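Review bot: `severity: 9.8` is paired with the `high_severity` profile, while the other new vuln modules in this series put 9 and 9.1 under `critical_severity`, so the modules disagree on where the critical band begins; change this to `- critical_severity` or document the mapping used. `cisa_kev` is introduced here as a new profile tag without being applied to the other modules, so either note that it is a first use or plan to apply it consistently. `author: OWASP Nettacker team` also differs in case from `OWASP Nettacker Team` used by the sibling modules.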
@@ -0,0 +1,48 @@ +info: + name: ivanti_ics_lastpatcheeddate_scan + author: OWASP Nettacker Team + severity: 3 + description: Ivanti ICS Last Patched Date Scan + reference: + profiles: + - scan + - http + - ivanti + - low_severity + +payloads: + - library: http + steps: + - method: head + timeout: 3 + headers: + User-Agent: "{user_agent}" + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/dana-na/css/ds.js" + prefix: "" + suffix: "" + interceptors: + data: + schema: + - "http" + - "https" + ports: + - 80 + - 443 + response: + condition_type: and + log: "response_dependent['headers']['Last-Modified']" + conditions: + status_code: + regex: "200" + reverse: false + headers: + Last-Modified: + regex: .* + reverse: false + Content-Type: + regex: "javascript" + reverse: false From c5956ba9df869c846164ada610a469f156b6b8cc Mon Sep 17 00:00:00 2001 From: Sam Stepanyan Date: Sat, 20 Jan 2024 20:50:45 +0000 Subject: [PATCH 21/23] Update ivanti_ics_lastpatcheddate.yaml Signed-off-by: Sam Stepanyan --- modules/scan/ivanti_ics_lastpatcheddate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/scan/ivanti_ics_lastpatcheddate.yaml b/modules/scan/ivanti_ics_lastpatcheddate.yaml index b7aec241a..6357856f7 100644 --- a/modules/scan/ivanti_ics_lastpatcheddate.yaml +++ b/modules/scan/ivanti_ics_lastpatcheddate.yaml @@ -1,5 +1,5 @@ info: - name: ivanti_ics_lastpatcheeddate_scan + name: ivanti_ics_lastpatcheddate_scan author: OWASP Nettacker Team severity: 3 description: Ivanti ICS Last Patched Date Scan From 93d05aff284bf75c6c3242c15b467e162750e1b4 Mon Sep 17 00:00:00 2001 From: Sam Stepanyan Date: Sat, 20 Jan 2024 21:15:12 +0000 Subject: [PATCH 22/23] New Module: Ivanti EPMM Last Patched Date Scan Signed-off-by: Sam Stepanyan --- modules/scan/ivanti_epmm_lastpatcheddate.yaml | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 modules/scan/ivanti_epmm_lastpatcheddate.yaml 
diff --git a/modules/scan/ivanti_epmm_lastpatcheddate.yaml b/modules/scan/ivanti_epmm_lastpatcheddate.yaml new file mode 100644 index 000000000..641645f0c --- /dev/null +++ b/modules/scan/ivanti_epmm_lastpatcheddate.yaml @@ -0,0 +1,48 @@ +info: + name: ivanti_epmm_lastpatcheeddate_scan + author: OWASP Nettacker Team + severity: 3 + description: Ivanti EPMM Last Patched Date Scan + reference: + profiles: + - scan + - http + - ivanti + - low_severity + +payloads: + - library: http + steps: + - method: head + timeout: 3 + headers: + User-Agent: "{user_agent}" + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/mifs/css/pages/userlogin.css" + prefix: "" + suffix: "" + interceptors: + data: + schema: + - "http" + - "https" + ports: + - 80 + - 443 + response: + condition_type: and + log: "response_dependent['headers']['Last-Modified']" + conditions: + status_code: + regex: "200" + reverse: false + headers: + Last-Modified: + regex: .* + reverse: false + Content-Type: + regex: "css" + reverse: false From bf457463500a1a877364f50d3ca0501b735ca9cf Mon Sep 17 00:00:00 2001 From: Sam Stepanyan Date: Sat, 20 Jan 2024 21:24:40 +0000 Subject: [PATCH 23/23] Update ivanti_epmm_lastpatcheddate.yaml Signed-off-by: Sam Stepanyan --- modules/scan/ivanti_epmm_lastpatcheddate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/scan/ivanti_epmm_lastpatcheddate.yaml b/modules/scan/ivanti_epmm_lastpatcheddate.yaml index 641645f0c..3d37b3b0d 100644 --- a/modules/scan/ivanti_epmm_lastpatcheddate.yaml +++ b/modules/scan/ivanti_epmm_lastpatcheddate.yaml @@ -1,5 +1,5 @@ info: - name: ivanti_epmm_lastpatcheeddate_scan + name: ivanti_epmm_lastpatcheddate_scan author: OWASP Nettacker Team severity: 3 description: Ivanti EPMM Last Patched Date Scan