47 changes: 47 additions & 0 deletions src/pentesting-web/command-injection.md
Expand Up @@ -94,6 +94,50 @@ Notes:
- Look for the same helper under other prefixes (e.g., `/mifs/c/aftstore/fob/`).
- Arithmetic contexts treat unknown tokens as variable/array identifiers, so this bypasses simple metacharacter filters.

### Exposed configuration command parsers in appliance APIs

Some appliances expose an **internal configuration bus** over HTTP. If a controller accepts one raw string and forwards it into a privileged parser that tokenizes data into fields like `command`, `module`, `xpath`, and `value`, treat it as a **command DSL** rather than as a normal form parameter. A dangerous shape is:

- unauthenticated route → `handleMessage(message)`
- tokenization with `StringTokenizer` / `split()` into control fields
- support for privileged verbs such as `execute`, `test`, `import`, `export`
- attacker-controlled `xpath`/XML objects reaching a native or reflection-backed bridge

### Hunting workflow

1. **Patch-diff WAR/JAR files** and prioritize changed controllers and service handlers.
2. **Rebuild the full route** from the container context plus framework mappings (for example `/mics` + controller path + method path).
3. **List accepted verbs** and follow the one that maps to execution (`EXECUTE`, `RUN`, `TEST`, etc.).
4. If the patch replaces user input with a **hardcoded internal command**, reuse that constant as the payload template against the vulnerable build.

### Real-world payload shape

In Ivanti Sentry / MobileIron Sentry, the vulnerable `message` parameter was parsed into `command module xpath value` and the `execute` verb routed into an XML-backed native execution path. A minimal probe looked like:

```http
POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1
Content-Type: application/x-www-form-urlencoded

message=execute system /configuration/system/commandexec <commandexec><index>1</index><reqandres>uname -a</reqandres></commandexec>
```

Why this shape matters:

- `execute` selects the execution branch
- `system` selects the module handler
- `/configuration/system/commandexec` resolves the XML object
- `<reqandres>` carries the OS command
- successful exploitation returns command output inside the JSON/XML response wrapper

### Patch-introduced constants can document the exploit grammar

A useful reversing trick is to inspect the **patched** controller and look for newly hardcoded constants. If the fix stops trusting `message` and instead sends a fixed internal command such as `/bin/cat /sys/devices/virtual/dmi/id/product_name`, the constant often reveals the exact grammar expected by the vulnerable parser. In practice, replacing only the final command is often enough to build a working probe.

### Quick triage ideas

- Compare vulnerable vs patched behavior on the same route: old builds may return command output in JSON, while fixed builds often return a redirect (`302`) or a generic auth failure because the vendor added an Apache/front-end auth gate.
- When reviewing code, treat reflection helpers such as `executeNativeCommand()` or `excuteModuleMethod()` as **privilege bridges**: HTTP input may not call `/bin/sh` directly, but it can still reach native module methods that do.

### Parameters

Here are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities (from [link](https://twitter.com/trbughunters/status/1283133356922884096)):
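Review bot: The "Real-world payload shape" and "Quick triage ideas" sections never name the CVE or the fixed build, so a reader cannot tell which Sentry versions the `/mics/api/v2/sentry/mics-config/handleMessage` probe and the "302 / auth gate" comparison apply to; state the CVE-2026-10520 / CVE-2026-10523 identifiers and the fixed version from the Ivanti advisory listed in the references, and point the triage bullet at the watchTowr detection artefact generator so defenders have a documented, non-destructive way to check exposure. Two smaller points: confirm the spelling of `excuteModuleMethod()` against the decompiled class (if it is the real method name, say so; otherwise fix the typo), and consider keeping "Exposed configuration command parsers in appliance APIs" as the generic pattern while nesting the hunting workflow, payload shape, patch-constant and triage material under a single `### Ivanti Sentry` heading, since four sibling H3s inserted ahead of the existing `### Parameters` section read as unrelated topics.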
Expand Down Expand Up @@ -287,5 +331,8 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject
- [HTB: Gavel](https://0xdf.gitlab.io/2026/03/14/htb-gavel.html)
- [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py)
- [Unit 42 – Bash arithmetic expansion RCE in Ivanti RewriteMap scripts](https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/)
- [watchTowr Labs – Ivanti Sentry pre-auth OS command injection (CVE-2026-10520)](https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/)
- [Ivanti Security Advisory – Ivanti Sentry CVE-2026-10520 / CVE-2026-10523](https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US)
- [watchTowr Detection Artefact Generator – Ivanti Sentry RCE / Auth Bypass](https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523)

{{#include ../banners/hacktricks-training.md}}
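Review bot: None of the three new references is cited from the new Sentry sections earlier in this file, so the `handleMessage` payload shape and the "vendor added an Apache/front-end auth gate" claim in "Quick triage ideas" remain unsourced where they appear; add an inline link to the watchTowr write-up where the probe is introduced and to the Ivanti advisory where the patched behaviour is described. Minor: drop the `?language=en_US` query string from the advisory URL so the reference stays stable across locales.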