Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/114280151477152127">Will Dormann (wdormann@infosec.exchange)'s status on Saturday, 12-Apr-2025 01:16:44 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><a href="https://infosec.exchange/@wdormann/114275557601801461" rel="in-reply-to">in reply to</a></div></section><article><p>And <a href="https://labs.watchtowr.com/is-the-sofistication-in-the-room-with-us-x-forwarded-for-and-ivanti-connect-secure-cve-2025-22457/" rel="nofollow">per the excellent folks at watchTowr</a>, we can see what the vulnerability is:<br>A stack buffer overflow in X-Forwarded-For</p><p>No need to find a specific endpoint or do something clever. Simply make a web request to anywhere on an ICS system with a large X-Forwarded-For HTTP header and you'll get a stack buffer overflow on the system.  🤦♂️</p><p>And due to the fact that the Ivanti web server does a fork() without a corresponding exec(), we get the same memory layout every single time.</p><p>Now, about Ivanti's use of remediated... The function where the overflow happens just happens to have been rewritten in a way that avoids the overflow.</p><p>Did Ivanti recognize the possibility of a stack buffer overflow and not recognize it as a security issue? Or did they just happen to change code to accidentally avoid the overflow (and decide to use exploit mitigations as well).</p><p>You decide...</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4840199#notice-9556522">In conversation</a><time datetime="2025-04-12T01:16:44+09:00" title="Saturday, 12-Apr-2025 01:16:44 JST">about a month ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/114280151477152127" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/114280151477152127">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4449398">dmesg on ICS showing web process crash multiple times with same IP and SP addresses each time</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/280/140/413/280/971/original/0ad30e70a74288ae.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/280/140/413/280/971/original/0ad30e70a74288ae.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4449399">Curl with long X-Forwarded-For field
schannel: server closed abruptly</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/280/141/105/205/085/original/68fe07f0072d0c64.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/280/141/105/205/085/original/68fe07f0072d0c64.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4449400">Vulnerable code segment</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/281/708/474/807/766/original/d238035bd107bc9f.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/281/708/474/807/766/original/d238035bd107bc9f.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4449401">"remediated" function</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/280/146/260/123/934/original/dccbbd6e0aa12435.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/280/146/260/123/934/original/dccbbd6e0aa12435.png</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Saturday, 12-Apr-2025 01:16:44 JST Will Dormann
in reply to
And per the excellent folks at watchTowr, we can see what the vulnerability is:
A stack buffer overflow in X-Forwarded-For
No need to find a specific endpoint or do something clever. Simply make a web request to anywhere on an ICS system with a large X-Forwarded-For HTTP header and you'll get a stack buffer overflow on the system. 🤦♂️
And due to the fact that the Ivanti web server does a fork() without a corresponding exec(), we get the same memory layout every single time.
Now, about Ivanti's use of remediated... The function where the overflow happens just happens to have been rewritten in a way that avoids the overflow.
Did Ivanti recognize the possibility of a stack buffer overflow and not recognize it as a security issue? Or did they just happen to change code to accidentally avoid the overflow (and decide to use exploit mitigations as well).
You decide...
In conversationabout a month ago from infosec.exchangepermalink
Attachments

Public

Embed Notice

HTML Code

Corresponding Notice