Advisory CVE-2020-13770 – Ivanti Unified Endpoint Manager named pipe token impersonation privilege escalation

by | Nov 11, 2020 | Jumpsec, Research

Software: Ivanti Unified Endpoint Manager
Affected Versions: <= 2020.1.1
Vendor page: www.ivanti.com
CVE Reference: CVE-2020-13770
Published: 11/11/2020
CVSS 3.1 Score: 8.8 – AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau

Summary

Several services are accessing named pipes with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to escalate privileges from a local standard or service account having SeImpersonatePrivilege (eg. user ‘NT AUTHORITY\NETWORK SERVICE’).

Mitigation

There is currently no fix for this issue. The vendor has yet to release a patch to address the vulnerability; it is advised to review the host configuration and monitor for suspicious activity.

Technical details

The process of exploiting the vulnerability consists in creating a named pipe server, waiting for the vulnerable service to connect to it as a client, extract the client’s token and use it to perform privileged actions as ‘NT AUTHORITY\SYSTEM’. As there can only be one server-side named pipe object, to exploit the vulnerability it might be required to create the named pipe object before the legitimate process does, or alternatively kill it or cause it to crash.

The following named pipe client processes and named pipe objects are affected on version <=2020.1.1:

Pipe name: \\.\pipe\SQLLocal\ldmsdata
Server process: C:\Program Files\Microsoft SQL Server\MSSQL13.LDMSDATA\MSSQL\Binn\sqlservr.exe
Client processes:

  • C:\PROGRA~1\LANDesk\MANAGE~1\landesk\SAM\SamServer\bin\SAM.O365PS_Routines.exe
  • C:\Program Files\LANDesk\LDClient\LDdevmon.exe
  • C:\Program Files\LANDesk\ManagementSuite\AlertService.exe
  • C:\Program Files\LANDesk\ManagementSuite\BrokerService.exe
  • C:\Program Files\LANDesk\ManagementSuite\ManagedPlanet.Core.Barcode.exe
  • C:\Program Files\LANDesk\ManagementSuite\SchedQry.exe
  • C:\Program Files\LANDesk\ManagementSuite\MDMManagementService.exe
  • C:\Program Files\LANDesk\ManagementSuite\commands.service.exe
  • C:\Program Files\LANDesk\ManagementSuite\CoreSyncService.exe
  • C:\Program Files\LANDesk\ManagementSuite\ManagedPlanet.RapidDeploy.Service.exe
  • C:\Program Files\LANDesk\ManagementSuite\MPCore.exe
  • C:\Program Files\LANDesk\ManagementSuite\LDInv32.exe
  • C:\Program Files\LANDesk\ManagementSuite\SchedSvc.exe
  • C:\Program Files\LANDesk\ManagementSuite\ManagedPlanet.Common.DBMonitorService.exe
  • C:\Program Files\LANDesk\ManagementSuite\ManagedPlanet.Common.SoftwareManager.exe
  • C:\Program Files\LANDesk\ManagementSuite\ManagedPlanet.DiscoveryServices.Core.exe

Timeline

28/05/2020: Issue reported to the vendor
01/06/2020: Vendor acknowledged the issues
02/06/2020: CVE number assigned from MITRE
13/07/2020: 90 days notice period for disclosure given to the vendor
11/11/2020: Advisory published by JUMPSEC

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.

GitHub Activity

 

Follow JUMPSECLabs

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.

You may also like…

Detecting known DLL hijacking and named pipe token impersonation attacks with Sysmon

Recently we posted a bunch of advisories relating to Ivanti Unified Endpoint Manager, a couple of which are for vulnerabilities which can be used to achieve local privilege escalation. We will give a brief explanation of the vulnerabilities and an example of Sysmon configuration rules to log exploitation attempts, along with the rationale behind them so you can adapt them to your existing configuration if needed.

Advisory CVE-2020-13769 – Ivanti Unified Endpoint Manager SQL injection

A number of web components in Endpoint Manager do not properly sanitize user input when executing SQL queries, leaving the application vulnerable to injection attacks towards the underlying database. On a standard installation with default options, the account used to query the database is database administrator.

Share This