Ivanti Endpoint Manager
cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*
- <= 2022 SU6
- <= 2024
A DLL hijacking vulnerability has been identified in Ivanti Endpoint Manager (EPM) versions 2022 SU6 and prior, as well as in EPM 2024 prior to the first service update. It allows an authenticated attacker to escalate privileges to the SYSTEM level. The issue arises because the EPM Security Scan (Vulscan) Self Update feature creates a scheduled task that runs with SYSTEM privileges and attempts to load certain ZIP files from the ProgramData directory. If these files are missing, a low-privileged user can create them and include a malicious DLL, which is then executed with elevated privileges. Because the task runs on a regular schedule, the planted DLL also serves as a persistent backdoor.
Exploitation of this vulnerability allows for local privilege escalation, with the attacker gaining SYSTEM-level access.
The vulnerability can be reproduced by creating a ZIP file named 'RebootBehavior_Apply.zip' and placing it in the 'C:\ProgramData\vulScan' directory. This ZIP file should contain a DLL named 'RebootBehavior_Apply.dll' that includes a 'PreApplyBehavior' function designed to execute a command, such as creating a new user with administrative privileges. Once the ZIP file is in place, the scheduled task 'LANDESK Agent Health Bootstrap Task' can be triggered. This task will run the 'vulscan.exe' binary, which will check for the presence of the ZIP file, unzip it, and load the DLL into memory. The malicious DLL will then execute the embedded commands, resulting in the creation of a new user with admin rights.
Users can upgrade to Ivanti Endpoint Manager 2024 SU2 or Ivanti Endpoint Manager 2022 SU8, both of which include the necessary patch. Instructions for downloading these updates are available on the Ivanti License System.
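A read-only triage check for the artifacts named above, added here as an example; it is not Ivanti's code and not part of the original advisory. It uses the directory, archive and task names quoted on this page. The list of trusted SIDs is an assumption to adapt to your environment.

```powershell
# Added defensive check (not Ivanti code). Read-only: nothing is changed or deleted.
$dir      = 'C:\ProgramData\vulScan'                # directory named in the advisory
$zipName  = 'RebootBehavior_Apply.zip'              # archive named in the advisory
$taskName = 'LANDESK Agent Health Bootstrap Task'   # task named in the advisory

# Assumption: only SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544)
# should be able to create or modify files in this directory.
$trustedSids = @('S-1-5-18', 'S-1-5-32-544')
$sidType     = [System.Security.Principal.SecurityIdentifier]
# WriteData/AppendData plus the raw GENERIC_WRITE and GENERIC_ALL bits.
$writeMask   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData' -bor
               0x40000000 -bor 0x10000000

if (-not (Test-Path -LiteralPath $dir)) {
    Write-Output "$dir not found; nothing to check."
    return
}

# 1. Allow ACEs that let a principal outside the trusted list write into the directory.
$weakAces = (Get-Acl -LiteralPath $dir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
    ($trustedSids -notcontains $_.IdentityReference.Translate($sidType).Value)
} | Select-Object IdentityReference, FileSystemRights, IsInherited

# 2. The archive itself: owner, creation time and hash, for review.
$zipPath = Join-Path $dir $zipName
$zipInfo = if (Test-Path -LiteralPath $zipPath) {
    $item = Get-Item -LiteralPath $zipPath
    [pscustomobject]@{
        Path       = $item.FullName
        Owner      = (Get-Acl -LiteralPath $zipPath).Owner
        CreatedUtc = $item.CreationTimeUtc
        SHA256     = (Get-FileHash -LiteralPath $zipPath -Algorithm SHA256).Hash
    }
}

# 3. The scheduled task that triggers vulscan.exe, and the account it runs as.
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }

Write-Output 'Write access held by principals outside the trusted list:'
$weakAces | Format-Table -AutoSize
Write-Output 'Archive present in the directory:'
$zipInfo | Format-List
Write-Output 'Scheduled task:'
$task | Format-List
```

An archive owned by an account other than SYSTEM or Administrators, or a write ACE for a standard-user group on the directory, is the condition to investigate on hosts that have not yet received the fixed release.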