Skip to content

More Evidence That Words Don’t Mean What We Thought They Mea...#2357

Open
carlospolop wants to merge 1 commit into
masterfrom
update_More_Evidence_That_Words_Don_t_Mean_What_We_Thou_463345dcfac6cea8
Open

More Evidence That Words Don’t Mean What We Thought They Mea...#2357
carlospolop wants to merge 1 commit into
masterfrom
update_More_Evidence_That_Words_Don_t_Mean_What_We_Thou_463345dcfac6cea8

Conversation

@carlospolop

@carlospolop carlospolop commented Jun 10, 2026

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Ivanti Sentry pre-authenticated OS command injection: CVE-2026-10520

The post analyzes CVE-2026-10520, a pre-authenticated OS command injection vulnerability in Ivanti Sentry / MobileIron Sentry before R10.5.2, R10.6.2, and R10.7.1. Ivanti described the impact as allowing a remote unauthenticated attacker to achieve root-level remote code execution, with a CVSS score of 10.0.

Ivanti also disclosed CVE-2026-10523, an Auth...

🔧 Technical Details

Patch diffing to find exposed execution sinks: Compare vulnerable and patched appliance packages, especially WAR/JAR files, to identify changed controller logic. In this case, diffing mics.war showed that only mics-core-10.5.1-R10.5.1.jar changed to mics-core-10.5.2-R10.5.2.jar. The changed code was in mics-core/com/mi/middleware/rest/controller/ConfigServiceController.java. Reconstructing the route from the Tomcat context /mics, the Spring controller mapping /api/v2/sentry/mics-config, and the method mapping /handleMessage produced the attack surface: /mics/api/v2/sentry/mics-config/handleMessage.

Abusing exposed configuration command parsers: If an unauthenticated web endpoint accepts a raw string and passes it into an internal configuration service, treat that string as a possible DSL or command language. Here, message is tokenized into co...

🤖 Agent Actions

Done.

Updated

  • src/pentesting-web/command-injection.md

What I added

A new section covering the reusable technique behind the Ivanti Sentry bug:

  • exposed configuration command parsers / internal command DSLs
  • how to patch-diff WAR/JARs to recover hidden execution routes
  • how to identify command/module/xpath/value parsers
  • how patched hardcoded constants can reveal exploit grammar
  • a concise Ivanti Sentry payload shape example
  • quick triage notes on 302/auth-gate behavior and reflection-backed execution bridges

Why this location

I chose the existing Command Injection page instead of creating a new Ivanti-specific page, because the useful addition is the general technique: HTTP-exposed internal config-command execution leading to OS command execution.

References added

  • watchTowr blog
  • Ivanti advisory
  • watchTowr detection repo

Validation

  • Reviewed diff: only one file changed.
  • Tried mdbook build, but mdbook is not installed in this environment (mdbook: command not found).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

carlospolop commented Jun 10, 2026

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting > 80,443 - Pentesting Web Methodology > Ivanti Sentry / MobileIron Sentry, or Pentesting Web > Command Injection".

Repository Maintenance:

  • MD Files Formatting: 977 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@carlospolop