POC details: e93acbbc2248cc92650cc141bf5eb96dc0957e84

Related vulnerability
Title: Ivanti ICS authorization vulnerability (CVE-2023-46805)
Description: Ivanti ICS is a remote secure-access product from the US company Ivanti. Ivanti ICS 9.x and 22.x and Ivanti Policy Secure contain an authorization vulnerability caused by an authentication bypass in the web component. An attacker can exploit it to bypass control checks and access restricted resources.
Description
A Python script for examining Ivanti Secure Connect (ICS) event logs, designed to support investigations into vulnerabilities CVE-2025-0282, CVE-2023-46805, and CVE-2024-21887.
Introduction
# Ivanti Secure Connect Logs Parser

This repository provides a Python script designed to convert Ivanti Secure Connect .vc0 log files into CSV format for digital forensics and incident response. In particular, the parser:

- Extracts timestamps from Ivanti log files (notably from `.vc0` files).
- Converts these hexadecimal timestamps into human-readable date/time strings.
- Converts the log entries into a readable CSV.
- Maps each log’s message code to a descriptive message type and message text, based on a reference CSV.

![Script usage example](assets/ivanti_cve_2025_0282_script_usage.png)

The tool was originally developed while investigating CVE-2025-0282 (an unauthenticated RCE vulnerability affecting certain Ivanti appliances). Reports from Mandiant and others indicate that threat actors may remove or alter log entries to hide their activities. By parsing and analyzing these .vc0 files, investigators can more easily spot evidence of compromise, unusual deletions, or other suspicious behavior.

![Threat actor deleting event log entries](assets/ivanti_cve_2025_0282_log_clearing.png)

During multiple incident response engagements involving Ivanti Secure Connect, certain appliances were found to exhibit incomplete or tampered logs—some showed no entries at all until exploitation of CVE-2025-0282 was detected and the appliance was rebooted. Additionally, the built-in integrity checks, which typically run every two hours, may be disabled or altered by an attacker. By converting `.vc0` files into a more user-friendly CSV format, this tool helps investigators identify anomalies, such as missing log entries, unexpected authentication attempts, and potential signs of data manipulation.

![Missing logs detected](assets/ivanti_cve_2025_0282_missing_logs.png)
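The conversion steps listed above and the missing-log check described in the previous paragraph, as an added example that is not the repository's `ics_logs_parser.py`: it assumes a constructed text record layout (hex epoch seconds, message code, message text) and constructed mapping rows, since the real `.vc0` layout is not described here, and it uses the two-hour integrity-check interval the README mentions as the gap threshold.

```python
# Added example, not the project's ics_logs_parser.py. The record layout
# (hex epoch seconds, message code, message text, space-separated) and all
# sample values below are CONSTRUCTED assumptions for illustration.
import csv
import io
from datetime import datetime, timezone

# Mapping rows in the [MessageCode, MessageType, Description] layout (invented).
MAP_CSV = """MessageCode,MessageType,Description
AUT24414,Authentication,User login succeeded
AUT23457,Authentication,User login failed
SYS20005,System,Integrity check completed
"""
# Constructed records; the third sits about 10.5 hours after the second.
SAMPLE_VC0 = """65a13b40 AUT24414 Login succeeded for user alice
65a13c9c AUT23457 Login failed for user bob
65a1d020 SYS20005 Integrity check finished
"""

def load_map(text):
    """Read the mapping CSV into {code: (type, description)}."""
    return {r["MessageCode"]: (r["MessageType"], r["Description"])
            for r in csv.DictReader(io.StringIO(text))}

def hex_ts_to_utc(hex_ts):
    """Hexadecimal epoch seconds -> 'YYYY-MM-DD HH:MM:SS' in UTC."""
    ts = datetime.fromtimestamp(int(hex_ts, 16), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S")

def parse_records(text, code_map):
    """Turn raw records into CSV-ready rows; unmapped codes are kept, not dropped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hex_ts, code, message = line.split(" ", 2)
        msg_type, desc = code_map.get(code, ("Unknown", "Unmapped message code"))
        rows.append({"Timestamp": hex_ts_to_utc(hex_ts), "EpochSeconds": int(hex_ts, 16),
                     "MessageCode": code, "MessageType": msg_type,
                     "Description": desc, "Message": message})
    return rows

def find_gaps(rows, max_gap_seconds=2 * 3600):
    """Flag consecutive records further apart than the integrity-check interval."""
    return [(a["Timestamp"], b["Timestamp"], b["EpochSeconds"] - a["EpochSeconds"])
            for a, b in zip(rows, rows[1:])
            if b["EpochSeconds"] - a["EpochSeconds"] > max_gap_seconds]
```

Rows returned by `parse_records` can be handed to `csv.DictWriter` as-is; a non-empty result from `find_gaps` is a prompt to compare the appliance's integrity-check schedule against what the logs actually show.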

# Usage

```txt
PS F:\Case20250109001> python .\ics_logs_parser.py -h
usage: ics_logs_parser.py [-h] --input INPUT --output OUTPUT --mapfile MAPFILE

Process .vc0 files and convert them to .csv files.

options:
  -h, --help         show this help message and exit
  --input INPUT      Directory containing .vc0 files
  --output OUTPUT    Directory to save .csv files
  --mapfile MAPFILE  CSV file mapping [MessageCode, MessageType, Description]
```

## Example

```txt
python .\ics_logs_parser.py --input "F:\Case20250109001\root_runtime.img\[root]\runtime\logs" --output .\logs\ --mapfile .\logmessages_map.csv
```

- `--input`: Directory containing .vc0 log files extracted from Ivanti Secure Connect.
- `--output`: Directory where the CSVs will be written.
- `--mapfile`: CSV file mapping each message code to a message type and description.

![Converted logfiles](assets/ivanti_cve_2025_0282_csv_output.png)

## Message Codes

`logmessages_map.csv` stores the known message codes and their corresponding message types and descriptions. While this list (sourced from publicly available Ivanti documentation and community research) is extensive, it may not include every message code in existence. We encourage users to review or customize the mapping as needed for their environment. See the Resources section for the original references.

## Timestamps

By default, timestamps are converted to UTC. If you need to localize them or format them differently, you can modify the `datetime.fromtimestamp(...)` call in the `process_subline()` function.

![Timestamp modification](assets/ivanti_cve_2025_0282_timestamp_modification.png)

# Contact

If you have questions, suggestions, or need assistance, feel free to reach out at info@hexastrike.com.

# Resources

- https://github.com/SeizeCyber/Ivanti-Secure-Connect-Logs-Parser
- https://help.ivanti.com/ps/legacy/PPS/9.1Rx/9.1R9/Pulse-Policy-Secure-Error-Message-Guide.pdf
- https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day?hl=en
- https://community.opentext.com/cyberres/arcsight/f/discussions/249775/juniper-vpn-logging---found-document-outlining-juniper-event-ids-and-formats

# Acknowledgements

- David Abrgel for the original PowerShell ICS parser concept and especially for his thorough replacements of non-printable characters in his PowerShell script.
- Jeff Hochberg for compiling the message codes.
- Mandiant and others for their public advisories on CVE-2025-0282.
File snapshot

```txt
[4.0K] /data/pocs/e93acbbc2248cc92650cc141bf5eb96dc0957e84
├── [4.0K] assets
│   ├── [ 57K] ivanti_cve_2025_0282_csv_output.png
│   ├── [312K] ivanti_cve_2025_0282_log_clearing.png
│   ├── [210K] ivanti_cve_2025_0282_missing_logs.png
│   ├── [103K] ivanti_cve_2025_0282_script_usage.png
│   └── [150K] ivanti_cve_2025_0282_timestamp_modification.png
├── [ 11K] ics_logs_parser.py
├── [122K] logmessages_map.csv
└── [4.2K] README.md

1 directory, 8 files
```