2d4d / complete_cve_2019-19781 at commit e35ebcc (Jan 15, 2020)
```yaml
title: Citrix Netscaler Attack CVE-2019-19781
description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
id: ac5a6409-8c89-44c2-8d64-668c29a2d756
references:
    - https://support.citrix.com/article/CTX267679
    - https://support.citrix.com/article/CTX267027
    - https://isc.sans.edu/diary/25686
    - https://twitter.com/mpgn_x64/status/1216787131210829826
    - https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md
author: Arnim Rupp, Florian Roth
status: experimental
date: 2020/01/02
modified: 2020/01/15
logsource:
    category: webserver
    description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
detection:
    selection:
        c-uri-path:
            - '*/../vpns/*'
            - '*/vpns/cfg/smb.conf'
            - '*/vpns/portal/scripts/*.pl*'
    condition: selection
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Unknown
level: critical
```
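As an added example (not part of the rule above or of the SigmaHQ repository), the Python below applies the rule's three `c-uri-path` patterns to a few constructed access-log lines and returns the rule's `fields` for each hit. The combined log format, the single percent-decoding pass before matching, and the script name `script.pl` are assumptions; the rule itself matches the path exactly as the web server logged it.

```python
import fnmatch
import re
from urllib.parse import unquote

# Patterns copied from the rule's c-uri-path selection; Sigma '*' maps to fnmatch '*'.
C_URI_PATH_PATTERNS = [
    "*/../vpns/*",
    "*/vpns/cfg/smb.conf",
    "*/vpns/portal/scripts/*.pl*",
]

# Constructed sample lines in combined log format (no vhost column, so that field is omitted).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:10:01:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1024
203.0.113.10 - - [11/Jan/2020:10:01:05 +0000] "POST /vpn/../vpns/portal/scripts/script.pl HTTP/1.1" 200 512
198.51.100.7 - - [11/Jan/2020:10:02:00 +0000] "GET /vpns/cfg/smb.conf HTTP/1.1" 403 0
198.51.100.7 - - [11/Jan/2020:10:02:10 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/logout.pl HTTP/1.1" 404 0
192.0.2.5 - - [11/Jan/2020:10:03:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048
192.0.2.5 - - [11/Jan/2020:10:03:30 +0000] "GET /robots.txt HTTP/1.1" 200 64
"""

LOG_RE = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<response>\d{3})'
)


def uri_path(url):
    """Drop the query string and percent-decode once.

    Assumption: the log stores the raw request-URI, so an encoded '..'
    would otherwise slip past the literal '../' in the first pattern.
    """
    return unquote(url.split("?", 1)[0])


def matches_rule(path):
    """True if the (decoded) path matches any c-uri-path pattern of the rule."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in C_URI_PATH_PATTERNS)


def scan(log_text):
    """Return client_ip, url and response (the rule's fields) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and matches_rule(uri_path(m["url"])):
            hits.append({"client_ip": m["client_ip"], "url": m["url"], "response": m["response"]})
    return hits
```

The third and fourth sample lines show why the rule also lists direct paths and why `logout.pl` hits even though the rule's own description marks it as the one non-exploitable script: the match is on the path alone, so triage uses the `response` field.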