Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

70 lines (50 sloc) 2.57 KB
local nmap = require "nmap"
local shortport = require "shortport"
local sslcert = require "sslcert"
local string = require "string"
local vulns = require "vulns"
local http = require "http"
description = [[
CVE-2019-19781
A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that,
if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.
The vulnerability has been assigned the following CVE number:
• CVE-2019-19781 : Vulnerability in Citrix Application Delivery Controller and Citrix Gateway leading to arbitrary code execution
The vulnerability affects all supported product versions and all supported platforms:
• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
]]
author = "Hossam Mohamed @cyberstruggle"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "default", "safe", "discovery" }
dependencies = {"https-redirect"}
portrule = function(host, port)
return shortport.ssl(host, port) or sslcert.isPortSupported(port) or sslcert.getPrepareTLSWithoutReconnect(port)
end
action = function(host, port)
local vuln_status, err
local vuln = {
title = "Remote Code Execution vulnerability in Citrix Application Delivery Controller (ADC)",
IDS = {CVE = 'CVE-2019-19781'},
risk_factor = "HIGH",
description = [[
A critical remote code execution vulnerability exists in Citrix Application Delivery Controller (ADC) CVE-2019-19781.
]],
references = {
'https://support.citrix.com/article/CTX267027'
},
dates = {
disclosure = {year = '2019', month = '12', day = '17'},
}
}
local report = vulns.Report:new(SCRIPT_NAME, host, port)
vuln.state = vulns.STATE.NOT_VULN
local httpresponse1 = http.get(host, port, "/vpn/../vpns/cfg/smb.conf", nil)
if httpresponse1.status == 200 and string.match(httpresponse1.body, "[global]") and string.match(httpresponse1.body,"lmhosts") then
vuln.state = vulns.STATE.VULN
end
return report:make_output(vuln)
end
You can’t perform that action at this time.