
Add citrix_directory_traversal module to /modules/auxiliary/scanner/h… #12813

Merged
merged 3 commits into from Jan 14, 2020

Conversation

kalba-security (Contributor) commented Jan 11, 2020

About

This change adds a new module to /modules/auxiliary/scanner/http/ that can be used to verify whether or not a web server is vulnerable to CVE-2019-19781 - a directory traversal in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. For more info about this vulnerability, see: https://nvd.nist.gov/vuln/detail/CVE-2019-19781

Vulnerable System

Citrix ADC (NetScalers) systems vulnerable to directory traversal (CVE-2019-19781).

Verification Steps

  1. Select a webserver to target.
  2. Do: use auxiliary/scanner/http/citrix_directory_traversal
  3. Do: set RHOSTS [target IP or hostname]
  4. Do: run
  5. The module will issue an HTTP GET request for [TARGET]/vpn/../vpns/cfg/smb.conf. If HTTP response code 200 is received, it will indicate that the target is vulnerable to CVE-2019-19781.

Options

  1. Proxies . This option is not set by default.
  2. RPORT . The default setting is 80. To use: set RPORT [target port, default is 80]
  3. SSL . The default setting is false.
  4. THREADS . The default setting is 1.
  5. VHOST . This option is not set by default.

Scenarios

msf5 auxiliary(scanner/http/citrix_directory_traversal) > run

[*] Found 127.0.0.1/vpn/../vpns/cfg/smb.conf.
[+] The target is vulnerable to CVE-2019-19781.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@wvu-r7 wvu-r7 self-assigned this Jan 12, 2020
@space-r7 space-r7 added the needs-docs label Jan 13, 2020
@wvu-r7 wvu-r7 mentioned this pull request Jan 13, 2020
wvu-r7 (Contributor) commented Jan 13, 2020

Hi! Thanks for this. We'll be making some final changes to the module and landing with #12816, using this module as the exploit's check method, if possible. I'll let you know when I'm ready to merge this. Thanks!

kalba-security (Contributor, Author) commented Jan 13, 2020

Hi! Thanks for your message. Please let us know if we can help with additional documentation or anything else at this stage. And it would indeed be great if you could keep us updated about when and in what form you will be including the module. Thanks in advance!

wvu-r7 (Contributor) commented Jan 13, 2020

@kalba-security: If you could write module documentation, that would be a task off my list.

FYI, there are some sweeping functional and stylistic changes that need to be done in order to merge this. I'll keep you posted before anything hits master, but we have a bit of a deadline here. Thank you.

```ruby
# Module metadata fragment from the PR as reviewed (the rest of the
# initialize body is not shown on this page)
def initialize
  super(
    'Name' => 'Citrix ADC Directory Traversal',
    'Description' => 'This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC (NetScalers). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of a "global" variable in smb.conf, which this file should always contain.',
```

wvu-r7 (Contributor) commented on the code above, Jan 13, 2020

I've updated the code to check for global, since this check is not currently present. Please stand by until I can push my commits for viewing. Thanks!

kalba-security (Contributor, Author) commented Jan 13, 2020

wvu-r7 (Contributor) commented Jan 13, 2020

@kalba-security: Feel free to push the docs! Thanks!

wvu-r7 (Contributor) commented Jan 13, 2020

You ROCK! Thank you so much. I'll update the docs if the code changes can be reflected.

wvu-r7 (Contributor) commented Jan 13, 2020

Here is the updated code: master...wvu-r7:pr/12813. I'm happy to explain and justify anything. I will need to merge all of this in the next couple hours.

altjx (Contributor) commented Jan 13, 2020

Looks good!!! @wvu-r7. Quick question, we're not allowed to put email addresses or Twitter handles in by chance are we? Can't remember if that was restricted or not.

kalba-security (Contributor, Author) commented Jan 13, 2020

Yeah looks great @wvu-r7!! In the documentation I already referenced the global check you added btw.

wvu-r7 (Contributor) commented Jan 13, 2020

@altjx: Nope, but it's okay to tack them on as a comment! What Twitter handles do y'all want to use? It's easier to avoid conflicts if I make the commit. Sorry for the situation. :(

wvu-r7 (Contributor) commented Jan 13, 2020

Btw, we're planning to convert all CVE references to NVD soon enough, since CVE Details has been... lacking. So I removed the NVD URL reference for now.

altjx (Contributor) commented Jan 13, 2020

Sounds great! We can use the following:

No worries! I'm on a plane anyway so I wouldn't be able to do it LOL. Thanks so much!

wvu-r7 (Contributor) commented Jan 13, 2020

I've improved the smb.conf check and added a PATH option. There are many traversal options, including obfuscation...

altjx (Contributor) commented Jan 13, 2020

Gotcha!

wvu-r7 added a commit that referenced this pull request Jan 14, 2020
@wvu-r7 wvu-r7 merged commit c30cd8e into rapid7:master Jan 14, 2020
3 checks passed:
  - Metasploit Automation - Sanity Test Execution: successfully completed all tests.
  - Metasploit Automation - Test Execution: successfully completed all tests.
  - continuous-integration/travis-ci/pr: the Travis CI build passed.
wvu-r7 (Contributor) commented Jan 14, 2020

Release Notes

This adds a scanner for CVE-2019-19781, a directory traversal vulnerability in Citrix ADC (NetScaler).

msjenkins-r7 added a commit that referenced this pull request Jan 14, 2020
wvu-r7 (Contributor) commented Jan 14, 2020

Commits I've added:

f1cc40b
d7deb4e
94b6b6d
332afe8
3354e69
4ac7f81
99235c7

Thanks again!

wvu-r7 (Contributor) commented Jan 14, 2020

Off to finish #12816!

wvu-r7 (Contributor) commented Jan 14, 2020

altjx (Contributor) commented Jan 14, 2020

Thanks so much!! @wvu-r7 I apologize, but I typo'd my Twitter handle. It should have been @altonjx. Sorry about that.

wvu-r7 (Contributor) commented Jan 14, 2020

Doh! No problem, let me fix that for ya.

altjx (Contributor) commented Jan 14, 2020

Thanks again!! 🙏🏽

wvu-r7 added a commit that referenced this pull request Jan 14, 2020
wvu-r7 (Contributor) commented Jan 14, 2020

All fixed. :-)

msjenkins-r7 added a commit that referenced this pull request Jan 14, 2020

Because vulnerable servers allow for directory traversal, they will accept the request `GET /vpn/../vpns/` and process it as a request for `GET /vpns/`, a directory that contains Perl scripts that can be targeted to allow for limited file writing on the vulnerable host.

This module checks if a target server is vulnerable by issuing an HTTP GET request for `/vpn/../vpns/cfg/smb.conf` and then checking the response for `global`, since this configuration file should contain global variables. If `global` is found, the server is vulnerable to CVE-2019-19781.

bcoles (Contributor) commented Jan 14, 2020 with a suggested change (original line, then suggestion):
This module checks if a target server is vulnerable by issuing an HTTP GET request for `/vpn/../vpns/cfg/smb.conf`and then checking the response for `global`since this configuration file should contain global variables. If ``global``is found, the server is vulnerable to CVE-2019-19781.
This module checks if a target server is vulnerable by issuing an HTTP GET request for `/vpn/../vpns/cfg/smb.conf`and then checking the response for `global` since this configuration file should contain global variables. If `global` is found, the server is vulnerable to CVE-2019-19781.
1. `Proxies` . This option is not set by default.
2. `RPORT` . The default setting is `80`. To use: `set RPORT [PORT]`
3. `SSL` . The default setting is `false`.
4. `THREADS` . The default setting is `1`.
5. `VHOST` . This option is not set by default.
bcoles (Contributor) commented on lines 24 to 28 of the documentation, Jan 14, 2020

This formatting is inconsistent with existing documentation. See examples:

```ruby
'Erik Wynter',
'altonjx',
```
bcoles (Contributor) commented on lines 21 to 22 of the module, Jan 14, 2020

Traditionally, the author's role is provided in comments. ie:

```ruby
[
  'someone', # discovery and PoC
  'someone else', # metasploit
]
```

wvu-r7 (Contributor) commented Jan 14, 2020

This one's fair.

wvu-r7 (Contributor) commented Jan 14, 2020

Addressing over in #12816.

wvu-r7 (Contributor) commented Jan 14, 2020

@bcoles: Please review against master. Added commits are in #12813 (comment). I wasn't able to push to their branch, and a PR wouldn't make my deadline. If you have further changes, I would appreciate a PR!

bcoles (Contributor) commented Jan 14, 2020

> @bcoles: Please review against master. Added commits are in #12813 (comment). I wasn't able to push to their branch, and a PR wouldn't make my deadline. If you have further changes, I would appreciate a PR!

A case statement seems a little ridiculous for a single branch conditional. Future proofing?

Also, `turi.to_s.end_with?('smb.conf')` would be preferred over a regex for readability.

wvu-r7 (Contributor) commented Jan 14, 2020

Yes, future-proofing. Indeed ridiculous for a single branch. I have other cases I would like to add, but I reached a deadline.

ETA: It was originally just if and end_with?. Agreed that it read better!

wvu-r7 (Contributor) commented Jan 14, 2020

Screw it. I added the PATH option. Reverted to if/end_with? over in #12816.

wvu-r7 added a commit that referenced this pull request Jan 14, 2020
msjenkins-r7 added a commit that referenced this pull request Jan 14, 2020