Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-19781 PoC — Citrix Application Delivery Controller和Citrix Systems Gateway 路径遍历漏洞

Source
https://github.com/zgelici/CVE-2019-19781-Checker
Associated Vulnerability
Title:Citrix Application Delivery Controller和Citrix Systems Gateway 路径遍历漏洞 (CVE-2019-19781)
Description:Citrix Systems NetScaler Gateway(Citrix Systems Gateway)和Citrix Application Delivery Controller(ADC)都是美国思杰系统(Citrix Systems)公司的产品。Citrix Systems NetScaler Gateway是一套安全的远程接入解决方案。该方案可为管理员提供应用级和数据级管控功能,以实现用户从任何地点远程访问应用和数据。Citrix Application Delivery Controll
Description
Check your website for CVE-2019-19781 Vulnerable
Readme
# CVE-2019-19781-Checker
Check your website for CVE-2019-19781 Vulnerable

#VISIT https://citrix-checker.com TO CHECK IF YOU ARE VULNERABLE FOR CVE-2019-19781 


PLEASE USE OUR CHECKER TWO TIMES TO BE SURE


This website gives you the results if your service is vulnerable for CVE-2019-19781. There is a responder policy to mitigate the issue until there is a permanent fix.

To apply the fix login to the console or access it with putty and login. Default username: nsroot default password: nsroot

You can run the following codes after you succesfully logged in:
- enable ns feature responder
- add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
- add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
- bind responder global ctx267027 1 END -type REQ_OVERRIDE
- save config

You can also apply it on the management interface by running the next commands:
- shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
- shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot


There is a few ways to identify that your maybe compromized or atleast a victim. Login again to the console or terminal and run the next commands and you will see dates + random files(like DxzXvx.xml) created.
shell
- ls -l /netscaler/portal/templates/
- ls -l /netscaler/portal/scripts/
- ls -l /var/tmp/netscaler/portal/templates/
- ls -l /var/vpn
- ls -l /var/vpns
- ls -l /etc/crontab
- cat  /etc/crontab


Not verified solution but perhaps it can minimize the effect:
Login to NS
start with: shell
chmod -R 700 /netscaler/portal/templates/
chmod -R 700 /netscaler/portal/scripts/
chmod -R 700 /var/tmp/netscaler/portal/templates/
chmod -R 700 /var/vpn/bookmark

chown -R root:wheel /netscaler/portal/templates/
chown -R root:wheel /netscaler/portal/scripts/
chown -R root:wheel /var/tmp/netscaler/portal/templates/
chown -R root:wheel /var/vpn/bookmark

The default permissions are mostly
- drwxr-xr-x 3 root wheel
or
- drwxr-xr-x 4 nobody wheel

There are also pentesters/white(ethical hackers)/grey hats which are also exploiting to see the impact and show companies that they are vulnerable.


We are using the vulnerability checker code of Trustedsec which is made by Rob Simon and David Kennedy.
If there is any questions you can contact info@senux-it.nl
File Snapshot

 [4.0K]  /data/pocs/3fd8c35a634e42cb3692b5cd504dc4f9627b11b1
└── [2.4K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.