POC details: f98f99119dc2f85e623e7d5ab5269bee93f0d5bb

Source
Related vulnerability
Title: Citrix Application Delivery Controller and Citrix Systems Gateway path traversal vulnerability (CVE-2019-19781)
Description: Citrix Systems NetScaler Gateway (Citrix Systems Gateway) and Citrix Application Delivery Controller (ADC) are both products of Citrix Systems, a US company. Citrix Systems NetScaler Gateway is a secure remote access solution. It gives administrators application-level and data-level control so that users can remotely access applications and data from any location. Citrix Application Delivery Controll
Description
Indicator of Compromise Scanner for CVE-2019-19781
Introduction
# Indicator of Compromise Scanner for CVE-2019-19781

This repository contains a utility for detecting compromises of Citrix ADC Appliances related to CVE-2019-19781.
The utility, and its resources, encode indicators of compromise collected during FireEye Mandiant investigations.
To learn more, please [read the blog announcing this tool's release](https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-and-citrix-tool-scans-for-iocs-related-to-vulnerability.html).

In summary the utility will:

  - do a best effort job at identifying existing compromise.

It will *not*:

  - identify a compromise 100% of the time, or
  - tell you if a device is vulnerable to exploitation.

With community feedback, the tool may become more thorough in its detection.
Please [open an issue](https://github.com/fireeye/ioc-scanner-CVE-2019-19781/issues),
 [submit a PR](https://github.com/fireeye/ioc-scanner-CVE-2019-19781/pulls),
 or [contact the authors](mailto:citrix-ioc-scanner-support@fireeye.com) if you have problems, ideas, or feedback.

#### Download the standalone tool from the [Releases tab](https://github.com/fireeye/ioc-scanner-CVE-2019-19781/releases/latest/) of this repository. 

## Features

This scanner can identify:

  - [web server log](./scanners/access-logs.sh) entries indicating successful exploitation
  - [file system paths](./scanners/fs-paths.sh) of known malware
  - post-exploitation activity in [shell history](./scanners/shell-history.sh)
  - known [malicious terms](./scanners/netscaler-content.sh) in NetScaler directories
  - [unexpected modification](./scanners/netscaler-content.sh) of NetScaler directories
  - unexpected [crontab entries](./scanners/crontab.sh)
  - unexpected [processes](./scanners/processes.sh)
  - [ports](./scanners/ports.sh) used by known malware


## Details

The Indicator of Compromise (IoC) Scanner for CVE-2019-19781 was jointly developed by 
 FireEye Mandiant and Citrix based on knowledge gleaned from incident response engagements related to exploitation of CVE-2019-19781.
The goal of the scanner is to analyze available log sources and system forensic artifacts to
 identify evidence of successful exploitation of CVE-2019-19781.
There are limitations in what the tool will be able to accomplish,
 and therefore, executing the tool should not be considered a guarantee that a system is free of compromise.
For example, log files on the system with evidence of compromise may have truncated/rolled,
 the system may have been rebooted,
 an attacker may have tampered with the system to remove evidence of compromise,
 and/or installed a rootkit that masks evidence of compromise, etc.

The output of this tool will fall into one of three categories:

  1. Evidence of compromise. This is what the tool reports in its default mode.
     Any evidence that falls into this category indicates that a device was successfully compromised.
     This could be anything from executing commands that disclose information (e.g. viewing the `ns.conf` or `smb.conf` configuration files),
      to installing a backdoor (e.g. NOTROBIN, a coin miner, etc.),
      or dropping a Perl-based web shell.

  2. Evidence of successful vulnerability scanning
     (by either an authorized system administrator or an unauthorized attacker).
     Any evidence that falls into this category indicates the system was in a vulnerable state (e.g. the mitigation had not been applied)
      and that at least the first step to exploit CVE-2019-19781 was successful.

  3. Evidence of failed vulnerability scanning.
     Any evidence that falls into this category indicates that attempts to scan or exploit the system failed.

This tool is not guaranteed to find all evidence of compromise, or all evidence of compromise related to CVE-2019-19781.
If indications of compromise are identified on systems, organizations should perform a forensic examination of the compromised system to determine the scope and extent of the incident.
This tool is offered AS IS and without warranty.
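The three categories above, worked through as an added example that is not part of the scanner (its own `access-logs.sh`, `successful-scanning.sh` and `failed-exploitation.sh` carry the real patterns): a POSIX shell classifier run over constructed `httpaccess.log` lines. The request paths, methods and status codes it keys on are assumptions drawn from public reporting on CVE-2019-19781, not from this repository, and the sample lines are made up.

```shell
#!/bin/sh
# Added example; not the scanner's own access-logs.sh. Classifies Citrix ADC
# httpaccess.log lines into the evidence categories described above.
#
# The request shapes below are assumptions drawn from public reporting on
# CVE-2019-19781, not from this repository's signature set:
#   - the traversal is visible in the logged path as "/vpn/../vpns/..."
#   - 200 on a POST to /vpns/portal/scripts/<x>.pl (template written) or a
#     GET of /vpns/portal/<x>.xml (template rendered)    -> compromise
#   - 200 on any other traversal request (e.g. cfg/smb.conf) -> successful scan
#   - 403/404 on a traversal request                         -> failed scan

# Constructed sample lines in Apache combined format; not real evidence.
SAMPLE_LOG='203.0.113.5 - - [11/Jan/2020:03:14:15 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "curl/7.64.0"
203.0.113.5 - - [11/Jan/2020:03:14:16 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "-" "curl/7.64.0"
203.0.113.5 - - [11/Jan/2020:03:14:17 +0000] "GET /vpn/../vpns/portal/bflxohnzbv.xml HTTP/1.1" 200 512 "-" "curl/7.64.0"
198.51.100.9 - - [11/Jan/2020:04:01:00 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "python-requests/2.22.0"
192.0.2.77 - - [11/Jan/2020:05:00:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# classify_line LINE -> compromise | successful-scan | failed-scan | other | benign
classify_line() {
    # The request line sits between the first pair of double quotes; the status
    # code is the first token after the closing quote.
    printf '%s\n' "$1" |
    awk -F'"' '{ split($2, r, " "); split($3, s, " "); print r[1], r[2], s[1] }' |
    {
        read -r method path status
        case "$path" in
        */vpns/*|*/../*)                      # traversal visible in the path
            case "$status" in
            200)
                case "$method $path" in
                "POST "*/vpns/portal/scripts/*.pl|"GET "*/vpns/portal/*.xml)
                    echo compromise ;;
                *)  echo successful-scan ;;
                esac ;;
            403|404) echo failed-scan ;;
            *)       echo other ;;            # e.g. 5xx: traversal seen, outcome unclear
            esac ;;
        *)  echo benign ;;                    # ordinary /vpn/ traffic, or not a request line
        esac
    }
}

# summarize_log < LOGFILE -> one line of per-category counts
summarize_log() {
    c=0; s=0; f=0; o=0; b=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$(classify_line "$line")" in
        compromise)      c=$((c + 1)) ;;
        successful-scan) s=$((s + 1)) ;;
        failed-scan)     f=$((f + 1)) ;;
        other)           o=$((o + 1)) ;;
        *)               b=$((b + 1)) ;;
        esac
    done
    printf 'compromise=%d successful-scan=%d failed-scan=%d other=%d benign=%d\n' \
        "$c" "$s" "$f" "$o" "$b"
}

# Stand-alone run over the constructed sample. On an appliance or a mounted
# image, feed /var/log/httpaccess.log (under the image root) instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

A traversal request that returns 200 counts as compromise only when it writes or renders a template; a bare read such as `cfg/smb.conf` stays in the scanning category, which is the distinction the default reporting mode relies on. Where this toy logic and the scanner's own pattern list disagree, trust the scanner.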


## Usage

You should download the standalone Bash script from the 
 [Releases tab](https://github.com/fireeye/ioc-scanner-CVE-2019-19781/releases/latest/)
 of this repository. 
Copying the source directory to a Citrix ADC Appliance is possible but not recommended.

The IoC Scanner can be run directly on a Citrix ADC Appliance.
In this mode, the tool will scan files, processes, and ports for known indicators.
The tool writes diagnostic messages to the STDERR stream and results to the STDOUT stream.
In typical usage, you should redirect STDOUT to a file for review.
The tool must be run as `root` in live mode on a Citrix ADC Appliance.

For example:

```sh
$ sudo bash ./ioc-scanner-CVE-2019-19781-v1.1.sh > "/tmp/results-$(date).txt"
```

The tool is designed to be used with the following products:

  - Citrix ADC and Citrix Gateway version 13.0 
  - Citrix ADC and Citrix Gateway version 12.1 
  - Citrix ADC and Citrix Gateway version 12.0 
  - Citrix ADC and Citrix Gateway version 11.1 
  - Citrix ADC and Citrix Gateway version 10.5 
  - Citrix SD-WAN WANOP software and appliance models 4000, 4100, 5000, and 5100 

The IoC Scanner can also inspect a mounted forensic image.
In this scenario, pass a command line argument specifying the path to the image root directory.
You don't have to be root to run in offline mode.

For example:

```sh
$ bash ./ioc-scanner-CVE-2019-19781-v1.1.sh /mnt/path/to/evidence/root/
```

In both modes, the tool will extract supporting code into a temporary directory; this directory will be deleted upon termination of the script.
The tool does not make further changes to the system, although it may cause log entries to be generated.

Like all forensic analysis, prefer offline analysis against a `dd` image to live response.
This will eliminate the likelihood that the tool causes relevant evidence to be overwritten.
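The two invocation modes above, as an added example that is not the scanner's `fs-paths.sh` or `crontab.sh`: one POSIX shell function that takes an optional image root, so the same check runs live against `/` (root required) or offline against a mount point. The paths and globs are assumptions read off this repository's test fixtures (`tests/file-system`, `tests/crontab`), not the tool's full indicator list.

```shell
#!/bin/sh
# Added example; not the scanner's fs-paths.sh or crontab.sh. One check that
# serves both modes described above: live against "/" (must run as root) or
# offline against the mount point of a forensic image, selected purely by the
# optional ROOT argument.
#
# The paths and globs are assumptions read off this repository's test fixtures
# (tests/file-system, tests/crontab); the tool's own scanners carry the
# authoritative list.
KNOWN_PATHS='/var/tmp/netscalerd
/tmp/bsd
/tmp/un
/var/cron/tabs/nobody'
KNOWN_GLOBS='/var/vpn/theme/*.php
/var/vpn/theme/*_y.pl'

# scan_known_paths [ROOT]
# stdout: one line per hit, "<path under root> <ls -ld of the file>"
# stderr: diagnostics. Exit 0 = no hits, 1 = hits found, 2 = usage error.
scan_known_paths() {
    root=${1:-/}
    root=${root%/}                      # "" for "/", so "$root$path" joins cleanly
    if [ -z "$root" ] && [ "$(id -u)" -ne 0 ]; then
        echo "live mode must run as root (see Usage)" >&2
        return 2
    fi
    [ -z "$root" ] || [ -d "$root" ] || { echo "no such image root: $root" >&2; return 2; }

    hits=0
    # Exact paths: an existence test only; nothing on the image is executed.
    for p in $KNOWN_PATHS; do
        if [ -e "$root$p" ]; then
            printf '%s %s\n' "$p" "$(ls -ld "$root$p")"
            hits=$((hits + 1))
        fi
    done
    # Globs: keep them literal (set -f) until the root prefix is attached, then
    # let the shell expand under the image root. An unmatched glob stays
    # literal, hence the existence re-test.
    set -f
    for g in $KNOWN_GLOBS; do
        set +f
        for f in "$root"$g; do
            [ -e "$f" ] || continue
            printf '%s %s\n' "${f#"$root"}" "$(ls -ld "$f")"
            hits=$((hits + 1))
        done
    done
    set +f
    echo "scanned ${root:-/}: $hits hit(s)" >&2
    [ "$hits" -eq 0 ]
}

# Stand-alone: pass the image root as the argument, e.g.
#   sh ./scan-known-paths.sh /mnt/path/to/evidence/root/ > results.txt
# or "/" (as root) to scan the live appliance.
[ $# -eq 0 ] || scan_known_paths "$1"
```

Results go to stdout and diagnostics to stderr, mirroring the convention the scanner itself uses, so `> results.txt` captures only the findings. The non-zero exit on hits lets a wrapper that runs the check over many images stop on the first one that needs a full forensic examination.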

Please review the [Frequently Asked Questions](https://github.com/fireeye/ioc-scanner-CVE-2019-19781/wiki/Frequently-Asked-Questions) for further details.

## Contributing

As you invent further ways to identify compromise, please consider contributing to this IoC Scanner.
We would like to provide the most thorough and correct scanner possible.

The primary goal is to report high confidence indicators of compromise.
Because users may rely on the output of this tool to initiate further investigation, it's important that we don't send them on a wild goose chase.
Therefore, activity such as simple scanning should not be reported in the default mode.
Any evidence of an actor gaining access to the system, fetching information, or creating content should always be reported.


### Design

We provide this tool as a Bash script because it's a common denominator across Citrix ADC Appliances.
Here's the feature matrix for Citrix ADC releases:

| NetScaler Version | OS          | Languages available |
|-------------------|-------------|---------------------|
| 13.0              | FreeBSD 8.4 | Bash, Perl, Python  |
| 12.1              | FreeBSD 8.4 | Bash, Perl, Python  |
| 12.0              | FreeBSD 8.4 | Bash, Perl, Python  |
| 11.1              | FreeBSD 8.4 | Bash, Perl          |
| 10.5              | FreeBSD 8.4 | Bash, Perl          |
| 10.1              | FreeBSD 6.3 | Bash, Perl          |
| 9.3               | FreeBSD 6.3 | Bash, Perl          |

Although we've seen malware use Go to target FreeBSD/NetScaler, Go does not support FreeBSD 6.x.


### Testing

We maintain sparse file system images containing evidence of compromise in the `./tests/` directory.
As you add IoCs to this tool, such as known paths or blacklisted content, please provide examples of the evidence for testing.

You can run the unit tests on a Linux or macOS system like so:

```sh
$ bash ./tests/test.sh
runnning test:  access-logs
runnning test:    xml-template
runnning test:  crontab
runnning test:    var-cron-tabs-nobody
runnning test:  error-logs
runnning test:  file-system
runnning test:    netscalerd
runnning test:    notrobin-tmp-init
runnning test:    notrobin-var-nstmp-nscache
runnning test:  ns-content
runnning test:    chr-encoded-template
runnning test:    copied-ns-conf
runnning test:    curl-in-template
runnning test:    perms
runnning test:    var-tmp-netscaler-portal-templates
runnning test:    var-vpn-bookmark
runnning test:    webshell-in-scripts
runnning test:  shell-history
runnning test:    bash_log
runnning test:    notice_log
```


### Building

Once you've checked out the source repository, you can build a standalone script using the `./build.sh` tool.
This packages the primary script and supporting resources into a single bundle.
Upon execution, it will extract to a temporary directory, execute from there, and then clean up.

To build:

```sh
$ bash ./build.sh > ioc-scanner-CVE-2019-19781-rev$(git rev-parse HEAD | cut -c 1-8).sh
```
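How a self-extracting single-file bundle of this kind works, as an added example that is not the repository's `build.sh` (which has its own layout): a builder that appends a base64-encoded tar of a source tree to a fixed header, producing a script that unpacks itself into a `mktemp` directory, runs an entry script from there, and removes the directory on exit. The `__PAYLOAD__` marker and the entry-script argument are this example's own conventions.

```shell
#!/bin/sh
# Added example; not this repository's build.sh. Shows the shape of a
# self-extracting single-file bundle as described above: a fixed header
# followed by a marker line and a base64-encoded tar of the source tree.
# When run, the bundle unpacks into a mktemp directory, runs an entry script
# from there, and deletes the directory on exit. The __PAYLOAD__ marker and
# the ENTRY_SCRIPT argument are conventions of this example only.

# build_bundle SRC_DIR ENTRY_SCRIPT > bundle.sh
# SRC_DIR is packed whole; ENTRY_SCRIPT is a path relative to SRC_DIR, e.g.
#   build_bundle ./src ioc-scanner-CVE-2019-19781.sh > bundle.sh
build_bundle() {
    src=$1; entry=$2
    [ -f "$src/$entry" ] || { echo "entry script not found: $src/$entry" >&2; return 2; }
    # Header: everything the bundle needs before the payload. Quoted delimiter,
    # so nothing in it expands at build time.
    cat <<'HEADER'
#!/bin/sh
# Self-extracting bundle: the lines after __PAYLOAD__ are a base64-encoded tar.
set -eu
tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT          # clean up on normal exit and on failure
trap 'exit 130' INT TERM           # turn signals into an exit so the trap above fires
sed '1,/^__PAYLOAD__$/d' "$0" | base64 -d | tar -xf - -C "$tmp"
HEADER
    # Run from the extracted tree in a subshell (no exec, or the EXIT trap would
    # never run), forwarding the bundle's arguments. ${1+"$@"} is the portable
    # form of "$@" under set -u for shells that reject an empty "$@".
    printf '(cd "$tmp" && sh ./%s ${1+"$@"})\n' "$entry"
    echo '__PAYLOAD__'
    tar -cf - -C "$src" . | base64
}
```

Run the result by path (`sh ./bundle.sh /mnt/path/to/evidence/root/`), not via stdin, because the header locates its payload through `$0`. Running the entry script in a subshell rather than `exec`ing it is what lets the `EXIT` trap delete the extracted tree, which is the clean-up behaviour this section describes.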

## Further Reading
For additional information from FireEye regarding CVE-2019-19781 and in-the-wild exploitation, please see:
* [Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)](https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html) - published on January 14, 2020
* [404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor](https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html) - published on January 16, 2020

The response to CVE-2019-19781 has been a significant effort across the security industry and these blogs heavily cite additional contributions that will be of value to users of this tool. We recommend reading the linked material from these posts to best understand activity in your environment.
As always, the FireEye Mandiant team is available to answer follow-up questions or to further assist on an investigation [by contacting us here](https://www.fireeye.com/company/incident-response.html).
File snapshot

```
[4.0K] /data/pocs/f98f99119dc2f85e623e7d5ab5269bee93f0d5bb
├── [3.2K] build.sh
├── [5.3K] FAQ.md
├── [ 14K] ioc-scanner-CVE-2019-19781.sh
├── [ 11K] LICENSE.txt
├── [9.7K] README.md
├── [4.0K] scanners
│   ├── [2.7K] access-logs.sh
│   ├── [1.3K] cron-history.sh
│   ├── [ 344] crontab.sh
│   ├── [1.4K] error-logs.sh
│   ├── [1.3K] failed-exploitation.sh
│   ├── [3.4K] fs-paths.sh
│   ├── [7.9K] netscaler-content.sh
│   ├── [ 757] ports.sh
│   ├── [ 763] processes.sh
│   ├── [4.2K] shell-history.sh
│   └── [1.3K] successful-scanning.sh
├── [4.0K] tests
│   ├── [4.0K] access-logs
│   │   ├── [4.0K] buffaloverflow
│   │   │   └── [4.0K] var
│   │   │       └── [4.0K] log
│   │   │           └── [ 294] httpaccess.log
│   │   ├── [4.0K] query-params
│   │   │   └── [4.0K] var
│   │   │       └── [4.0K] log
│   │   │           └── [ 296] httpaccess.log
│   │   └── [4.0K] xml-template
│   │       └── [4.0K] var
│   │           └── [4.0K] log
│   │               └── [ 280] httpaccess.log
│   ├── [4.0K] cron-history
│   │   ├── [4.0K] ci-sh
│   │   │   └── [4.0K] var
│   │   │       └── [4.0K] log
│   │   │           └── [ 656] cron
│   │   └── [4.0K] nobody-user
│   │       └── [4.0K] var
│   │           └── [4.0K] log
│   │               └── [ 163] cron
│   ├── [4.0K] crontab
│   │   └── [4.0K] var-cron-tabs-nobody
│   │       └── [4.0K] var
│   │           └── [4.0K] cron
│   │               └── [4.0K] tabs
│   │                   └── [ 509] nobody
│   ├── [4.0K] error-logs
│   │   └── [4.0K] var
│   │       └── [4.0K] log
│   │           └── [7.4K] httperror.log
│   ├── [4.0K] failed-exploitation
│   │   └── [4.0K] var
│   │       └── [4.0K] log
│   │           └── [ 165] httpaccess.log
│   ├── [4.0K] file-system
│   │   ├── [4.0K] apt41
│   │   │   └── [4.0K] tmp
│   │   │       ├── [   0] bsd
│   │   │       └── [   0] un
│   │   ├── [4.0K] netscalerd
│   │   │   └── [4.0K] var
│   │   │       └── [4.0K] tmp
│   │   │           └── [   0] netscalerd
│   │   ├── [4.0K] notrobin-tmp-init
│   │   │   └── [4.0K] tmp
│   │   ├── [4.0K] notrobin-var-nstmp-nscache
│   │   │   └── [4.0K] var
│   │   │       └── [4.0K] nstmp
│   │   ├── [4.0K] notrobin-var-vpn-theme-random
│   │   │   └── [4.0K] var
│   │   │       └── [4.0K] vpn
│   │   │           └── [4.0K] theme
│   │   │               └── [   0] aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
│   │   └── [4.0K] notrobin-var-vpn-theme-y
│   │       └── [4.0K] var
│   │           └── [4.0K] vpn
│   │               └── [4.0K] theme
│   │                   └── [   0] aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_y.pl
│   ├── [4.0K] ns-content
│   │   ├── [4.0K] chr-encoded-template
│   │   │   └── [4.0K] netscaler
│   │   │       └── [4.0K] portal
│   │   │           └── [4.0K] templates
│   │   │               └── [2.8K] bflxohnzbv.xml
│   │   ├── [4.0K] copied-ns-conf
│   │   │   └── [4.0K] netscaler
│   │   │       └── [4.0K] portal
│   │   │           └── [4.0K] templates
│   │   │               └── [  19] copied.conf
│   │   ├── [4.0K] curl-in-template
│   │   │   └── [4.0K] netscaler
│   │   │       └── [4.0K] portal
│   │   │           └── [4.0K] templates
│   │   │               └── [ 351] 1.xml
│   │   ├── [4.0K] perl-webshell
│   │   │   └── [4.0K] netscaler
│   │   │       └── [4.0K] portal
│   │   │           └── [4.0K] scripts
│   │   │               └── [ 755] loadcolorprefs.pl
│   │   ├── [4.0K] perms
│   │   │   ├── [4.0K] netscaler
│   │   │   │   └── [4.0K] portal
│   │   │   │       └── [4.0K] templates
│   │   │   │           └── [ 244] foo.xml
│   │   │   └── [ 266] test.sh_
│   │   ├── [4.0K] var-tmp-netscaler-portal-templates
│   │   │   └── [4.0K] var
│   │   │       └── [4.0K] tmp
│   │   │           └── [4.0K] netscaler
│   │   │               └── [4.0K] portal
│   │   │                   └── [4.0K] templates
│   │   │                       └── [2.8K] bflxohnzbv.xml
│   │   ├── [4.0K] var-vpn-bookmark
│   │   │   └── [4.0K] var
│   │   │       └── [4.0K] vpn
│   │   │           └── [4.0K] bookmark
│   │   │               ├── [2.8K] bflxohnzbv.xml
│   │   │               └── [2.8K] with newline\012.xml
│   │   └── [4.0K] webshell-in-scripts
│   │       └── [4.0K] netscaler
│   │           └── [4.0K] portal
│   │               └── [4.0K] scripts
│   │                   └── [ 181] rmpm.pl
│   ├── [4.0K] shell-history
│   │   ├── [4.0K] bash_log
│   │   │   └── [4.0K] var
│   │   │       └── [4.0K] log
│   │   │           └── [2.8K] bash.log
│   │   ├── [4.0K] bash_log_gz
│   │   │   └── [4.0K] var
│   │   │       └── [4.0K] log
│   │   │           └── [ 490] bash.log.0.gz
│   │   ├── [4.0K] bsd
│   │   │   └── [4.0K] var
│   │   │       └── [4.0K] log
│   │   │           └── [ 152] bash.log
│   │   ├── [4.0K] notice_log
│   │   │   └── [4.0K] var
│   │   │       └── [4.0K] log
│   │   │           └── [ 719] notice.log
│   │   └── [4.0K] sh_log
│   │       └── [4.0K] var
│   │           └── [4.0K] log
│   │               └── [2.8K] sh.log
│   ├── [4.0K] successful-scanning
│   │   └── [4.0K] var
│   │       └── [4.0K] log
│   │           └── [3.2K] httpaccess.log
│   └── [1.3K] test.sh
└── [4.0K] util
    └── [3.1K] get_image_from_remote.sh

104 directories, 47 files
```