Menu

Search for hundreds of thousands of exploits

"Citrix Command Center - Credential Disclosure"

Author

Exploit author

"Han Sahin"

Platform

Exploit platform

xml

Release date

Exploit published date

2015-03-19

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Abstract


It was discovered that Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. Unauthenticated attackers can download any configuration file stored in this folder, decode passwords stored in these files, and gain privileged access to devices managed by Command Center.

Tested version


This issue was discovered in Citrix Command Center 5.1 build 33.3 (including patch CC_SP_5.2_40_1.exe), other versions may also be vulnerable.

Fix


Citrix reports that this vulnerability is fixed in Command Center 5.2 build 42.7, which can be downloaded from the following location (login required).
https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html

Citrix assigned BUG0493933 to this issue.

Introduction


Citrix Command Center is a management and monitoring solution for Citrix application networking products. Command Center enables network administrators and operations teams to manage, monitor, and troubleshoot the entire global application delivery infrastructure from a single, unified console.

Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. No access control is enforced on this folder, an unauthenticated attacker can download any configuration file stored in this folder.

Details


Configuration files can be downloaded from the conf web folder. Below is an example of a configuration file that can be obtained this way.

https://<target>:8443/conf/securitydbData.xml

This files contains encoded passwords, for example:

<DATA ownername="NULL" password="C70A0eE9os9T2z" username="root"/>


These passwords can be decoded trivially. The algorithm used can be found in the JAR file NmsServerClasses.jar. For example the encoded password C70A0eE9os9T2z decodes to SECURIFY123. The credentials stored in these files can than be used to gain privileged access to devices managed by Command Center.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-07-07 "Microsoft Windows mshta.exe 2019 - XML External Entity Injection" remote xml hyp3rlinx
2020-05-05 "BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection" webapps xml "Daniel Martinez Adan"
2020-02-07 "ExpertGPS 6.38 - XML External Entity Injection" webapps xml "Trent Gordon"
2020-01-22 "Citrix XenMobile Server 10.8 - XML External Entity Injection" webapps xml "Jonas Lejon"
2020-01-20 "Easy XML Editor 1.7.8 - XML External Entity Injection" local xml "Javier Olmedo"
2020-01-09 "MSN Password Recovery 1.30 - XML External Entity Injection" local xml ZwX
2019-12-04 "Microsoft Visual Basic 2010 Express - XML External Entity Injection" local xml ZwX
2019-12-03 "Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass" local xml hyp3rlinx
2019-12-02 "Microsoft Excel 2016 1901 - XML External Entity Injection" local xml hyp3rlinx
2019-12-02 "Visual Studio 2008 - XML External Entity Injection" local xml hyp3rlinx
Release Date Title Type Platform Author
2017-05-01 "HideMyAss Pro VPN Client for macOS 3.x - Local Privilege Escalation" local macos "Han Sahin"
2017-05-01 "HideMyAss Pro VPN Client for OS X 2.2.7.0 - Local Privilege Escalation" local osx "Han Sahin"
2017-03-01 "WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting" webapps php "Han Sahin"
2016-07-11 "WordPress Plugin Activity Log 2.3.1 - Persistent Cross-Site Scripting" webapps php "Han Sahin"
2016-04-27 "EMC ViPR SRM - Cross-Site Request Forgery" webapps multiple "Han Sahin"
2015-09-10 "Synology Video Station 1.5-0757 - Multiple Vulnerabilities" webapps cgi "Han Sahin"
2015-03-19 "EMC M&R (Watch4net) - Directory Traversal" webapps java "Han Sahin"
2015-03-19 "EMC M&R (Watch4net) - Credential Disclosure" webapps java "Han Sahin"
2015-03-19 "Citrix Nitro SDK - Command Injection" webapps linux "Han Sahin"
2015-03-19 "Citrix Command Center - Credential Disclosure" webapps xml "Han Sahin"
2015-03-18 "Websense Appliance Manager - Command Injection" webapps java "Han Sahin" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected