At the end of last year, a Positive Technologies expert discovered CVE-2019-19781 in Citrix ADC software, a vulnerability that allows an unauthenticated user to execute arbitrary operating system commands.

Around 80 thousand companies worldwide were at risk. The situation is aggravated by the fact that Citrix ADC sits on the boundary between the organization's external and internal networks. After exploiting the vulnerability, an attacker therefore immediately gains a foothold on the company's internal network and can mount further attacks on the private network segment.

In today's article the author of the study analyzes the vulnerability in more detail: how it was discovered and how it is exploited. Let's go!

What is Citrix ADC


Citrix ADC is a software-defined application delivery and load balancing solution designed to improve the performance of traditional, cloud and web applications wherever they are hosted. Such controllers are already most widespread in the IT and telecom industries. According to forecasts, by 2023 demand for ADCs will grow among financial and insurance companies.

How serious is it


Threat intelligence monitoring revealed that at least 80,000 companies in 158 countries are potentially vulnerable. At the time the vulnerability was discovered, the top five countries by number of such organizations were the United States of America (the absolute leader: more than 38% of all vulnerable organizations are located there), Germany, the United Kingdom, the Netherlands and Australia.

Russia ranked 26th by total number of potentially vulnerable companies across business sectors, with more than 300 organizations in total. Kazakhstan and Belarus ranked 44th and 45th by number of vulnerable companies, respectively.

As of February 2020, the top countries by number of potentially vulnerable organizations were Brazil (43% of the number of companies in which the vulnerability was originally identified), China (39%), Russia (35%), France (34%), Italy (33%) and Spain (25%). The United States, Great Britain and Australia showed the best progress in eliminating the vulnerability: in those countries, 21% of the companies originally identified were still using vulnerable devices and had taken no protective measures.

Discovery and Exploitation


At the very beginning of the study, during black-box analysis of Citrix ADC, I found that path traversal lets an unauthorized user reach static files that are otherwise not accessible without authorization (/vpn/../vpns/style.css).

The behavior described above interested me, so I decided to find the Citrix ADC image, run it locally (thanks for the help to my colleague Yuri Aleinov) and continue the study with full access to the application source code.

First of all, I analyzed the Apache web server config (/etc/httpd.conf), which is responsible for this application's web interface. In it, paths matching the pattern "/vpns/portal/scripts/.*\.pl$" are handled by ModPerl::Registry. It turns out that Perl scripts from the /netscaler/portal/scripts/ folder can be executed without authorization.

After that, I began to analyze the scripts that can be called by requesting /vpn/../vpns/portal/scripts/[scriptName].pl.

Almost every script calls the csd function of the NetScaler::Portal::UserPrefs module (/netscaler/portal/modules/NetScaler/Portal/UserPrefs.pm). The function works with the HTTP headers NSC_USER and NSC_NONCE. Nothing interesting is done with the second header, but the value of the NSC_USER header is used as a file name. If the file (whose name was passed as the value of NSC_USER) does not exist, it is created with a certain structure; if it already exists, it is parsed and the $doc variable is populated from it.

It turns out that if we use path traversal in the file name, we can create a file with the ".xml" extension in any directory of the file system where we have write permissions. To check this, send the string "../../../../tmp/myTestFile" as the value of the NSC_USER header and look for the file in the /tmp/ directory.

At this stage we can create a file with the ".xml" extension, but we cannot yet control its contents.

Let's turn to the script newbm.pl, which is also located in the directory of interest. This script accepts POST parameters and writes the values of the "url", "title" and "desc" parameters to a file (whose name is taken from the NSC_USER header).

Now it is possible not only to create XML files in arbitrary locations but also to partially control their contents.

To continue on the path to RCE, we return to the web server config and note that another path (/vpns/portal/) is handled by NetScaler::Portal::Handler (/netscaler/portal/modules/NetScaler/Portal/Handler.pm).

The handler function takes the part of the path after the last "/" as a file name, looks for it in the /netscaler/portal/templates/ folder and tries to render that file with the Template Toolkit library.

So if we can place our file in the templates folder, we can also have it rendered.

Further exploitation is complicated by the fact that Template Toolkit runs in a mode in which Perl code cannot be executed by the usual means. For example, the [% PERL %] directive cannot be used.

Given these restrictions, I decided to look for vulnerabilities in the library's standard plugins. Consider the "Datafile" plugin (/usr/local/lib/perl5/site_perl/5.14.2/mach/Template/Plugin/Datafile.pm). The file is quite small, so the call to the standard open function with two arguments stands out immediately. Such usage is unsafe and can lead to RCE.

We try to exploit the vulnerability locally; as a check, we create the file testRCE in the /tmp/ folder.

At this point we can create files in arbitrary locations on the system and partially control their contents, and we have a vulnerability in the Template Toolkit library. We combine all of this to achieve arbitrary command execution as an unauthorized user.

We create a file in the templates folder whose rendering leads to code execution and creates a web shell.

Then we render this file.

We call the web shell created earlier and execute an arbitrary OS command.

How to defend yourself


Citrix has issued recommendations for addressing this vulnerability. The vendor also recommends that users immediately update all vulnerable software versions to the recommended ones.

Companies can use application-level firewalls to block a possible attack. For example, PT Application Firewall detects such an attack "out of the box"; for real-time protection the system should be switched to the mode that blocks dangerous requests. Given the vulnerability's long lifespan (it has existed since the release of the first vulnerable software version, that is, since 2014), retrospective detection of possible exploitation (and, accordingly, of infrastructure compromise) is also advisable.

Users of PT Network Attack Discovery can use dedicated rules, available since December 18, 2019, that detect attempts to exploit this vulnerability over the network.
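As an added example of the retrospective detection recommended above (not PT's rules and not code from the article), the following Python scans Apache-style access log lines for the two request shapes the article describes: a path that only reaches /vpns/ through traversal segments, and requests to Perl scripts under /vpns/portal/scripts/. The log lines are constructed, and the two signatures are derived from the article's description rather than from any vendor rule set.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not real Citrix ADC logs).
# Lines 1-3 are ordinary portal traffic; lines 4-6 have the request shapes
# described in the article: traversal from /vpn/ into /vpns/ and hits on the
# Perl scripts under /vpns/portal/scripts/, once in percent-encoded form.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2019:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
203.0.113.5 - - [20/Dec/2019:10:01:03 +0000] "GET /vpn/images/logo.png HTTP/1.1" 200 2048
203.0.113.5 - - [20/Dec/2019:10:01:04 +0000] "POST /vpn/login HTTP/1.1" 302 0
198.51.100.7 - - [20/Dec/2019:10:05:00 +0000] "GET /vpn/../vpns/style.css HTTP/1.1" 200 1337
198.51.100.7 - - [20/Dec/2019:10:05:01 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 33
198.51.100.7 - - [20/Dec/2019:10:05:02 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 33
"""

# Common log format: client, identd, user, [timestamp], "METHOD target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decoded_path(target):
    """Request path without query string, percent-decoded but not normalized."""
    return unquote(target.split("?", 1)[0])


def canonical_path(target):
    """The path as the file system will resolve it ('..' and '.' collapsed)."""
    return posixpath.normpath("/" + decoded_path(target).lstrip("/"))


def classify(target):
    """Return the reasons (possibly none) a request looks like CVE-2019-19781 activity."""
    raw, canon = decoded_path(target), canonical_path(target)
    reasons = []
    # Signal 1: the path only reaches /vpns/ by way of traversal segments.
    if canon.startswith("/vpns/") and raw != canon:
        reasons.append("path traversal resolving into /vpns/")
    # Signal 2: a Perl script in the directory that ModPerl::Registry serves
    # without authentication.
    if canon.startswith("/vpns/portal/scripts/") and canon.endswith(".pl"):
        reasons.append("request to a Perl script under /vpns/portal/scripts/")
    return reasons


def scan(log_text):
    """Scan a log text and return one finding per suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real tool would count these
        reasons = classify(m["target"])
        if reasons:
            findings.append({
                "line": lineno,
                "ip": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),
                "path": canonical_path(m["target"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['status']} {f['path']}: {'; '.join(f['reasons'])}")
```

Percent-decoding before normalizing is what makes the third suspicious line match; to the web server, "%2e%2e" is the same traversal. Standard access logs record only the request line, so the NSC_USER header that carries the file name is visible only in WAF or proxy logs that capture headers. The file system is the other place to look retrospectively: the technique leaves .xml files in directories such as the templates folder, so unexpected files there are worth reviewing.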

Author: Mikhail Klyuchnikov (@__mn1__), Positive Technologies

Timeline


  • December 5, 2019: reported to Citrix
  • December 19, 2019: Citrix released mitigation steps