trustedsec / cve-2019-19781

This is a tool published for the Citrix ADC (NetScaler) vulnerability. We are only disclosing this due to others publishing the exploit code first.

Path normalization #13

Closed rxwx closed 4 years ago

rxwx commented 4 years ago

The current version of urllib3 normalizes the request path when using the python requests module like this:

requests.get('http://server/vpn/../vpns/newbm.pl')

This will result in the request getting normalised to:

GET /vpns/newbm.pl

The impact is that if you are running the latest urllib3/python3 then the exploit will fail on Virtual IP interfaces but not on management interfaces (since traversal is not required there).

The scanner check won't lead to false negatives, because although the path is normalized, it will still hit the /vpns/ path which is blocked in the mitigation.

The fix is to use PreparedRequests and swap the URL out after normalization:

import requests

# target and targetport are set elsewhere in the script
s = requests.Session()
url = "http://%s:%s/vpn/../vpns/cfg/smb.conf" % (target, targetport)
r = requests.Request(method='GET', url=url)
prep = r.prepare()   # prepare() runs urllib3's URL parsing, which collapses /vpn/../vpns/ to /vpns/
prep.url = url       # restore the un-normalized URL before sending
resp = s.send(prep)
trustedsec commented 4 years ago

We put a requirements.txt downgrading the version to the non-sanitized one as a stopgap due to the newer version normalizing. Had to do with an RFC change in urllib3. I have an open issue out for them but will take a peek at this one to see if it works. Thanks!

rxwx commented 4 years ago

Sounds good, thanks 👍

trustedsec commented 4 years ago

This is an awesome fix. Thank you very much @rxwx. Tested and working. Going through some testing now but will have this committed shortly. Thanks again.

trustedsec commented 4 years ago

Resolved in scanner and exploit. Thanks again for this solution.

    # url, data and headers are built earlier in the exploit (not shown here)
    with requests.Session() as s:
        r = requests.Request(method='POST', url=url, data=data, headers=headers)
        prep = r.prepare()      # prepare() normalizes /vpn/../vpns/ to /vpns/
        prep.url = url          # put the un-normalized URL back before sending
        req = s.send(prep, verify=False)
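The thread turns on one behaviour: urllib3 applies RFC 3986 dot-segment removal before the request leaves the client, so `/vpn/../vpns/newbm.pl` is sent as `/vpns/newbm.pl`, and the server-side mitigation blocks anything under `/vpns/` either way. The following is an added example, not code from the trustedsec repository or from either commenter. It implements that same dot-segment removal in plain Python and uses it from the defender's side: a small access-log check that reports both the raw and the normalized path, so a traversal form and its collapsed form are both visible to whoever reviews the logs. The log lines, the `remove_dot_segments`, `classify_path` and `scan_log` names, and the combined-log format are all assumptions of this example.

```python
"""Added example (not from the trustedsec repo or this issue's commenters):
RFC 3986 dot-segment removal, as urllib3 applies it when normalizing a
request path, used to review access-log lines by both their raw and
their normalized path.  All log lines below are constructed."""
import re
from typing import Dict, List

# Apache/NGINX combined-log request field: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: drop '.' segments, let '..' pop the previous
    segment, never climb above the root.  This is the normalization the
    issue describes, so '/vpn/../vpns/x' becomes '/vpns/x'."""
    absolute = path.startswith('/')
    segments = path.split('/')[1:] if absolute else path.split('/')
    out: List[str] = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == '.':
            if last:
                out.append('')        # trailing '.' keeps the trailing slash
        elif seg == '..':
            if out:
                out.pop()
            if last:
                out.append('')        # trailing '..' keeps the trailing slash
        else:
            out.append(seg)
    return ('/' if absolute else '') + '/'.join(out)


def classify_path(raw_target: str) -> Dict[str, object]:
    """Return both views of a request target plus the two signals a
    responder cares about here: did the client send dot segments at all,
    and does the path, once normalized, land under the blocked /vpns/ tree."""
    path = raw_target.split('?', 1)[0]
    normalized = remove_dot_segments(path)
    return {
        'raw': path,
        'normalized': normalized,
        'dot_segments': normalized != path,
        'hits_vpns': normalized.startswith('/vpns/'),
    }


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag every request that either carried dot segments or resolves
    under /vpns/.  The raw path is kept so the traversal form stays visible
    even though a normalizing client would never have sent it."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        info = classify_path(m.group('target'))
        if info['dot_segments'] or info['hits_vpns']:
            info['method'] = m.group('method')
            findings.append(info)
    return findings


# Constructed sample lines in combined-log format (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2020:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jan/2020:10:00:02 +0000] "GET /vpn/../vpns/newbm.pl HTTP/1.1" 403 0',
    '10.0.0.9 - - [12/Jan/2020:10:00:03 +0000] "POST /vpns/cfg/smb.conf HTTP/1.1" 403 0',
    '10.0.0.7 - - [12/Jan/2020:10:00:04 +0000] "GET /vpn/./logon.html HTTP/1.1" 200 1024',
]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['method']} raw={f['raw']} normalized={f['normalized']} "
              f"dot_segments={f['dot_segments']} hits_vpns={f['hits_vpns']}")
```

Run as-is it reports three of the four constructed lines: the traversal request (dot segments and a normalized path under `/vpns/`), the direct `/vpns/cfg/smb.conf` request (no dot segments, but under the blocked tree), and the `/vpn/./logon.html` request (dot segments only). Checking the normalized path is what makes the first two equivalent from the server's point of view, which is exactly why the thread notes the scanner still trips the mitigation even when the client collapses the path.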