BlackBerry ThreatVector Blog

Red Team: An Offensive Perspective on CVE-2019-19781

As a follow-up to our defensive perspective on trending CVE-2019-19781 incident response cases, our BlackBerry Red Team is now covering this issue from an offensive perspective. Attackers see this as an ideal vulnerability because, by design, these types of appliances bridge the victim’s network to the Internet.

Exploitation of this host provides an excellent pivot point that facilitates lateral movement across the target network. In poorly designed environments, these devices may even skip the DMZ and reside inside the internal network—lowering the overall level of effort an attacker needs to exert to achieve their goal:

Figure 1:  One potential (simplified) network architecture

Discovering the Vulnerability

Vulnerability scanners provide a fairly easy method of discovering assets and determining their associated vulnerabilities, even for someone unfamiliar with the network. For example, Tenable’s Nessus Vulnerability Scanner has four plugins capable of performing checks for this particular vulnerability using different methods such as SNMP, local checks, and web checks.

To be more selective, you can run a single plugin to check for the vulnerability or use a dedicated auxiliary module within the Metasploit Framework, as shown here:

Figure 2:  Searching Metasploit for the CVE-2019-19781 scanner

Exploiting the Vulnerability

After confirming the existence of the vulnerability, from an attacker’s perspective, it is time to exploit it. Early on, exploiting this vulnerability was more of a manual process; however, with the explosion of publicly available code, it is now well beyond the point of weaponization and automation. In fact, one easy method of exploitation is included in the freely available Metasploit Framework and provides a number of payload options, as shown in the screenshot below:

Figure 3:  Metasploit payloads that can be deployed via the citrix_dir_traversal_rce exploit

Post Exploitation Possibilities

The attacker’s goal will largely drive the payload decision. However, in the majority of instances, a persistence mechanism is established along with an instrument for conducting lateral movement. In one of our Red Team engagements, we were able to pull the /flash/nsconfig/ns.conf file from the affected device. It contained domain credentials, which made lateral movement trivial. This, combined with the network information from the appliance, gives an attacker a path to spread and achieve their goals. Once they are moving throughout the network, they are free to deploy ransomware or steal sensitive information.
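Because credentials stored in ns.conf have to be treated as exposed once an appliance is compromised, responders need a list of the accounts to rotate. The sketch below is an added example, not code from the original post: it inventories those accounts from a constructed sample in ns.conf syntax without printing the stored secrets, and the parameter list it checks is an assumed, non-exhaustive one.

```python
import shlex

# Constructed sample in ns.conf syntax; every name, address and value is made up.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set system user nsroot 0123456789abcdef -encrypted
add authentication ldapAction corp_ldap -serverIP 192.0.2.20 -ldapBase "dc=corp,dc=example" -ldapBindDn "svc-netscaler@corp.example" -ldapBindDnPassword 9f8e7d6c5b4a -encrypted
add authentication radiusAction corp_radius -serverIP 192.0.2.30 -radKey a1b2c3d4e5f6 -encrypted
add lb vserver web_vip HTTP 192.0.2.40 80
"""

# Assumed, non-exhaustive list of parameters whose value is a stored secret.
SECRET_PARAMS = ("-ldapBindDnPassword", "-radKey")


def inventory_stored_credentials(conf_text):
    """List config lines that store a secret, naming the account but never the secret."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quote: fall back to a plain split
            tokens = line.split()
        if len(tokens) < 5 or tokens[0] not in ("add", "set"):
            continue
        obj = " ".join(tokens[1:3])
        # Map each "-flag" to the token that follows it.
        params = {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}
        if obj == "system user":
            # Local appliance account: the password hash is positional (tokens[4]).
            findings.append({"line": lineno, "object": obj,
                             "account": tokens[3], "scope": "appliance"})
            continue
        for flag in SECRET_PARAMS:
            if flag in params:
                # A directory bind account is a domain credential usable beyond the appliance.
                account = params.get("-ldapBindDn", f"{tokens[3]} (shared secret)")
                scope = "domain" if "-ldapBindDn" in params else "service"
                findings.append({"line": lineno, "object": obj,
                                 "account": account, "scope": scope})
    return findings


if __name__ == "__main__":
    for f in inventory_stored_credentials(SAMPLE_NS_CONF):
        print(f"line {f['line']}: rotate {f['account']} [{f['scope']}] ({f['object']})")
```

Entries with scope "domain" are the ones to rotate first, since they are valid outside the appliance itself.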

Conclusion

Due to the uptick in Incident Response inbounds resulting from the CVE-2019-19781 exploit, we hope that covering both the attacker’s and the defender’s perspectives spurs organizations to take a second look at their environment. If you have not put on your black hat, it might be time. A little effort spent looking for these vulnerabilities and signs of compromise will pay dividends down the road.

Anthony Paimany

About Anthony Paimany

Practice Director, Attack Simulation Services at BlackBerry

As Practice Director, Anthony Paimany is responsible for setting the strategic direction for the Attack Simulation Service and holds management authority over all Attack Simulation Service engagements. As a technical expert, Anthony possesses a deep understanding of threat actor Tactics, Tools, Techniques, and Procedures, and has assisted the Bank of England, CREST, and its partner companies in developing industry accreditation standards.

During his decade-plus-long career, Anthony has held multiple security roles and conducted dozens of consulting assignments for clients in a wide variety of industry sectors. Thanks to this broad experience, Anthony is keenly aware of the challenges organizations face in managing their cyber risks and how the Attack Simulation Services can provide clients with maximum impact and business value. Anthony is a Certified CREST Simulated Attack Specialist and Simulated Attack Manager.

Tony Lee

About Tony Lee

Vice President, Global Services Technical Operations, BlackBerry

Tony Lee has more than fifteen years of professional research and consulting experience pursuing his passion in all areas of information security.

As an avid educator, Tony has instructed thousands of students at many venues worldwide, including government, universities, corporations, and conferences such as Black Hat. He takes every opportunity to share knowledge as a contributing author to Hacking Exposed 7, and is also a frequent blogger, researcher, and author of white papers on topics including Citrix Security, the China Chopper Web shell, and Cisco's SYNful Knock router implant.

Over the years, he has contributed many tools to the security community such as UnBup, Forensic Investigator Splunk app, and CyBot, the extensible Threat Intelligence Bot framework designed for anyone from a home user to a SOC analyst.