PoC details: 7bb15d5e0a2d0e81c6dddb34700b8ce3eeebf2ac

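Related vulnerability
Title: Citrix Systems Workspace App security vulnerability (CVE-2020-13884)
Description: Citrix Systems Workspace App (formerly Receiver) is an application from the US company Citrix Systems that provides secure access to applications, desktops and data. A security vulnerability exists in Citrix Systems Workspace App versions before 1912 (Windows). A local attacker can exploit this vulnerability to escalate privileges while the application is being uninstalled.
Description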
Citrix Workspace app before 1912 for Windows - Privilege Escalation #2
Introduction
# Exploit Title: Citrix Workspace app before 1912 for Windows - Privilege Escalation #2

Date: 2020-06-07<br/>
Author: Andrew Hess<br/>
Software Link: https://www.citrix.com/downloads/workspace-app/legacy-workspace-app-for-windows/workspace-app-for-windows-1911.html/<br/>
Bulletin: https://support.citrix.com/article/CTX275460<br/>
CVE: CVE-2020-13884<br/>


# History

2020.02.10 - Vulnerability discovered<br/>
2020.02.10 - Initial contact with the vendor<br/>
2020.XX.XX - ~~Vendor Patch 2006.1~~ The 1912 version, which was released after my report, already does not have the vulnerability<br/>
2020.06.06 - I created a CVE because the vendor did not publish the vulnerability<br/>
2020.06.10 - Contact with the vendor and correction of the CVE <br/>


# Software description

High performance access to Windows virtual apps and desktops, anywhere access from your desktop, start menu, Workspace app UI or web access with Chrome, Internet Explorer or Firefox.

Citrix Workspace app can be used on domain and non-domain joined PCs, tablets, and thin clients. Provides high performance use of virtualized Skype for Business, line of business and HDX 3D Pro engineering apps, multimedia, local app access.


# Exploit description

Citrix Workspace App before 1912 on Windows has Insecure Permissions for %PROGRAMDATA%\Citrix and an unquoted UninstallString, which allows local users to gain privileges by copying a malicious citrix.exe there.


# Affected Components

- C:\ProgramData\Citrix (Write ACL for Users)
- UninstallString in HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CitrixOnlinePluginPackWeb is unquoted (C:\ProgramData\Citrix\Citrix Workspace 1911\TrolleyExpress.exe /uninstal)
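
The two components combine because Windows, given an unquoted command line, tries each space-delimited prefix as the executable before it reaches the intended one. The audit sketch below is an added example, not part of the original advisory: it lists the paths that would be tried first and the directories whose ACLs therefore matter. The function names, the `.exe` heuristic and the two contrast entries are assumptions; on a real host the values would be read from the Uninstall registry keys.

```python
import ntpath
import re

# Constructed sample input. The first value is the UninstallString as printed on
# this page; the other two entries are made up for contrast.
SAMPLE_UNINSTALL_STRINGS = {
    "CitrixOnlinePluginPackWeb":
        r"C:\ProgramData\Citrix\Citrix Workspace 1911\TrolleyExpress.exe /uninstal",
    "QuotedExample": r'"C:\Program Files\Example App\uninstall.exe" /S',
    "MsiExample": r"MsiExec.exe /X{00000000-0000-0000-0000-000000000000}",
}

def earlier_candidates(command_line):
    """Return the paths Windows tries before the intended executable.

    For an unquoted command line, CreateProcess cuts the string at each space
    in turn and appends .exe when the last component has no extension.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return []  # quoted: the image path is unambiguous
    # Heuristic (assumption): the intended image ends at the first ".exe"
    # that is followed by whitespace or the end of the string.
    match = re.search(r"\.exe(?=\s|$)", cmd, re.IGNORECASE)
    if not match:
        return []
    intended = cmd[:match.end()]
    found = []
    for i, ch in enumerate(intended):
        if ch != " ":
            continue
        prefix = intended[:i]
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        found.append(prefix)
    return found

def audit(entries):
    """Map each ambiguous uninstall key to the directories whose ACLs to check."""
    report = {}
    for key, value in entries.items():
        paths = earlier_candidates(value)
        if paths:
            report[key] = sorted({ntpath.dirname(p) for p in paths})
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_UNINSTALL_STRINGS))
```

Any directory the audit reports should be writable only by administrators, and the UninstallString itself should be quoted.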


## Steps To Reproduce

- Copy a malicious citrix.exe to C:\ProgramData\Citrix
- Wait until an admin or software distribution uninstalls the Citrix Workspace app. This will execute the malicious Citrix.exe.

## Impact

A local attacker can obtain system privileges.