-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2020-022
Product: ADC/NetScaler 
Manufacturer: Citrix 
Tested Version(s): NS13.0 52.24
Vulnerability Type: Improper Neutralization of Input During 
                    Web Page Generation (CWE-79) 
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2020-05-06
Solution Date: 2020-09-17
Public Disclosure: 2020-10-02
CVE Reference: CVE-2020-8245
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

NetScaler/Citrix ADC is a multi-protocol reverse proxy appliance, 
commonly used to externally provide Citrix Remote Desktop Services 
or SSL VPN.

The manufacturer describes the product as follows (see [1]):

"Citrix ADC is the most comprehensive application delivery and load 
balancing solution for monolithic and microservices-based applications. 
Which means you can deliver a better user experience, on any 
device—anywhere."

Due to improper encoding of user input, manipulated HTML or possibly
script content can be introduced in the Citrix ADC user interface
through manipulated links when using certain web browsers.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The file transfer site (/vpns/portal/filetransfer.html) in the user
portal reflects the request query string in an iframe "src" attribute
without proper encoding:

<iframe src="/vpns/fslogin.html?[% env.getvar('QUERY_STRING') %]" [...]

Most web browsers enforce that special characters in URLs are
URL-encoded. This includes the quote characters required to escape the 
attribute in this case. This issue is not exploitable in these 
browsers.

Microsoft's Internet Explorer, however, does not enforce such encoding. 
Therefore, it is possible to escape the attribute and iframe element 
context in order to include arbitrary HTML content that will be
rendered. 

JavaScript code can be included as well. Nevertheless, IE's cross-site
scripting mitigation is enabled. Combined with a suitable, application-
specific or generic bypass vector, a full reflected cross-site scripting
attack becomes possible.

Some other similar instances where the application does not properly 
encode user input when including it in HTML code were identified. In
these cases, however, the input in question was previously URL-encoded by
the web server and it did not seem possible to be bypassed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Open the URL

https://$NETSCALER/vpns/portal/filetransfer.html?"></iframe>[cont...]
<h1>Welcome</h1><!--

in Microsoft Internet Explorer while being logged in as a user to Citrix 
ADC.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Apply security patch provided by the vendor [4].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-05-04: Vulnerability discovered
2020-05-06: Vulnerability reported to manufacturer
2020-09-17: Patch released by manufacturer
2020-10-02: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for Citrix ADC
    https://www.citrix.com/products/citrix-adc/
[2] SySS Security Advisory SYSS-2020-022
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-022.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/
[4] Vendor Security Bulletin
    https://support.citrix.com/article/CTX281474

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E  CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAl927UcACgkQdo7+K7Pl
PdqW/Af+PkUK3XoL5XtC0bupFcep51Av7aJ6qzBv9TyfQB3ClOg07DNbPVV9Yoqk
tiNX2t3TUxg4/RgFVJXlO1aV2Zla46QwFy/4L0r8BfwDM0hds5veS2uRx22U3oFt
tc+Go26zFmWQiSVHIfCXieK171Ih2LmKcKxArq/fFKn0iKI4FAHXVK6VcFYZweqq
lj592S/2E4MiLbQ+o/a8Wis6SP+X5pWBnuJT09btcTe34Zg2jCAV9q4P/3GD1CoY
opav6GGGrFXZgJkE//Dus8MmVt4cTPCmuhYboasI/5bw2AkfqV91ihbL7yAFC96f
Ic5fUcEFEjZCpBIxE1pyD2d/iFkMcw==
=Irvo
-----END PGP SIGNATURE-----