On December 17th, 2019, Citrix published security bulletin CTX267027 reporting a vulnerability (CVE-2019-19781) in Citrix Application Delivery Controller (ADC) and Citrix Gateway that allows an unauthenticated remote attacker to achieve arbitrary code execution. The following product versions were affected:
· Citrix ADC and Citrix Gateway version 13.0 all supported builds
· Citrix ADC and NetScaler Gateway version 12.1 all supported builds
· Citrix ADC and NetScaler Gateway version 12.0 all supported builds
· Citrix ADC and NetScaler Gateway version 11.1 all supported builds
· Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Citrix credited Mikhail Klyuchnikov of Positive Technologies, and Gianlorenzo Cipparrone and Miguel Gonzalez of Paddy Power Betfair plc, but did not release any details regarding the vulnerability. Citrix provided expected release dates for patched versions, with the earliest fix expected to ship on 20th January, 2020. Citrix also provided steps to mitigate the vulnerability in the meantime. For a standalone system the mitigation is a responder policy named ctx267027 that blocks requests matching the vulnerable URL pattern; the command that binds that policy globally is shown below.
bind responder global ctx267027 1 END -type REQ_OVERRIDE
Vulnerability Analysis and Exploit POC
On 11th January, 2020, Project Zero India, a group of security researchers from India, released a working PoC exploiting the vulnerability. Other security researchers followed shortly with their own exploit PoCs and vulnerability scanners.
By analyzing the mitigation steps provided by Citrix, security researchers were able to work out where the vulnerability lies and how to exploit it. The responder policy blocks requests whose URL contains '/vpns/' together with '/../', which points at a directory traversal: a request such as /vpn/../vpns/... reaches the Perl scripts under the /vpns/portal/ tree (the public exploits use the newbm.pl bookmark script) without any authentication. The traversal is compounded by a second weakness in those scripts: they construct an XML file from unsanitized HTTP request headers and parameters. The value of the NSC_USER header is used as the file name, and request parameters supply the file contents, so an attacker controls both the name of the XML file (including further '../' segments that place it in a directory of their choosing) and what goes into it.
Once an attacker is able to create such an XML file on the vulnerable server, a request for that file causes the server to render it with the Perl Template Toolkit. A Template Toolkit directive embedded in the file contents is evaluated as Perl, which gives the attacker command execution.
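To make the first half of that chain concrete, the following is an added Python model of the file write behind the NSC_USER header, written for this article and not the Perl code that ships on the appliance. It shows the vulnerable behaviour (header value concatenated straight into the file name, so '../' walks out of the template directory) next to a hardened version that validates the name and checks containment. The template directory is a temporary folder created for the demo, and the user-name policy is an assumption.

```python
import os
import re
import tempfile

# Stand-in for the appliance's portal template directory (constructed for this demo).
TEMPLATE_DIR = tempfile.mkdtemp(prefix="portal_templates_")
# Assumed user-name policy: what a portal user name is allowed to look like.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$")


def bookmark_path_vulnerable(nsc_user: str) -> str:
    """Header value concatenated straight into the file name, as the vulnerable
    script effectively did. Any '../' segment walks out of TEMPLATE_DIR."""
    return os.path.join(TEMPLATE_DIR, nsc_user + ".xml")


def escapes_template_dir(path: str) -> bool:
    """True if the resolved path lands anywhere outside TEMPLATE_DIR.
    realpath() normalises '..' even when the target does not exist yet."""
    root = os.path.realpath(TEMPLATE_DIR) + os.sep
    return not os.path.realpath(path).startswith(root)


def bookmark_path_hardened(nsc_user: str) -> str:
    """Reject anything that is not a plausible user name, then confirm the
    resolved path is still inside TEMPLATE_DIR before using it."""
    if not USERNAME_RE.fullmatch(nsc_user):
        raise ValueError("NSC_USER is not a valid user name")
    path = os.path.join(TEMPLATE_DIR, nsc_user + ".xml")
    if escapes_template_dir(path):  # belt and braces: the regex already forbids '/'
        raise ValueError("bookmark path escapes the template directory")
    return path


def is_accepted(nsc_user: str) -> bool:
    """Convenience wrapper: does the hardened check accept this header value?"""
    try:
        bookmark_path_hardened(nsc_user)
        return True
    except ValueError:
        return False


def write_bookmark(path: str, title: str) -> str:
    """Write the bookmark XML the way the portal does: the attacker-chosen title
    goes into the file verbatim, which is what the Template Toolkit later evaluates.
    Returns the text written so the caller can inspect it."""
    text = f'<?xml version="1.0"?>\n<bookmarks><bookmark title="{title}"/></bookmarks>\n'
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return text


if __name__ == "__main__":
    # Constructed header values: a normal user and the traversal used by public exploits.
    for user in ("alice", "../../../netscaler/portal/templates/RandomFileName"):
        p = bookmark_path_vulnerable(user)
        print(f"{user!r}: vulnerable path {p} escapes={escapes_template_dir(p)}")
        print("  hardened:", bookmark_path_hardened(user) if is_accepted(user) else "rejected")
```

The containment check matters on its own: an allow-list on the user name is the real fix, but resolving the final path and confirming it is still under the template directory catches any future code path that builds the name differently.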
There are various exploits available online; a malicious first request looks like this:
Figure 1 : Initial request sent by an attacker. The RandomFileName in the NSC_USER header value is used to create an XML file.
A vulnerable server will create an XML file named RandomFileName.xml (taken from the NSC_USER header) under the /vpns/portal folder. A second GET request for that file location results in command execution.
Figure 2 : If the attacker is able to successfully create the XML file, the command output will be visible by accessing this page.
Mitigation through BIG-IP ASM
BIG-IP ASM customers on any supported BIG-IP version are already protected against this vulnerability: the exploitation attempt is detected by the existing "Directory Traversal" and "Command Execution" attack signatures. As with any ASM signature, detection only turns into blocking when the security policy protecting the virtual server is in blocking mode and the signatures are enforced rather than still in staging.
Figure 3 : Exploitation attempt detected with existing Directory Traversal attempt signatures for header and POST content.
Figure 4 : Exploitation attempt detected with existing Command execution attempt signatures (uname for this example).
Furthermore, BIG-IP ASM now has a dedicated signature to capture exploitation attempts against this vulnerability.
Figure 5 : Dedicated signature to detect exploit attempt.
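For readers who want to reproduce the detection logic described above outside ASM (for example in a log pipeline), the following is an added Python example written for this article; it is not F5's signature code or Citrix's policy. It applies the same checks to a parsed request: the URL condition from the Citrix responder policy ('/vpns/' together with '/../', evaluated on the percent-decoded path), a traversal check on the NSC_USER header, and a Template Toolkit directive check on the POST body and query string with a narrower "command execution" match on top. The rule names, the Request type and the sample requests are all constructed; the Citrix policy additionally exempts authenticated SSL VPN sessions, which a passive classifier cannot see.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass
class Request:
    """Minimal parsed HTTP request (constructed for this example)."""
    method: str
    path: str                                  # request-target as received, still encoded
    headers: dict = field(default_factory=dict)
    body: str = ""


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %2e%2e%2f and double-encoded
    variants are compared in the form the server eventually sees. '+' is left
    alone: it never affects the patterns matched below."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


# Template Toolkit directive delimiters: [% ... %]
TT_DIRECTIVE = re.compile(r"\[%.*?%\]", re.S)
# Perl calls commonly smuggled through such a directive to run a command
PERL_EXEC = re.compile(r"\b(readpipe|system|exec|open)\s*\(|`[^`]*`|\bqx\b", re.I)


def classify(req: Request) -> list:
    """Return the names of the rules the request triggers, in a fixed order."""
    hits = []
    path = decode_fully(req.path)

    # Citrix responder policy condition (minus the SSL VPN session exemption).
    if "/vpns/" in path and "/../" in path:
        hits.append("vpns_traversal")

    # Header-side traversal: the NSC_USER value becomes part of a file name.
    nsc_user = req.headers.get("NSC_USER")
    if nsc_user is not None and "../" in decode_fully(nsc_user):
        hits.append("nsc_user_traversal")

    # Template injection in POST content or query string, then command execution on top.
    query = path.partition("?")[2]
    directives = TT_DIRECTIVE.findall(decode_fully(req.body)) + TT_DIRECTIVE.findall(query)
    if directives:
        hits.append("template_directive")
        if any(PERL_EXEC.search(d) for d in directives):
            hits.append("command_execution")
    return hits


# Constructed samples modelled on the two-request exploit flow described above.
EXPLOIT_STAGE1 = Request(
    "POST", "/vpn/../vpns/portal/scripts/newbm.pl",
    headers={"NSC_USER": "../../../netscaler/portal/templates/RandomFileName", "NSC_NONCE": "x"},
    body="url=http://example.com&title=[%25+template.new({'BLOCK'%3d'print+readpipe(%22uname+-a%22)'})+%25]"
         "&desc=test&UI_inuse=RfWeb",
)
EXPLOIT_STAGE2 = Request("GET", "/vpn/../vpns/portal/RandomFileName.xml")
ENCODED = Request("GET", "/vpn/%2e%2e/vpns/portal/scripts/newbm.pl")
DOUBLE_ENCODED = Request("GET", "/vpn/%252e%252e/vpns/portal/scripts/newbm.pl")
BENIGN = Request("GET", "/logon/LogonPoint/index.html", headers={"User-Agent": "curl"})

if __name__ == "__main__":
    for name, req in [("stage1", EXPLOIT_STAGE1), ("stage2", EXPLOIT_STAGE2),
                      ("encoded", ENCODED), ("double", DOUBLE_ENCODED), ("benign", BENIGN)]:
        print(f"{name:8} {req.method} {req.path} -> {classify(req)}")
```

The decoding step is the part worth keeping in mind: a signature that compares the raw request-target against "/../" misses the percent-encoded and double-encoded forms that scanners routinely try, so normalise first and match second, which is also what the Citrix policy's DECODE_USING_TEXT_MODE does.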