We analyze the vulnerability in Citrix ADC, allowing for a minute to penetrate the internal network of the company
Threatened about 80 thousand companies Worldwide. The situation is exacerbated by the fact that the Citrix ADC product is installed on the border between the external and internal network of the organization. Thus, after exploiting a vulnerability, an attacker gains access immediately to the company’s internal network and has the ability to develop attacks on a private network segment.
In today’s article, the author of the study will analyze in more detail the vulnerability, details of its detection and exploitation. Go!
What is Citrix ADC
Citrix ADC is a software-oriented application delivery and load balancing solution specifically designed to improve the performance of traditional, cloud and web applications, no matter where they are located. The most common such controllers have already received in the IT and telecom industries. According to forecasts, by 2023 the demand for ADC will increase among financial and insurance companies.
How serious is it
Monitoring of threat intelligence revealed that at least 80,000 companies from 158 countries are potentially vulnerable. At the time of vulnerability discovery, the TOP 5 by the number of such organizations included the United States of America (the absolute leader – more than 38% of all vulnerable organizations are located in the United States), Germany, the United Kingdom, the Netherlands, and Australia.
Russia was ranked 26th in the total number of potentially vulnerable companies in various business sectors — more than 300 organizations in total. Kazakhstan and Belarus ranked 44th and 45th in terms of the number of vulnerable companies, respectively.
As of February 2020, the top countries in terms of the number of potentially vulnerable organizations included Brazil (43% of the number of companies in which the vulnerability was originally identified), China (39%), Russia (35%), France (34%), Italy (33%) and Spain (25%). The United States, Great Britain and Australia showed the best dynamics in eliminating vulnerabilities: in these countries, 21% were registered for companies that continued to use vulnerable devices and did not take any protection measures.
Discovery and Operation
At the very beginning of the study, I found that using Path Traversal, an unauthorized user has the ability to access static files that are not accessible without authorization (/vpn/../vpns/style.css). This was found during the Black Box analysis of Citrix ADC.
The behavior described above interested me, so I decided to find the Citrix ADC image, run it locally (thanks for the help to my colleague Yuri Aleinov) and continue the study with full access to the application source code.
First of all, the Apache web server config (/etc/httpd.conf) was analyzed, which is responsible for the web interface of this application. As we see in the picture below, the paths falling under the pattern “/vpns/portal/scripts/.*.pl$»Processed by the ModPerl :: Registry function. It turns out that it is possible to execute perl scripts from a folder / netscaler / portal / scripts / without authorization.
After that, I began to analyze scripts that we can call by going to the address /vpn/../vpns/portal/scripts/[scriptName].pl.
In almost every script, the csd function of the NetScaler :: Portal :: UserPrefs (/netscaler/portal/modules/NetScaler/Portal/UserPrefs.pm) The function works with the HTTP headers NSC_USER and NSC_NONCE. No interesting action is taken with the second header, but the value of the NSC_USER header is used as the file name. If the file (whose name was transferred as the value of the NSC_USER header) does not exist, then this file is created with a certain structure, and if it already exists, it is parsed and the variable is filled on its basis $ doc.
It turns out that if we use path traversal in the file name, then we can create a file with the extension “.xml” in any directory of the file system where we have write permissions. To check this, send the line “../../../../tmp/myTestFile” as the value of the “NSC_USER” header and check the presence of the file in the “/ tmp /” directory.
At this stage, we have the ability to create a file with the extension “.xml”, but there is no way to control the contents of the file.
Let’s pay attention to the script “newbm.pl”, which is also located in the directory that we are interested in. This script accepts POST parameters and writes to the file (the name of which is indicated in the NSC_USER header) the values of such parameters as “url”, “title” and “desc”.
Now it is possible not only to create xml-files in arbitrary places, but also to partially control their contents.
To continue the path to RCE, we again turn to the web server config and note that another path (/ vpns / portal /) is processed by the NetScaler :: Portal :: Handler perl function (/netscaler/portal/modules/NetScaler/Portal/Handler.pm)
The handler function receives the part of the path after the last “/” character as the file name, searches for it in the “/ netscaler / portal / templates /” folder and tries to render this file using the “Template Toolkit” library.
Thus, if we can upload our file to the template folder, we can also call its render.
Further operation is complicated by the fact that the Template Toolkit library operates in such a mode that it is impossible to execute perl-code using regular methods. For example, the “[% PERL %]“.
Based on these restrictions, I decided to look for vulnerabilities in standard library plugins. Consider a plugin like “Datafile” (/usr/local/lib/perl5/site_perl/5.14.2/mach/Template/Plugin/Datafile.pm) The file is quite small, so immediately pay attention to the call to the standard function “open” with two arguments. Such use is unsafe and may lead to RCE.
We try to exploit the vulnerability locally and as a check we create the file “testRCE” in the folder “/ tmp /”.
At the moment, we have the ability to create files in arbitrary places on the system, partially control their contents and vulnerability in the Template Toolkit library. We use all this in order to obtain the execution of arbitrary commands from an unauthorized user.
We create a file in the template folder, the render of which will lead to the execution of the code and the creation of a web-based command line interpreter.
Then render this file.
We turn to the script (web shell) that we created earlier and execute an arbitrary OS command.
How to protect yourself
Citrix released recommendations to eliminate this vulnerability. In addition, the manufacturer recommends that users immediately update all vulnerable software versions to the recommended ones.
Companies can use application-level firewalls to block a possible attack. For example, PT Application Firewall detects such an attack “out of the box”: the system should be switched to the blocking mode of dangerous requests for protection in real time. Given the total lifetime of the identified vulnerability (it has been relevant since the release of the first vulnerable version of the software, that is, since 2014), identifying the relevance possible facts exploitation of this vulnerability (and, accordingly, compromised infrastructure) in retrospect.
Users PT Network Attack Discovery Beginning December 18, 2019, they can take advantage of special rules that detect attempts to exploit this vulnerability online.
Author: Mikhail Klyuchnikov (@__mn1__), Positive Technologies
- December 5, 2019 Reported to Citrix
- December 19, 2019 Released mitigation steps from Citrix