The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Citrix NetScaler Web Management Cookie Weakness
------------------------------------------------------------------------
SUMMARY
For most web application logins a user fills out an HTTP form, which sets
up the user with a session cookie. The cookie content is merely a session
ID, which allows the server-side application to match incoming requests to
a specific user and session. If the cookie gets compromised, such as using
XSS, the attacker might be able to impersonate the user for the duration
of the session but it typically does not allow the attacker to obtain the
user's login credentials.
A weakness in Citrix's NetScaler allows attacks that can gain access to
the cookie used for authentication against the product to retrieve the the
plaintext information stored by it by using a chosen plaintext attack.
DETAILS
Vulnerable Systems:
* Citrix NetScaler version 8.0, build 47.8
The web management interface of Citrix NetScaler stores the user's
credentials in an encrypted form in the cookie, namely values ns1 and ns2.
In addition the cookie contains other encrypted information in values ns3,
ns4, and ns5. Since the encryption is a simple XOR with a fixed key stream
it is possible to determine parts of the key stream by XOR'ing a known
plaintext with its corresponding ciphertext. This in turn allows the
attacker to recover the plaintext form of the user's credentials by
applying the key stream to cookie values ns1 and ns2. Furthermore, the
cipher does not in any way pad the plaintext before it gets encrypted so
the length of the ciphertext is equal to the length of the plaintext,
which also provides a clue about the plaintext.
There are several approaches to obtain the ciphertext for some known
plaintext:
* Log into the management console with the attacker's own credentials (if
the attacker is a configured user, even with minimal privileges) and
analyze his own cookie.
* Make an educated guess about the username contained in ns1. (As an
example, the default root user on NetScaler is "nsroot".)
* Make an educated guess about the device hostname or IP address, which
is contained in ns3. (As an example, the "main" IP address is stored
unencrypted in cookie value "domain". This is a minor vulnerability all by
itself.)
* Use cookie value ns4, which is an encrypted value of "NS".
* Use cookie value ns5, which is an encrypted value of either "true" or
"false".
ADDITIONAL INFORMATION
The information has been provided by nnposter.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
