Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Citrix NetScaler Web Management Cookie Weakness

from [nnposter] Network Security [Permanent Link]
Subject: Citrix NetScaler Web Management Cookie Weakness
Date: 26 Nov 2007 02:06:03 -0000 
Citrix NetScaler Web Management Cookie Weakness


Product: Citrix NetScaler
http://www.citrix.com/lang/English/ps2/index.asp


Background:
For most web application logins a user fills out an HTTP form, which sets up 
the user with a session cookie. The cookie content is merely a session ID, 
which allows the server-side application to match incoming requests to a 
specific user and session. If the cookie gets compromised, such as using XSS, 
the attacker might be able to impersonate the user for the duration of the 
session but it typically does not allow the attacker to obtain the user's login 
credentials.


Vulnerability:
The web management interface of Citrix NetScaler stores the user's credentials 
in an encrypted form in the cookie, namely values ns1 and ns2. In addition the 
cookie contains other encrypted information in values ns3, ns4, and ns5. Since 
the encryption is a simple XOR with a fixed key stream it is possible to 
determine parts of the key stream by XOR'ing a known plaintext with its 
corresponding ciphertext. This in turn allows the attacker to recover the 
plaintext form of the user's credentials by applying the key stream to cookie 
values ns1 and ns2. Furthermore, the cipher does not in any way pad the 
plaintext before it gets encrypted so the length of the ciphertext is equal to 
the length of the plaintext, which also provides a clue about the plaintext.

There are several approaches to obtain the ciphertext for some known plaintext:

* Log into the management console with the attacker's own credentials (if the 
attacker is a configured user, even with minimal privileges) and analyze his 
own cookie.
* Make an educated guess about the username contained in ns1. (As an example, 
the default root user on NetScaler is "nsroot".)
* Make an educated guess about the device hostname or IP address, which is 
contained in ns3. (As an example, the "main" IP address is stored unencrypted 
in cookie value "domain". This is a minor vulnerability all by itself.)
* Use cookie value ns4, which is an encrypted value of "NS".
* Use cookie value ns5, which is an encrypted value of either "true" or "false".


The vulnerability has been identified in version 8.0, build 47.8.
However, other versions may be also affected.


Solution:
Do not stay logged into the NetScaler web management interface while browsing 
other web sites to avoid cookie theft via XSS, such as CVE-2007-6037.


Found by:
nnposter
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Citrix NetScaler Web Management Cookie Weakness, nnposter <=
Previous by Date:  FMDeluxe (index.php) Cross-Site Scripting Vulnerability, sys-project
Next by Date:  GWExtranet Script Injections & Privilege Escalation Vulnerability, DoZ
Previous by Thread:  FMDeluxe (index.php) Cross-Site Scripting Vulnerability, sys-project
Next by Thread:  GWExtranet Script Injections & Privilege Escalation Vulnerability, DoZ
Indexes:  [Date] [Thread] [Top] [All Lists]