SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Device (Encryption/VPN)  >   Citrix NetScaler Vendors:   Citrix
Citrix NetScaler Cookie Weakness May Let Users Access Arbitrary Accounts
SecurityTracker Alert ID:  1018991
SecurityTracker URL:  http://securitytracker.com/id/1018991
CVE Reference:   CVE-2007-6192, CVE-2007-6193   (Links to External Site)
Updated:  Dec 4 2007
Original Entry Date:  Nov 26 2007
Impact:   User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 8.0, build 47.8
Description:   A vulnerability was reported in Citrix NetScaler. A remote authenticated user may be able to create cookies for arbitrary accounts on the system.

The web management interface stores the target user's authentication credentials in encrypted form in a cookie when the target user is logged in to the interface. The credentials are encrypted using a fixed key stream.

A remote authenticated user can determine portions of the key stream by XORing known plaintext values with the corresponding encrypted values. With knowledge of the target username, the remote user can generate the necessary cookie values to access the target user's account.

Citrix Access Gateway is also affected.

nnposter reported this vulnerability.

Impact:   A remote authenticated user may be able to create cookies to gain access to arbitrary accounts on the system.
Solution:   No solution was available at the time of this entry.

The Citrix advisory is available at:

http://support.citrix.com/article/CTX115496

Vendor URL:  support.citrix.com/article/CTX115496 (Links to External Site)
Cause:   Authentication error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  26 Nov 2007 02:06:03 -0000
Subject:  Citrix NetScaler Web Management Cookie Weakness

Citrix NetScaler Web Management Cookie Weakness


Product: Citrix NetScaler
http://www.citrix.com/lang/English/ps2/index.asp


Background:
For most web application logins a user fills out an HTTP form, which sets up the user with a session cookie. The cookie content is
 merely a session ID, which allows the server-side application to match incoming requests to a specific user and session. If the cookie
 gets compromised, such as using XSS, the attacker might be able to impersonate the user for the duration of the session but it typically
 does not allow the attacker to obtain the user's login credentials.


Vulnerability:
The web management interface of Citrix NetScaler stores the user's credentials in an encrypted form in the cookie, namely values ns1
 and ns2. In addition the cookie contains other encrypted information in values ns3, ns4, and ns5. Since the encryption is a simple
 XOR with a fixed key stream it is possible to determine parts of the key stream by XOR'ing a known plaintext with its corresponding
 ciphertext. This in turn allows the attacker to recover the plaintext form of the user's credentials by applying the key stream to
 cookie values ns1 and ns2. Furthermore, the cipher does not in any way pad the plaintext before it gets encrypted so the length of
 the ciphertext is equal to the length of the plaintext, which also provides a clue about the plaintext.

There are several approaches to obtain the ciphertext for some known plaintext:

* Log into the management console with the attacker's own credentials (if the attacker is a configured user, even with minimal privileges)
 and analyze his own cookie.
* Make an educated guess about the username contained in ns1. (As an example, the default root user on NetScaler is "nsroot".)
* Make an educated guess about the device hostname or IP address, which is contained in ns3. (As an example, the "main" IP address
 is stored unencrypted in cookie value "domain". This is a minor vulnerability all by itself.)
* Use cookie value ns4, which is an encrypted value of "NS".
* Use cookie value ns5, which is an encrypted value of either "true" or "false".


The vulnerability has been identified in version 8.0, build 47.8.
However, other versions may be also affected.


Solution:
Do not stay logged into the NetScaler web management interface while browsing other web sites to avoid cookie theft via XSS, such
 as CVE-2007-6037.


Found by:
nnposter

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC