Just before the holidays, Citrix announced that their Citrix Application Delivery Controller (ADC) and Citrix Gateway are prone to a vulnerability which can allow remote unauthenticated attackers to execute code on vulnerable gateways. This led to a wave of alarming headlines about “80,000 firms” being exposed to hacking due to this flaw. What’s more interesting is that Citrix has not released a fix for this issue but has rather published just mitigation steps that can help guard against the possibility of attacks.

Citrix has not said a lot about the specifics of the vulnerability, leaving many admins wondering if they are actually affected and unsure of how to forensically identify attacks. In this post, I will briefly attempt to clear the air somewhat about this advisory, and I will also share original data about the prevalence of unpatched systems 20 days after the initial advisory.

To begin this investigation, we must look at the mitigation steps advised by Citrix. The core of this fix is a NetScaler responder policy to reject certain requests:

add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403

We can readily infer from this that the exploit attempts would involve a path traversal likely related to the /vpns/ path on Citrix. I reviewed the Apache configuration on an ADC appliance and found that the /vpns/ path is home to some Perl content including a directory without an authorization requirement.
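Because the advisory describes only the blocking rule, admins who want to check whether such requests already reached an appliance can apply the same two conditions retroactively to web access logs. The following is an added example, not code from the original post or from Citrix: it mirrors the responder policy's URL tests over constructed combined-format log lines. It assumes that DECODE_USING_TEXT_MODE behaves like percent-decoding (an approximation), and it cannot evaluate CLIENT.SSLVPN.IS_SSLVPN because an access log carries no session flag, so requests that touch /vpns/ without a traversal sequence are marked for review rather than as definite hits.

```python
import re
from urllib.parse import unquote

# Request line of a combined/common access-log entry: method, path, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+"')

# Constructed sample lines for illustration; not taken from any real appliance.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2020:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 512',
    '203.0.113.11 - - [10/Jan/2020:10:00:02 +0000] "GET /vpns/some/page.html HTTP/1.1" 200 64',
    '203.0.113.12 - - [10/Jan/2020:10:00:03 +0000] "POST /vpn/../vpns/some/page.html HTTP/1.1" 200 128',
    '203.0.113.13 - - [10/Jan/2020:10:00:04 +0000] "GET /vpn/%2e%2e/vpns/some/page.html HTTP/1.1" 200 128',
    '203.0.113.14 - - [10/Jan/2020:10:00:05 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048',
]


def decode_path(raw: str) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    encoded or double-encoded dots and slashes are compared the way the
    responder policy compares the decoded URL. Approximation of
    DECODE_USING_TEXT_MODE, assumed here rather than taken from Citrix docs."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify(path: str) -> str:
    """Map one request path onto the policy's conditions.

    'block'  : /vpns/ and /../ both present; the policy rejects this regardless
               of session state.
    'review' : /vpns/ present without traversal; the policy rejects this only
               when the client has no SSL VPN session, which a log line cannot
               tell us, so a human should check it.
    'ok'     : the path never touches /vpns/.
    """
    decoded = decode_path(path)
    if "/vpns/" not in decoded:
        return "ok"
    if "/../" in decoded:
        return "block"
    return "review"


def scan_log(lines):
    """Return (verdict, method, raw_path) for every non-'ok' request line."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-request line, skip
        verdict = classify(match.group("path"))
        if verdict != "ok":
            findings.append((verdict, match.group("method"), match.group("path")))
    return findings


if __name__ == "__main__":
    for verdict, method, path in scan_log(SAMPLE_LOG):
        print(f"{verdict:6} {method} {path}")
```

Run against the sample, the two traversal requests (raw and percent-encoded) come back as `block`, the plain /vpns/ request as `review`, and the ordinary portal pages are ignored. The decode step matters: a check on the raw path alone would miss the `%2e%2e` variant that the policy's DECODE_USING_TEXT_MODE clause is there to catch.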

Looking into this Perl code, I quickly remembered how much I hate doing anything with Perl, but before long, I spotted a file path being constructed from a request header without sanitization. I could now write a ‘.xml’ file with limited user-controlled content in any location the web server process can write. Despite