lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20071126020603.1015.qmail@securityfocus.com>
Date: 26 Nov 2007 02:06:03 -0000
From: nnposter@...closed.not
To: bugtraq@...urityfocus.com
Subject: Citrix NetScaler Web Management Cookie Weakness

Citrix NetScaler Web Management Cookie Weakness


Product: Citrix NetScaler
http://www.citrix.com/lang/English/ps2/index.asp


Background:
For most web application logins a user fills out an HTTP form, which sets up the user with a session cookie. The cookie content is merely a session ID, which allows the server-side application to match incoming requests to a specific user and session. If the cookie gets compromised, such as using XSS, the attacker might be able to impersonate the user for the duration of the session but it typically does not allow the attacker to obtain the user's login credentials.


Vulnerability:
The web management interface of Citrix NetScaler stores the user's credentials in an encrypted form in the cookie, namely values ns1 and ns2. In addition the cookie contains other encrypted information in values ns3, ns4, and ns5. Since the encryption is a simple XOR with a fixed key stream it is possible to determine parts of the key stream by XOR'ing a known plaintext with its corresponding ciphertext. This in turn allows the attacker to recover the plaintext form of the user's credentials by applying the key stream to cookie values ns1 and ns2. Furthermore, the cipher does not in any way pad the plaintext before it gets encrypted so the length of the ciphertext is equal to the length of the plaintext, which also provides a clue about the plaintext.

There are several approaches to obtain the ciphertext for some known plaintext:

* Log into the management console with the attacker's own credentials (if the attacker is a configured user, even with minimal privileges) and analyze his own cookie.
* Make an educated guess about the username contained in ns1. (As an example, the default root user on NetScaler is "nsroot".)
* Make an educated guess about the device hostname or IP address, which is contained in ns3. (As an example, the "main" IP address is stored unencrypted in cookie value "domain". This is a minor vulnerability all by itself.)
* Use cookie value ns4, which is an encrypted value of "NS".
* Use cookie value ns5, which is an encrypted value of either "true" or "false".


The vulnerability has been identified in version 8.0, build 47.8.
However, other versions may be also affected.


Solution:
Do not stay logged into the NetScaler web management interface while browsing other web sites to avoid cookie theft via XSS, such as CVE-2007-6037.


Found by:
nnposter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ