Software Engineering Institute

Citrix has published a security bulletin that mentions a vulnerability that can be exploited to achieve arbitrary code execution by a remote, unauthenticated attacker. Although the bulletin does not describe details about the vulnerability, the mitigation steps describe techniques to block the handling of requests that contain a directory traversal attempt (/../) and also requests that attempt to access the /vpns/ directory.

Limited testing has shown that the affected Citrix software fails to restrict access to perl scripts that are available via the /vpns/ path. An unauthenticated remote attacker may be able to provide crafted content to these scripts that result in arbitrary code execution. One technique that has been outlined involves the writing of an XML file using a directory traversal and the subsequent command execution by way of the Perl Template Toolkit. Other exploitation techniques may be possible.

A link of the following form can be used to determine if a system is affected:
https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf

For example, the following curl command can be used:
curl https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf --path-as-is -k -f

The " CITRIXGATEWAY " string should be replaced with the name or IP of the system you wish to test. If retrieving the link results in a 403 Forbidden error, then the mitigations outlined below have likely been applied. However, if retrieving the link results in the contents of a smb.conf file, then the system is vulnerable.

By exploiting this vulnerability, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.

Apply an update

Citrix has released updates in Security Bulletin CTX267027. The updated software is designed to prevent unauthenticated attackers from accessing certain web server features. If updates are unavailable for your platform, or if you are otherwise unable to apply updates, please consider the following workarounds:

Block the handling of specially-crafted requests

Citrix article CTX267679 contains several mitigation options for this vulnerability, depending on what type of product installation is used. For example, on a stand-alone system, the following commands are reported to mitigate this vulnerability:

nable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\\r\
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot