Advisory

Lack of authentication in Citrix XenMobile allows low-privileged local users to execute system commands as root

Overview

Users who can make network requests from localhost can run commands as root, including creating new Unix users and changing passwords. These users can also log in with high privileges on the web interface.

Proof of concept

On the XenMobile server, there is a Tomcat server running as root on ports 8000, 30000 and 30001. These ports are only available within the local machine. It is part of the XenMobile application, and appears to be a backing service used by the application to run privileged commands on the system.

While there is authentication around this service, it is not enforced if requests are made from localhost. As described in other findings, there are several vulnerabilities that allow an unauthenticated user to make requests from the XenMobile server (that is, localhost).

This Tomcat server allows callers to execute a variety of commands that should not be available to unauthenticated users. For example:

  • Change the administrator password (/admin_user/cli/reset_password)
  • Create a new administrator (/admin_user/ui/create1)
  • Decrypt passwords (/sftu/crypto/dec)
  • Drop firewall rules (/firewall/iptables_stop)
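The flaw described above is a policy flaw rather than a bug in any one endpoint: the caller's source address is treated as a credential. The following is an added illustration, not XenMobile's code or Citrix's, that models the weak policy beside a hardened one. The Request shape, the token store and the use of the four advisory endpoints as the "privileged" set are assumptions made for the demonstration.

```python
"""Added example (not XenMobile's code): why "skip authentication for
localhost" is not a safe policy for a privileged command service.

weak_authorize models the behaviour the advisory describes: credentials are
not checked when the connection comes from loopback.  hardened_authorize
checks credentials for every caller and keeps the loopback restriction only
as an additional network control.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import ipaddress

# Endpoints named in the advisory, used here as the privileged set (assumption).
PRIVILEGED_PATHS = {
    "/admin_user/cli/reset_password",
    "/admin_user/ui/create1",
    "/sftu/crypto/dec",
    "/firewall/iptables_stop",
}

# Constructed credential store: only digests of tokens are kept, never tokens.
_VALID_TOKEN_DIGESTS = {
    hashlib.sha256(b"example-admin-token").hexdigest(),
}


@dataclass(frozen=True)
class Request:
    source_ip: str          # address the TCP connection arrived from
    path: str               # requested URL path
    token: Optional[str]    # bearer credential presented, if any


def _token_is_valid(token: Optional[str]) -> bool:
    """Constant-time comparison of the presented token's digest."""
    if not token:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    return any(hmac.compare_digest(digest, d) for d in _VALID_TOKEN_DIGESTS)


def weak_authorize(req: Request) -> bool:
    """Policy as the advisory describes it: a loopback caller is trusted
    unconditionally.  Any local process, or any flaw elsewhere that lets an
    outsider make the server send a request to itself, reaches privileged
    commands without credentials."""
    if req.path not in PRIVILEGED_PATHS:
        return True
    if ipaddress.ip_address(req.source_ip).is_loopback:
        return True   # the flaw: source address stands in for authentication
    return _token_is_valid(req.token)


def hardened_authorize(req: Request) -> bool:
    """Credentials are required from every caller.  The loopback check is
    retained as defence in depth, but it never replaces authentication."""
    if req.path not in PRIVILEGED_PATHS:
        return True
    if not ipaddress.ip_address(req.source_ip).is_loopback:
        return False  # the existing network restriction still applies
    return _token_is_valid(req.token)


if __name__ == "__main__":
    r = Request("127.0.0.1", "/admin_user/cli/reset_password", None)
    print("weak policy, loopback, no credential:    ", weak_authorize(r))
    print("hardened policy, loopback, no credential:", hardened_authorize(r))
```

The hardened form still refuses non-loopback callers, matching the firewall restriction Citrix relies on, but a loopback request without a valid token is now rejected, which is what closes the gap the advisory describes.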

Mitigation/further actions

Citrix have acknowledged this issue but have not addressed it on the basis that it is already mitigated:

"[This issue is] already mitigated by the internal firewall that limits access to configuration services to localhost. Because these are already mitigated, we did not list them in the Citrix security bulletin."

We acknowledge that the firewall does prevent this issue from being exploited externally. However, the issue nonetheless exists, leaving the service vulnerable to local attack, and potentially to remote attack if another vulnerability is found that allows the firewall to be circumvented.

As such, we still consider the issue relevant.
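Because the only control in place is a network restriction, an operator has no record of whether the privileged endpoints are being invoked at all. The following is an added example, not part of the advisory and not Citrix tooling, that flags requests to those endpoints in Tomcat-style access log lines regardless of source address, so that both local callers and any caller who has got past the firewall show up. The Common Log Format layout and the sample lines are constructed for the demonstration; a real deployment would point this at the actual access log of the backing service.

```python
"""Added example (not from the advisory): detect requests to the privileged
endpoints in access log lines, whatever their source address.

The log layout assumed is Common Log Format, as Tomcat's AccessLogValve can
emit it.  SAMPLE_LOG is constructed for the demonstration.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Endpoints named in the advisory (assumed to be the set worth alerting on).
PRIVILEGED_PREFIXES = (
    "/admin_user/cli/reset_password",
    "/admin_user/ui/create1",
    "/sftu/crypto/dec",
    "/firewall/iptables_stop",
)

# Example shape: 127.0.0.1 - - [28/Mar/2018:10:15:02 +0000] "POST /p HTTP/1.1" 200 17
_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one CLF line; return None for lines that do not match."""
    m = _LINE.match(line)
    return m.groupdict() if m else None


def _is_privileged(path: str) -> bool:
    path = path.split("?", 1)[0]          # ignore the query string
    return any(path == p or path.startswith(p + "/") for p in PRIVILEGED_PREFIXES)


def find_privileged_requests(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per request that hit a privileged endpoint.

    Loopback and non-loopback callers are both reported: under the policy the
    advisory describes, a loopback hit is already a credential-free command,
    and a non-loopback hit means the network restriction has failed."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not _is_privileged(rec["path"]):
            continue
        try:
            loopback = ipaddress.ip_address(rec["ip"]).is_loopback
        except ValueError:
            loopback = False
        hits.append({
            "timestamp": rec["ts"],
            "source_ip": rec["ip"],
            "source_is_loopback": loopback,
            "method": rec["method"],
            "path": rec["path"].split("?", 1)[0],
            "status": int(rec["status"]),
        })
    return hits


# Constructed sample log lines; not taken from any real system.
SAMPLE_LOG = [
    '127.0.0.1 - - [28/Mar/2018:10:15:02 +0000] "POST /admin_user/cli/reset_password HTTP/1.1" 200 17',
    '127.0.0.1 - - [28/Mar/2018:10:15:03 +0000] "GET /status HTTP/1.1" 200 512',
    '127.0.0.1 - - [28/Mar/2018:10:15:09 +0000] "POST /admin_user/ui/create1?role=admin HTTP/1.1" 200 44',
    '10.0.0.5 - - [28/Mar/2018:10:16:40 +0000] "POST /firewall/iptables_stop HTTP/1.1" 200 0',
    'this line is not in the expected format',
]


if __name__ == "__main__":
    for hit in find_privileged_requests(SAMPLE_LOG):
        origin = "loopback" if hit["source_is_loopback"] else "REMOTE"
        print(f'{hit["timestamp"]} {hit["source_ip"]:<12} {origin:<8} '
              f'{hit["method"]} {hit["path"]} -> {hit["status"]}')
```

A successful (200) hit from a non-loopback address is the case worth paging on, since it means the localhost-only restriction Citrix describes as the mitigation is no longer holding; loopback hits are the baseline that should be reconciled against legitimate administrative activity.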

Advisory timeline

  1. 2018-03-28 – Reported to Citrix and acknowledged immediately
  2. 2018-05-21 – Citrix report that they do not consider this issue to be a vulnerability

CVSS

Base score: 8.4
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Metadata

  • Severity
    High (base score 8.4)
  • Discovered by
    Glyn Wintle
  • Advisory ID
    dxw-2018-3575
  • CVE
    CVE-2018-18014
  • Component/package
    xenmobile
  • Version
    10.6 to 10.8.0
  • Published
    2018-03-26