Fingerprinting: NetScaler Gateway version information leak

Recently I wanted to know the running version of a remote NetScaler Gateway, but I had no admin login or any other access to the appliance. Since NetScaler is a widely used security product, there should be no way to identify its version from the outside. It turned out there is a very simple way.

Anyone with a user login to a NetScaler can download the NetScaler Gateway plugin, and installing it reveals the exact version of the NetScaler build. A security analyst or an attacker usually does not have a login to the remote system, so that option does not work for them.

But NetScaler Gateway can run endpoint analysis (EPA) to check for certain services or files on the client computer, and this can be configured to run before the user logs in. "Before the user logs in" also means that the endpoint analysis client must be downloadable by users who have not supplied any credentials yet.

That is the weak point. By forceful browsing we can download the endpoint analysis client without authenticating and check its version, and that version matches the exact build of the NetScaler.

All you need is the base URL of the NetScaler Gateway portal; to download the EPA client, append "/epa/scripts/win/nsepa_setup.exe" to it.


Using 7-Zip you can extract the files without installing anything: open nsepa_setup.exe in 7-Zip, select nsepa.msi and press Ctrl+PgDn to open the MSI in place.


Now extract nsepa.exe and check its file properties. The file version matches the exact remote NetScaler build.


This should not be possible, because it gives an attacker a good starting point for looking up known vulnerabilities in that specific NetScaler build.

If you do not need the EPA scan at all, you can disable the download with a responder policy: use the expression HTTP.REQ.URL.ENDSWITH("/nsepa_setup.exe"), bind the policy to the NetScaler Gateway virtual server and select DROP or RESET as the action. You have to cover the x64 binary (nsepa_setup64.exe) as well, either with a second policy or by combining both checks in one expression with ||. Afterwards, request both URLs anonymously once more and confirm that the connection is dropped or reset instead of the file being served.
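The following script is an added example and is not code from the original post or from Citrix. It covers both the fingerprinting steps above (download the EPA client anonymously, read the file version out of it) and the check of the mitigation (probe both installer URLs again and see whether the gateway still serves the file). The 32-bit path is the one given in the post; the x64 binary is assumed to live in the same directory. Instead of reading the version from the file properties dialog, it scans the PE file for VS_FIXEDFILEINFO blocks and decodes dwFileVersionMS/dwFileVersionLS. The hostname gateway.example.com is a placeholder and SAMPLE_PE is a constructed stub, not a real NetScaler binary.

```python
# Added example (not from the original post or from Citrix): probe a NetScaler
# Gateway for the unauthenticated EPA client download and read the build
# version out of the downloaded PE file. Hostname and sample bytes are made up.
import struct
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# The 32-bit path is the one given in the post. The post names the x64 binary
# (nsepa_setup64.exe) but not its path; the same directory is assumed here.
EPA_PATHS = (
    "/epa/scripts/win/nsepa_setup.exe",
    "/epa/scripts/win/nsepa_setup64.exe",
)

# On-disk little-endian form of the VS_FIXEDFILEINFO dwSignature (0xFEEF04BD).
VS_FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)

FetchResult = Tuple[Optional[int], bytes, Optional[Exception]]


def epa_urls(base_url: str) -> List[str]:
    """Build the forceful-browsing URLs from the portal base URL."""
    base = base_url.rstrip("/")
    return [base + path for path in EPA_PATHS]


def pe_file_versions(data: bytes) -> List[Tuple[int, int, int, int]]:
    """Return every file version (major, minor, build, revision) in a PE image.

    Scans for the VS_FIXEDFILEINFO signature and decodes the dwFileVersionMS /
    dwFileVersionLS fields that follow it, so it works on nsepa.exe pulled out
    of nsepa.msi as well as on the installer itself. A self-extracting installer
    may carry its own version block, so all hits are returned, not just the first.
    """
    versions = []
    pos = data.find(VS_FIXEDFILEINFO_SIG)
    while pos != -1 and pos + 16 <= len(data):
        _sig, _struc_ver, ms, ls = struct.unpack_from("<IIII", data, pos)
        versions.append((ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF))
        pos = data.find(VS_FIXEDFILEINFO_SIG, pos + 4)
    return versions


def format_version(v: Tuple[int, int, int, int]) -> str:
    return ".".join(str(part) for part in v)


def fetch(url: str, timeout: float = 15.0) -> FetchResult:
    """GET the URL without any credentials. Returns (status, body, error)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(), None
    except urllib.error.HTTPError as exc:  # HTTP answer, just not 200
        return exc.code, b"", None
    except OSError as exc:                 # no HTTP answer at all
        return None, b"", exc


def classify(status: Optional[int]) -> str:
    """200 -> file served anonymously, build is fingerprintable.
    None -> no HTTP answer: connection dropped/reset, as a responder policy with
            DROP or RESET produces (network/TLS failures look the same, so
            confirm on the appliance).  other -> gateway sent an HTTP error."""
    if status == 200:
        return "exposed"
    if status is None:
        return "blocked"
    return f"refused (HTTP {status})"


def probe(base_url: str,
          fetcher: Callable[[str], FetchResult] = fetch) -> Dict[str, Tuple[str, List[str]]]:
    """Probe both EPA URLs; map each to (verdict, versions found in the body)."""
    results = {}
    for url in epa_urls(base_url):
        status, body, _err = fetcher(url)
        versions = [format_version(v) for v in pe_file_versions(body)] if status == 200 else []
        results[url] = (classify(status), versions)
    return results


# Constructed sample: an MZ header plus one VS_FIXEDFILEINFO block claiming
# file version 1.2.3.4. Not a real NetScaler binary.
SAMPLE_PE = (
    b"MZ" + b"\x00" * 62
    + struct.pack("<IIII", 0xFEEF04BD, 0x00010000, (1 << 16) | 2, (3 << 16) | 4)
    + b"\x00" * 16
)


def fake_fetch(url: str, timeout: float = 0) -> FetchResult:
    """Offline stand-in for fetch(): x86 installer exposed, x64 one reset."""
    if url.endswith("/nsepa_setup.exe"):
        return 200, SAMPLE_PE, None
    return None, b"", ConnectionResetError("connection reset by peer")


if __name__ == "__main__":
    # Live run:  python nsepa_probe.py https://gateway.example.com   (placeholder host)
    # No argument: run against the constructed sample instead of a real gateway.
    report = probe(sys.argv[1]) if len(sys.argv) > 1 else probe("https://gateway.example.com", fetcher=fake_fetch)
    for url, (verdict, versions) in report.items():
        print(f"{verdict:<20} {url}" + (f"  versions: {', '.join(versions)}" if versions else ""))
```

On a real download, run pe_file_versions() over nsepa.exe extracted from the MSI as described above rather than over the installer, since the self-extractor stub may carry a version block of its own. When checking the responder policy, DROP leaves the client waiting until the timeout expires while RESET fails immediately; both end up as "blocked" here, so a quick RESET makes the re-test noticeably faster.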

Follow-up: I informed Citrix Security about this issue and they responded:

The behaviour that you have identified is normal for the current implementations of NetScaler Gateway. We understand that this behaviour may provide a remote user with the ability to determine the appliance firmware version and we are currently considering enhancements to change this behaviour in a future version of the product. In the meantime, it is possible to configure a policy, such as the one you reference in your blog posting, that will prevent the unauthorised download of this binary.

3 Comments

  1. Great article! Thank you very much. I tried configuring the responder policy using HTTP.REQ.URL.ENDSWITH("/nsvpnc_setup.exe") but it did not work for me. Using HTTP.REQ.URL.ENDSWITH("/nsepa_setup.exe") || HTTP.REQ.URL.ENDSWITH("/nsepa_setup64.exe") does. I hope Citrix fixes this flaw.
