{"id":114,"date":"2015-05-30T15:50:29","date_gmt":"2015-05-30T14:50:29","guid":{"rendered":"http:\/\/kolbi.cz\/blog\/?p=114"},"modified":"2017-12-15T17:05:44","modified_gmt":"2017-12-15T16:05:44","slug":"netscaler-endpoint-analyse-epa-pre-authentication-bypassing","status":"publish","type":"post","link":"https:\/\/kolbi.cz\/blog\/2015\/05\/30\/netscaler-endpoint-analyse-epa-pre-authentication-bypassing\/","title":{"rendered":"Netscaler Endpoint Analyse (EPA) Pre-Authentication bypassing!"},"content":{"rendered":"<p><strong>UPDATE:<\/strong> <em>bypassing the EPA scan with this method is only possible when using the Netscaler default settings. read the update at the end of this article, which explains\u00a0how to enable encryption for the client security expressions.<\/em><\/p>\n<p>Citrix Netscaler Gateway offers the ability to scan client computers and check\u00a0certain requirements. these include\u00a0operating system, ports, registry, antivirus, files and a many more items.<\/p>\n<p>these scans can take place even before a user logs in and we can control who actually is able to\u00a0see the login page\u00a0at all.\u00a0if a\u00a0scan fails, the user gets redirected to an error page and can then run the scan again. with this feature, we can check if a computer is a business device or a home computer and for example block all private devices.<\/p>\n<p>first i need to say that remote client security is very difficult to control, because an administrator of a machine can virtually do anything he wants. this includes debugging of running code, analyzing and manipulating network packets and intercepting http requests. an endpoint analyse software can therefore be analyzed, monitored, modified and tricked to send back wrong results.<\/p>\n<p>just out of curiosity i have analyzed the Netscaler EPA scan and tried to bypass it. this turned out to be very easy and im somewhat surprised, that it is\u00a0implemented in such a\u00a0weak way. actually i have found a very simple\u00a0backdoor and also some unwanted information leaking &#8211; an attacker can easy find out, which components must be present on an\u00a0endpoint to pass the scan.<\/p>\n<p>just for proof of concept, i have also used <a href=\"https:\/\/technet.microsoft.com\/de-ch\/sysinternals\/bb896645.aspx\" target=\"_blank\" rel=\"noopener\">sysinternals procmon<\/a> and i was able to find the registry and filechecks pretty easy &#8211; this is why i said, client security is difficult to control &#8211; these checks cant be really hidden on the endpoint and will\u00a0always be revealed rather\u00a0quickly.<\/p>\n<p>but even if a company decides to add 100 checks for files, antivirus, registry keys, domain membership etc, etc &#8211; my\u00a0discovered backdoor will allow a quick access to the login page and tricks\u00a0the EPA scan.<\/p>\n<p>first, let me explain how the EPA scan in detail works:<\/p>\n<p><a href=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_scan.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-116 size-large\" src=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_scan-1024x673.jpg\" alt=\"epa_scan\" width=\"1024\" height=\"673\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_scan-1024x673.jpg 1024w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_scan-300x197.jpg 300w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_scan-1170x769.jpg 1170w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_scan.jpg 1214w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>i discovered this by using <a href=\"https:\/\/www.owasp.org\/index.php\/OWASP_Zed_Attack_Proxy_Project\" target=\"_blank\" rel=\"noopener\">OWASP ZAP Proxy<\/a>\u00a0while\u00a0analyzing the http requests. by doing so, i have found\u00a0something\u00a0very\u00a0interesting. when the epa client connects to the \/epaq to load the items for local execution, the configuration is transfered <strong>IN CLEARTEXT<\/strong>!!! this means, we can very quickly find out, which items the EPA scan actually checks on the endpoint. <strong>but\u00a0this is information, that an attacker shouldnt get that easy!<\/strong> check here the screenshot from ZAP:<\/p>\n<p><a href=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/zap_config.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-117 size-full\" src=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/zap_config.jpg\" alt=\"zap_config\" width=\"538\" height=\"175\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/zap_config.jpg 538w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/zap_config-300x98.jpg 300w\" sizes=\"auto, (max-width: 538px) 100vw, 538px\" \/><\/a><\/p>\n<p>this is exactly what i have configured in my netscaler EPA Pre-authentication policy! a domain check for &#8220;mydomain.local&#8221; and the file &#8220;c:\\securefile.bin&#8221; &#8211; ouch! sure, the connection from the client to the Netscaler is SSL protected, but with a local proxy, we can intercept this traffic and analyze it.<\/p>\n<p>but it gets actually even worse &#8211; after that checks, the EPA client sends the result back to the Netscaler &#8211; and by results i mean <strong>just a result code<\/strong>!<\/p>\n<p><a href=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_code.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-118 size-full\" src=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_code.jpg\" alt=\"epa_code\" width=\"524\" height=\"158\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_code.jpg 524w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_code-300x90.jpg 300w\" sizes=\"auto, (max-width: 524px) 100vw, 524px\" \/><\/a><\/p>\n<p>i analyzed a successful EPA scan and the\u00a0code just changed to 00 &#8211; now guess what we can do here? yeah&#8230; with ZAP we can set a breakpoint on the \/epas url and then simply change the resultcode &#8211; <strong>this will completely override\u00a0the EPA scan result and we can get the login page with a non compliant machine!<\/strong><\/p>\n<p>the question is, can we even trick the EPA scan <em>without<\/em> ZAP? yes we can &#8211; with a simple Firefox addon called <a href=\"https:\/\/addons.mozilla.org\/de\/firefox\/addon\/modify-headers\/\" target=\"_blank\" rel=\"noopener\">Modify Headers<\/a>!<\/p>\n<p><a href=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/modifyheaders.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-119 size-full\" src=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/modifyheaders.jpg\" alt=\"modifyheaders\" width=\"755\" height=\"226\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/modifyheaders.jpg 755w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/modifyheaders-300x90.jpg 300w\" sizes=\"auto, (max-width: 755px) 100vw, 755px\" \/><\/a><\/p>\n<p>just install the addon in firefox and add the custom header &#8220;CSEC&#8221; with the value &#8220;00&#8221; to it. now\u00a0we can recreate\u00a0the process\u00a0explained on\u00a0first image with our browser &#8211; but because it needs the cookies that Netscaler sends in the first request, we cannot simply surf to the \/vpn page directly. here is how you can do it,\u00a0if you dont want to use ZAP &#8211; just dont forget the Modify Header plugin and to set\u00a0&#8220;CSEC=00&#8221;.<\/p>\n<ol>\n<li>open the root page from the Netscaler Gateway and let it redirect to \/epa\/epa.html<\/li>\n<li>the EPA client will launch\u00a0&#8211; dont close it!<\/li>\n<li>now surf to the same site but change the url to \/epatype &#8211; it will display &#8220;Epa:on;deviceCert:off;&#8221;<\/li>\n<li>change the url manually again to \/epaq &#8211; an empty page will appear.<\/li>\n<li>put \/epas in your browser and it will display &#8220;10&#8221;<\/li>\n<li>now surf to the main site or add \/vpn\/index.html to the location bar<\/li>\n<li>done. you are able login with your credentials now, even if the computer didnt pass the EPA scan!<\/li>\n<\/ol>\n<p><strong>it does not really matter, what the EPA client scans on the machine &#8211; the custom header must match &#8220;00&#8221; and all is fine! not so good \ud83d\ude41<\/strong><\/p>\n<p>how could this be improved then?<\/p>\n<ul>\n<li>the Netscaler should at least check, from which client the requests are sent (User-Agent, <a href=\"http:\/\/en.wikipedia.org\/wiki\/Cryptographic_nonce\" target=\"_blank\" rel=\"noopener\">nonce<\/a>)<\/li>\n<li>configuration should be encrypted and not clearly visible in the http traffic (DH Key Exchange, proper Crypto)<\/li>\n<li>result code should be something unguessable or use encryption to\u00a0protect it<\/li>\n<li>the EPA\u00a0client could also check for procmon and other reverse engineering tools<\/li>\n<\/ul>\n<p>i did not yet analyze how the EPA scan works when using it in a session policy. some items can be configured to be checked with\u00a0a time interval &#8211; im not sure, if this can be tricked too &#8211; but for the pre-authentication policy this doesnt really matter.<\/p>\n<p><strong>the best solution for EPA and pre-authentication is definitely to use\u00a0<a href=\"http:\/\/support.citrix.com\/article\/CTX200290\" target=\"_blank\" rel=\"noopener\">client certificates<\/a> &#8211; i was not able to trick EPA when i had configured a client certificate check!<\/strong><\/p>\n<p>i have informed Citrix Security about this issue and the answer is pending &#8211; as soon ive get\u00a0a statement, ill post it here.<\/p>\n<hr style=\"height: 1px; border: none; color: #000; background-color: #000;\" \/>\n<p><strong>UPDATE 31.05.2015<\/strong>:<\/p>\n<p>i did analyze the nsepa.exe to see if its possible to patch it and <em>it is<\/em> actually possible!\u00a0with a hex editor its easy\u00a0to look for &#8220;CSEC %s&#8221; and replace the &#8220;%s &#8221; with &#8220;00&#8221; and the EPA scan will always pass. this means, there is no integrity checking and no encryption or obfuscation in the binary itself. this is a dirty patch and might corrupt the stack, but its the most easy way and the nsepa.exe is terminated after the scan anyway.<\/p>\n<p><a href=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/nsepa_patch.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-139 size-full\" src=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/nsepa_patch.jpg\" alt=\"nsepa_patch\" width=\"818\" height=\"350\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/nsepa_patch.jpg 818w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/nsepa_patch-300x128.jpg 300w\" sizes=\"auto, (max-width: 818px) 100vw, 818px\" \/><\/a><\/p>\n<p>but now comes a good message! looking at this binary reveals some interesting strings &#8220;Encryption of CSEC result failed&#8221; &#8211; hey this is exactly what we want in this scenario &#8211; an encrypted CSEC value, but where can we configure that?<\/p>\n<p>i have found this little checkbox in the global settings under security of the Netscaler Gateway:<\/p>\n<p><a href=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_secure.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-140 size-full\" src=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_secure.jpg\" alt=\"epa_secure\" width=\"582\" height=\"228\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_secure.jpg 582w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/epa_secure-300x118.jpg 300w\" sizes=\"auto, (max-width: 582px) 100vw, 582px\" \/><\/a><\/p>\n<p>this setting is <em>disabled<\/em> by default, but it should actually be enabled on every Netscaler that uses EPA. this does exactly what it should have been done from\u00a0the beginning: it encrypts the CSEC values and even the result code.<\/p>\n<p><a href=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/encrypted_epa.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-141 size-full\" src=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/encrypted_epa.jpg\" alt=\"encrypted_epa\" width=\"812\" height=\"157\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/encrypted_epa.jpg 812w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/encrypted_epa-300x58.jpg 300w\" sizes=\"auto, (max-width: 812px) 100vw, 812px\" \/><\/a><\/p>\n<p>now its not possible anymore to see what the EPA client scans and also the result code is not visible anymore. i even tried to resend the same encrypted result code in a new session, but this didnt work. the encryption is based on RSA and AES &#8211; i did not analyze this in detail (yet) and cant tell if its secure, but it will stop an easy attack!<\/p>\n<p>for some reason this setting is not documented very well &#8211; if you google &#8220;Client Security Encryption&#8221; and Netscaler, you wont find that easy what this setting really does. the popup in the Netscaler GUI states &#8220;Enable encryption of client security expressions&#8221; and googling this gives only a few hits where only two are from citrix. you can set this checkbox with &#8220;set vpn parameter&#8221; on the command line:<\/p>\n<p><strong>encryptCsecExp<\/strong><\/p>\n<p class=\"p\">Enable encryption of client security expressions.<br \/>\nPossible values: ENABLED, DISABLED<br \/>\nDefault value: VPN_SESS_ACT_DISABLED<\/p>\n<p class=\"p\"><strong>conclusion:<\/strong> it turned out, that Netscaler has the correct security already built in, but its not enabled by default. i suspect, that most installations with EPA scans dont have this setting enabled and the therefore it can easy be bypassed. in my opinion, citrix should\u00a0enable this feature by default for every Netscaler. i for sure will in the future \ud83d\ude42<\/p>\n<p class=\"p\">if you scan for registry keys or files, try to hide them as good as possible. dont use keys like HKLM\\SOFTWARE\\MyCompany and dont check for obvious filenames either. as i said earlier, with a procmon an attacker can find these values rather easy, but if you check for something like\u00a0HKEY_CLASSES_ROOT\\CLSID\\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA}\\InprocServer32 its not so easy to locate, because the nsepa.exe queries a lot registry keys itself already.<\/p>\n<p class=\"p\">the nsepa.exe itself does still not contain additional security and can be modified and\u00a0debugged.\u00a0here is a PoC patch (with\u00a0<a href=\"http:\/\/www.hiew.ru\/\" target=\"_blank\" rel=\"noopener\">hackers view<\/a>) that will change the nsepa.exe and\u00a0set the result code\u00a0to &#8220;0&#8221; <em>before<\/em> it gets encrypted. this will override\u00a0all EPA scans\u00a0(Version 10.5.57.7).<\/p>\n<p class=\"p\"><a href=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/hiew_nsepa.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-142 size-full\" src=\"http:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/hiew_nsepa.png\" alt=\"hiew_nsepa\" width=\"660\" height=\"342\" srcset=\"https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/hiew_nsepa.png 660w, https:\/\/kolbi.cz\/blog\/wp-content\/uploads\/2015\/05\/hiew_nsepa-300x155.png 300w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/a><\/p>\n<p class=\"p\">you can download the patched nsepa.exe (10.5.57.7)\u00a0<a href=\"http:\/\/www.kolbi.cz\/nsepa.zip\" target=\"_blank\" rel=\"noopener\">here<\/a>. just replace it with your local one at &#8220;C:\\Program Files\\Citrix\\Secure Access Client&#8221; and it will pass any EPA scan &#8211; even if the Client Security Encryption is turned on.<\/p>\n<p class=\"p\">as stated in the beginning &#8211; client security is not easy to achive, but for sure there are ways to make it better. i actually like to see some additional protection in the nsepa.exe\u00a0and the\u00a0encryptCsecExp should set be to <em>enabled<\/em> in future Netscaler versions. also the EPA scan should\u00a0better submit something more secure than just a result code &#8211; this is too easy to manipulate.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>UPDATE: bypassing the EPA scan with this method is only possible when using the Netscaler default settings. read the update at the end of this <a class=\"mh-excerpt-more\" href=\"https:\/\/kolbi.cz\/blog\/2015\/05\/30\/netscaler-endpoint-analyse-epa-pre-authentication-bypassing\/\" title=\"Netscaler Endpoint Analyse (EPA) Pre-Authentication bypassing!\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":116,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,9,14],"tags":[],"class_list":["post-114","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-citrix","category-netscaler","category-security"],"_links":{"self":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts\/114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/comments?post=114"}],"version-history":[{"count":35,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts\/114\/revisions"}],"predecessor-version":[{"id":466,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts\/114\/revisions\/466"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/media\/116"}],"wp:attachment":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/media?parent=114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/categories?post=114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/tags?post=114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}