Hacking nsroot

H

last update: November 18th 2019

Hacking nsroot on a NetScaler with default settings is completely easy!
I missed this one in Neil Spelling’s excellent blog about penetration testing NetScalers.

What do you need to hack a NetScaler if you forgot your nsroot password? An external authentication source.

My 1st idea would be: Use nerecover user. But this dies not work, as it uses the same password as nsroot. So I had to dig a bit deeper.


How does NetScaler authentication work?

Well, NetScaler will use any authentication method configured and will check if the username / password pair fits to any authentication method (in order of bindings, lowest number is the highest priority). The last one will always be local authentication. This is done by aaad, the authentication demon.

You may watch this process by opening BSD shell and type cat /tmp/aaad.debug (see here or  here)

If aaad is able to authenticate a user it will stop and return a message send_accept sending accept to kernel for : administrator

It will also return a set of groups if there are any. Next step, done by NetScaler itself, is the one we use to exploit the process:

NetScaler will try to find any object matching the user or one of it’s group memberships. So NetScaler will assume this user to be the same as a local user, if it is able to find a user with the same name.

So we got it. We open Active Directory and add an user called nsroot. We give it a password of our own choice. And we will be able to log on.

Panic!

How to fix this issue?

well, let’s open nsroot and disable external authentication. I don’t know why external authentication is enabled for this user, and I’d consider this to be a massive security issue

external_authentication

or simply: set system user nsroot -externalAuth Disabled (Danke Marco Zimmermann)

Have fun

Johannes

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He had been borne in Innsbruck, a small city (150.000 inhabitants) in the middle of the most beautiful Austrian mountains (https://www.youtube.com/watch?v=UvdF145Lf2I)

4 comments

By Johannes Norz

Recent Posts

Recent Comments