Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
We rarely talk about memory corruption on our bounty episodes, but this one is a good one to keep in mind. It's a problem with snprintf, the “secure” sprintf function: it lets you specify the maximum number of bytes to write so it won't overflow the target buffer. The primary “gotcha” with snprintf is that, unlike the other printf-family functions, its return value is not the number of bytes written but the number of bytes that would have been written if the buffer had been large enough.
So with that background in mind, we come to Citrix's ns_aaa_oauth_send_openid_config function, which handles requests to the OpenID Connect Discovery endpoint. That endpoint responds with a JSON blob containing the identity provider's (Citrix's) OIDC configuration information: the various endpoints, issuer information and so on. It generates the JSON with a snprintf into a 0x20000-byte buffer and, in order to dynamically determine the right hostname to use in the URLs, reads the Host header from the HTTP request and reflects it back into the configuration JSON. It then passes that buffer, along with the size as reported by snprintf's return value, to be written out in the response body. An attacker who provides a malicious Host header long enough to fill the JSON buffer ends up with a buffer that is only filled to its maximum length (0x20000 bytes), but snprintf still returns the larger value. When the buffer is written out in the response body, that larger value is treated as the size, so the read runs past the end of the buffer into whatever is in adjacent memory. In this case the authors were able to leak session cookies that could then be used to authenticate to the application.