Add 12.1 Targets for CVE-2023-3519 #18264
Conversation
@firefart Does this work for your 12.1 target? Not a blocker to landing this, just a useful datapoint to help with the testing/landing process 👍

sorry, all 12.1 targets in my range are already patched :/ But it looks like Azure Marketplace still has a free 12.1 version available https://azuremarketplace.microsoft.com/en-us/marketplace/apps/citrix.netscalervpx-121?tab=Overview
Not a blocker; it'd be good to backfill the installation notes into the .md file for setting up an environment 👍
Switching to use citrix-fonts.css allows the technique to work for 12.x and 13.x.
Release Notes

Updates the
Is this not applicable to version 12.1.56.22?

@Jmdyy I'm pretty sure it does but I can only add targets for systems I have access to for testing because of how I need to use GDB to determine the necessary values. Adding new targets is a bit more involved due to the nature of the exploit.

I have reviewed some vulnerability exploitation scripts, do they need to be modified for different versions?
This adds two more targets as requested to the exploit for CVE-2023-3519. The added targets are 12.1-65.25 and 12.1-64.17. In both of these cases, my technique to fix up the stack by skipping into the `ns_aaa_cookie_valid` frame was failing. I'm pretty certain that the return value from `ns_aaa_cookie_valid` was not being checked, so when the exploit sets it to NULL, it'd cause a crash later on. To address this, the exploit goes up a frame higher in the stack to `ns_aaa_client_handler`. Unfortunately, this means that no HTTP response is sent to the client. The exploit didn't check it anyways so it's not a big deal.

This also adds automatic targeting based on the `Last-Modified` header of the `logon/fonts/citrix-fonts.css` resource. Each supported target has a different timestamp fingerprint and the exploit can use this value to detect the version and automatically select the correct target.

Verification

List the steps needed to make sure this thing works