Add module for Citrix Bleed (CVE-2023-4966) #18492
return nil unless res.headers['Content-Type'].downcase.start_with?('application/json')

username = nil
res.body.scan(/([0-9a-f]{32,65})/i).each do |cookie|
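Review bot: the first line calls `.downcase` directly on `res.headers['Content-Type']`, so a response without a Content-Type header raises NoMethodError and aborts the check instead of returning nil as the guard intends; coerce first, e.g. `return nil unless res.headers['Content-Type'].to_s.downcase.start_with?('application/json')`.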
Suggested change (original line, then suggested replacement):
res.body.scan(/([0-9a-f]{32,65})/i).each do |cookie|
res.body.scan(/([0-9a-f]{65}|[0-9a-f]{32})/i).each do |cookie|

`{32,65}` means "between 32 and 65 in length". Note that the order is important in my suggestion, since the regex will try to match the first condition (length = 65), and then "length = 32", so that truncation shouldn't happen.
I mean to keep it at "between 32 and 65 in length". That was intentional because there were implications that different versions used different sized cookies but I wasn't clear that it's always either exactly 32 or 65 bytes in length. Ultimately, the cookie's value is tested anyways, so it's unlikely we'd yield false positives. This would just reduce the set that are tested.
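To make the two candidate patterns from this thread concrete, here is an added Ruby example (not code from the PR or the module) that runs both over a constructed buffer standing in for a leaked response body; the token lengths, the sample buffer and the helper names are assumptions made for the demonstration.

```ruby
# Added example, not part of the PR: compare the two scan patterns
# discussed in the review on a constructed stand-in for leaked memory.

# Pattern in the PR as submitted: any hex run between 32 and 65 chars.
RANGE_RE = /([0-9a-f]{32,65})/i
# Pattern proposed in review: exactly 65 chars, otherwise exactly 32 chars.
ALT_RE   = /([0-9a-f]{65}|[0-9a-f]{32})/i

# Constructed sample buffer (assumption): a 65-char token, a 32-char token,
# a 40-char hex run of a length the thread does not expect, and a 70-char
# run of hex-looking noise, separated by non-hex filler.
TOKEN65 = 'a' * 65
TOKEN32 = 'b' * 32
RUN40   = 'c' * 40
RUN70   = 'd' * 70
SAMPLE  = "junk #{TOKEN65} junk #{TOKEN32} junk #{RUN40} junk #{RUN70} end"

# Length of every candidate a pattern extracts, in scan order.
def candidate_lengths(re, body = SAMPLE)
  body.scan(re).map { |m| m.first.length }
end

# Keep only the two lengths the thread treats as real cookie sizes; as the
# PR author notes, surviving values are still verified, never trusted.
def plausible(lengths)
  lengths.select { |len| [32, 65].include?(len) }
end

if __FILE__ == $PROGRAM_NAME
  puts "{32,65}:   #{candidate_lengths(RANGE_RE).inspect}"
  puts "{65}|{32}: #{candidate_lengths(ALT_RE).inspect}"
end
```

The greedy range pattern returns the full 65-char token and the whole 40-char run, while the alternation pattern cuts the 40-char run down to its first 32 characters; both stop at 65 characters inside the 70-char run.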
documentation/modules/auxiliary/scanner/http/citrix_bleed_cve_2023_4966.md
Log servers that are vulnerable but don't leak any cookies
Thanks @zeroSteiner for updating this. Everything looks good to me, this has been tested against live targets and confirmed the user Cookies were retrieved. I'll go ahead and land it.
Release Notes
This adds a scanner module for exploiting CVE-2023-4966 which is a memory leak in Citrix ADC servers. This vulnerability allows a remote, unauthenticated attacker to leak memory by sending a very large HTTP Host header. The leaked memory is then scanned for session cookies which can be hijacked if found.
This adds a module for exploiting CVE-2023-4966 which is a memory leak in Citrix ADC servers that can be used to leak session cookies of authenticated users.
A user needs to be logged in for the vulnerability to be usable to leak a session cookie. While testing my 13.1-48.47 target, with multiple users authenticated it appears that the session cookie that is leaked is consistently the last user that authenticated and not the session cookie of the last request that was received. For that reason, it doesn't make a lot of sense to make multiple attempts to leak cookies in a short time frame as I was originally considering (say 1 request per second over 10 seconds). If the observations are correct, this would only be beneficial and leak multiple cookies if users were logging in within that time period.
Example Output
Closes #18486