Very High
CVE-2023-4966
CVE-2023-4966
Description
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Add Assessment
Technical Analysis
On October 10, 2023, Citrix posted an advisory about a high-risk vulnerability in Citrix ADC, which affects the following versions:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
Assetnote coined this as Citrixbleed when they released their research on it. Basically, it lets you steal session tokens (and other data from memory). It’s been added to KEV based on Citrix’s statement.
The vulnerability itself is subtle, and is due to misusing a C API function (as so many vulns are). The following disassembled code is used as part of the OpenID response:
iVar3 = snprintf(print_temp_rule,0x20000, "{\"issuer\": \"https://%.*s\", \"authorization_endpoint\": \"https://%.*s/oauth/ idp/login\", \"token_endpoint\": \"https://%.*s/oauth/idp/token\", \"jwks_uri\": \"https://%.*s/oauth/idp/certs\", \"response_types_supported\": [\"code\", \"toke n\", \"id_token\"], \"id_token_signing_alg_values_supported\": [\"RS256\"], \"end _session_endpoint\": \"https://%.*s/oauth/idp/logout\", \"frontchannel_logout_sup ported\": true, \"scopes_supported\": [\"openid\", \"ctxs_cc\"], \"claims_support ed\": [\"sub\", \"iss\", \"aud\", \"exp\", \"iat\", \"auth_time\", \"acr\", \"amr \", \"email\", \"given_name\", \"family_name\", \"nickname\"], \"userinfo_endpoin t\": \"https://%.*s/oauth/idp/userinfo\", \"subject_types_supported\": [\"public\"]}" ,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8); authv2_json_resp = 1; iVar3 = ns_vpn_send_response(param_1,0x100040,print_temp_rule,iVar3);
It uses the snprintf() function, which returns the number of bytes the call wants to write to the buffer, not the number of bytes it actually writes to the buffer; from the manpage printf(3):
The functions
snprintf()andvsnprintf()do not write more than size bytes (including the terminating null byte (‘\0’)). If the output was truncated due to this limit, then the return value is the number of characters (excluding the terminating null byte) which would have been written to the final string if enough space had been available. Thus, a return value of size or more means that the output was truncated
That length value – which can be longer than the size of the buffer – is used when sending a reply. That means that if the desired string is more than 0x20000 bytes long, it will respond with memory after the end of the buffer, which includes session tokens.
CVSS V3 Severity and Metrics
General Information
Vendors
- citrix
Products
- netscaler application delivery controller,
- netscaler gateway
Metasploit Modules
References
Exploit
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.
