POC详情: 9dadcf4769652ec76fa49e56141b022f1fa9f2fd

来源
https://github.com/certat/citrix-logchecker
关联漏洞
标题: Citrix Systems NetScaler ADC和NetScaler Gateway 安全漏洞 (CVE-2023-4966)
描述:Citrix Systems Citrix NetScaler Gateway(Citrix Systems Gateway)和Citrix Systems NetScaler ADC都是美国思杰系统(Citrix Systems)公司的产品。Citrix NetScaler Gateway是一套安全的远程接入解决方案。该方案可为管理员提供应用级和数据级管控功能,以实现用户从任何地点远程访问应用和数据。Citrix Systems NetScaler ADC是一个应用程序交付和安全平台。 NetScale
描述
Parse citrix netscaler logs to check for signs of CVE-2023-4966 exploitation
介绍
# citrix-logchecker
Parse citrix netscaler logs to check for signs of CVE-2023-4966 exploitation

Written by Otmar Lendl.

# Usage:

        ./citrix-anomaly.pl [-d] [-v] [-h] [-p file] [-a X] [logfiles]

        This script parse citrix netscale syslog files and looks for session
        reconnects that might be the result of a CVE-2023-4966 exploitation.

        Parameters:

                -d  Debug
                -v  Verbose
                -h  This help
                -a  Set aggregation type. Possible values
                        b (default) simple /24 aggregation
                        a aggregate by ASN
                        p aggregate to routing table prefix
                -p path to a routing table dump. Syntax: "prefix asn" per line

# Requirements

The script needs Net::CIDR and Net::Patricia (you want to use the -p feature) which might not be installed on all Linux servers. On Debian-based systems, use

        sudo apt install libnet-cidr-perl libnet-patricia-perl

to install them.

A file with the global routing table as of 2023-10-27 is included in this repo. It needs to be decompressed.

The logline prefixes can vary between different systems / log daemons. The code now tries to ignore
line prefixes and matches on the Citrix supplied timestamps. (which apparently can vary by locale settings.)

# Background and Algorithm

CVE-2023-4966 leaks session cookies which allows attackers to reconnect to existing Citrix sessions.

This script looks for "SSLVPN LOGIN" and "SSLVPN TCPCONNSTAT" syslog lines (pre-filtering with grep for these lines makes sense) 
and checks which sessions either don't have a matching LOGIN line or change client IP address over its lifetime.

The script uses successful initial logins as sign that a source network is benign. If there are only reconnects from 
a source network, but no initial connects from there, then these reconnects are suspicious. This is not done on a 
pure IP-address basis, there are three aggrgation schemes implemented:

* trival /24
* aggregate to prefix according to the routing table
* aggregate to AS according to the routing table

The latter two algorithms need a file that matches prefixes to ASN. An example is supplied in this repo.
文件快照

 [4.0K]  /data/pocs/9dadcf4769652ec76fa49e56141b022f1fa9f2fd
├── [ 13K]  citrix-anomaly.pl
├── [ 18K]  LICENSE
├── [2.2K]  README.md
└── [3.4M]  v4table.gz

0 directories, 4 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。