
CVE-2023-4966 PoC — Citrix Systems NetScaler ADC and NetScaler Gateway security vulnerability

Source
Associated Vulnerability
Title: Citrix Systems NetScaler ADC and NetScaler Gateway security vulnerability (CVE-2023-4966)
Description: Citrix Systems Citrix NetScaler Gateway (Citrix Systems Gateway) and Citrix Systems NetScaler ADC are both products of the US company Citrix Systems. Citrix NetScaler Gateway is a secure remote access solution that gives administrators application-level and data-level controls so that users can access applications and data remotely from any location. Citrix Systems NetScaler ADC is an application delivery and security platform. NetScale
Description
Parse citrix netscaler logs to check for signs of CVE-2023-4966 exploitation
Readme
# citrix-logchecker
Parse Citrix NetScaler logs to check for signs of CVE-2023-4966 exploitation

Written by Otmar Lendl.

# Usage:

        ./citrix-anomaly.pl [-d] [-v] [-h] [-p file] [-a X] [logfiles]

        This script parses Citrix NetScaler syslog files and looks for session
        reconnects that might be the result of a CVE-2023-4966 exploitation.

        Parameters:

                -d  Debug
                -v  Verbose
                -h  This help
                -a  Set aggregation type. Possible values:
                        b (default) simple /24 aggregation
                        a aggregate by ASN
                        p aggregate to routing table prefix
                -p path to a routing table dump. Syntax: "prefix asn" per line

# Requirements

The script needs Net::CIDR and Net::Patricia (the latter only if you want to use the -p feature), which might not be installed on all Linux servers. On Debian-based systems, use

        sudo apt install libnet-cidr-perl libnet-patricia-perl

to install them.

A file with the global routing table as of 2023-10-27 is included in this repo. It needs to be decompressed.

The log line prefixes can vary between systems and log daemons. The code now tries to ignore
line prefixes and matches on the Citrix-supplied timestamps (which apparently can vary with locale settings).

# Background and Algorithm

CVE-2023-4966 leaks session cookies, which allows attackers to reconnect to existing Citrix sessions.

This script looks for "SSLVPN LOGIN" and "SSLVPN TCPCONNSTAT" syslog lines (pre-filtering the logs with grep for these lines makes sense)
and checks which sessions either don't have a matching LOGIN line or change client IP address over their lifetime.

The script uses successful initial logins as a sign that a source network is benign. If there are only reconnects from
a source network, but no initial logins from there, then these reconnects are suspicious. This is not done on a
pure IP-address basis; there are three aggregation schemes implemented:

* trivial /24
* aggregate to prefix according to the routing table
* aggregate to AS according to the routing table

The latter two algorithms need a file that matches prefixes to ASN. An example is supplied in this repo.
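The following Python is an added illustration of the algorithm described above; it is not Otmar Lendl's Perl script and does not reproduce its code. It assumes that the relevant NetScaler audit lines carry `SSLVPN LOGIN` / `SSLVPN TCPCONNSTAT`, a `SessionId: N` field and a `Client_ip A.B.C.D` field (the sample log lines, the routing table and every address and ASN below are constructed from documentation ranges), and it matches on those message fields rather than on the Citrix timestamp. It implements all three aggregation schemes (`b` /24, `p` routing prefix, `a` ASN) so the effect of aggregation can be compared on the same input.

```python
"""Added example: session-reconnect check for CVE-2023-4966 style cookie reuse."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines. Only the SSLVPN keyword, SessionId and Client_ip
# fields matter to the parser; the syslog prefix is intentionally arbitrary.
SAMPLE_LOG = """\
Oct 27 10:00:01 ns1 10/27/2023:10:00:01 GMT ns 0-PPE-0 : default SSLVPN LOGIN 101 0 : Context alice@203.0.113.10 - SessionId: 5001 - User alice - Client_ip 203.0.113.10 - Vserver 10.0.0.2:443
Oct 27 10:00:05 ns1 10/27/2023:10:00:05 GMT ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 102 0 : Context alice@203.0.113.10 - SessionId: 5001 - User alice - Client_ip 203.0.113.10 - Destination 10.1.1.5:443
Oct 27 10:05:00 ns1 10/27/2023:10:05:00 GMT ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 103 0 : Context alice@203.0.113.10 - SessionId: 5001 - User alice - Client_ip 198.51.100.77 - Destination 10.1.1.5:443
Oct 27 10:06:00 ns1 10/27/2023:10:06:00 GMT ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 104 0 : Context bob@203.0.113.44 - SessionId: 5002 - User bob - Client_ip 203.0.113.44 - Destination 10.1.1.9:443
Oct 27 10:07:00 ns1 10/27/2023:10:07:00 GMT ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 105 0 : Context carol@192.0.2.90 - SessionId: 5003 - User carol - Client_ip 192.0.2.90 - Destination 10.1.1.9:443
"""

# Constructed "prefix asn" table in the format the README describes for -p.
ROUTING_TABLE = """\
192.0.2.0/24 64496
198.51.100.0/24 64497
203.0.113.0/24 64496
"""

# Ignore whatever precedes the Citrix message; key on the audit fields only.
EVENT_RE = re.compile(
    r"SSLVPN (LOGIN|TCPCONNSTAT) .*?SessionId: (\d+) .*?Client_ip (\d{1,3}(?:\.\d{1,3}){3})"
)


class RoutingTable:
    """Longest-prefix-match lookup over a 'prefix asn' per line dump."""

    def __init__(self, text):
        self.entries = []
        for line in text.splitlines():
            if line.strip():
                prefix, asn = line.split()
                self.entries.append((ipaddress.ip_network(prefix), asn))
        # Most specific prefix first so the first hit is the longest match.
        self.entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, asn in self.entries:
            if addr in net:
                return str(net), asn
        return None, None


def aggregate(ip, scheme="b", table=None):
    """Map a client IP to its aggregation key: /24, routing prefix, or ASN."""
    slash24 = str(ipaddress.ip_network(f"{ip}/24", strict=False))
    if scheme == "b" or table is None:
        return slash24
    prefix, asn = table.lookup(ip)
    if prefix is None:          # not in the table: fall back to /24
        return slash24
    return prefix if scheme == "p" else asn


def parse_sessions(log_text):
    """Collect, per SessionId, the LOGIN client IP and every client IP seen."""
    sessions = defaultdict(lambda: {"login_ip": None, "ips": []})
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        kind, sid, ip = m.groups()
        if kind == "LOGIN":
            sessions[sid]["login_ip"] = ip
        sessions[sid]["ips"].append(ip)
    return dict(sessions)


def analyze(log_text, scheme="b", table=None):
    """Flag sessions with no LOGIN or a changing client IP, then report which
    of their source networks never produced an initial login anywhere."""
    sessions = parse_sessions(log_text)
    benign = {aggregate(s["login_ip"], scheme, table)
              for s in sessions.values() if s["login_ip"]}
    findings = {}
    for sid, s in sorted(sessions.items()):
        reasons = []
        if s["login_ip"] is None:
            reasons.append("no matching LOGIN line")
        if len(set(s["ips"])) > 1:
            reasons.append("client IP changed during session")
        if not reasons:
            continue
        unknown = sorted({aggregate(ip, scheme, table) for ip in s["ips"]} - benign)
        findings[sid] = {"reasons": reasons, "suspicious_networks": unknown}
    return findings


if __name__ == "__main__":
    table = RoutingTable(ROUTING_TABLE)
    for scheme in ("b", "p", "a"):
        print(f"--- aggregation {scheme} ---")
        for sid, f in analyze(SAMPLE_LOG, scheme, table).items():
            print(sid, "; ".join(f["reasons"]), "->", f["suspicious_networks"] or "benign network")
```

With the /24 scheme, session 5001 (login from 203.0.113.10, later traffic from 198.51.100.77) and session 5003 (no login at all, from 192.0.2.90) are reported with an unknown source network, while session 5002 has no LOGIN line but comes from a /24 that did produce logins, so it is reported without a suspicious network (the typical log-rotation case). Switching to ASN aggregation with the constructed table clears 5003 as well, because its prefix is in the same AS as alice's login: this is exactly the trade-off between fewer false positives and coarser grouping that the aggregation option controls.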

File Snapshot

[4.0K] /data/pocs/9dadcf4769652ec76fa49e56141b022f1fa9f2fd
├── [ 13K] citrix-anomaly.pl
├── [ 18K] LICENSE
├── [2.2K] README.md
└── [3.4M] v4table.gz

0 directories, 4 files