In this Blog lets discuss about Citrix POCs that is released recently on July
1. POC for CVE-2023-24488
https://github.com/securitycipher/CVE-2023-24488
Citrix Gateway Open Redirect and XSS (CVE-2023-24488)
URL query parameters are not adequately sanitised before they are placed into an HTTP Location header. An attacker can create a link which, when clicked, redirects the victim to an arbitrary location. Alternatively the attacker can inject newline characters into the Location header, to prematurely end the HTTP headers and inject an XSS payload into the response body.
https://github.com/Abo5/CVE-2023-24488
CVE-2023-24488.rb The provided script is a Ruby script used to check and detect the CVE-2023-24488 security vulnerability in Citrix Gateway and Citrix ADC.
Script Details:
The script requires the HTTParty library, which helps in sending HTTP requests. The check_cve_2023_24488 function is defined, which takes a url parameter to specify the target URL. The path variable is defined, which contains the string for the CVE-2023-24488 vulnerability. A GET request is sent using HTTParty to the target URL along with the pre-defined path. The server’s response is examined to verify if the vulnerability is available. This is done by checking the presence of the <script>alert(document.domain)</script> string in the response body, verifying that the response header contains “content-type: text/html”, and checking that the response code is 302. If the vulnerability is detected in the target URL, it prints “Vulnerable to CVE-2023-24488: Citrix Gateway and Citrix ADC – Cross-Site Scripting.” If the vulnerability is not detected in the target URL, it prints “Not vulnerable to CVE-2023-24488.” The script is used to scan a specific website (in this case, https://example.com/) to check if it is vulnerable to the CVE-2023-24488. You can change the target URL by modifying the value of target_url in the script.
2. Bug Bounty
CVE-2023-3519
https://github.com/SalehLardhi/CVE-2023-3519
Nuclei template checks for the presence of the CVE-2023-3519 vulnerability in a target web server.
Vulnerability:
CVE-2023-3519 is a vulnerability that allows unauthenticated remote code execution in the Citrix Application Delivery Controller (ADC) and Gateway appliances. An attacker can this vulnerability by sending a specially crafted request to the affected system.
This template checks for the presence of the vulnerability by comparing the “Last-Modified” header in the server response to known patched versions.
To scan a single target with Nuclei, use the following command:
nuclei -target <target> -t cve-2023-3519.yaml
To scan multiple targets, use a file containing a list of targets:
nuclei -l <target_file> -t cve-2023-3519.yaml
3. Mass CVE-2023-24489 [RCE]
https://github.com/codeb0ss/CVE-2023-24489-PoC
4. Scanner
cve-2023-3519-citrix-scanner
https://github.com/telekom-security/cve-2023-3519-citrix-scanner
to identify vulnerable Citrix Gateways/ADCs by looking at the HTTP headers.
How it Works:
During our analysis of this vulnerability, we and our friends at CERT-Verbund noticed, that our patched systems had the same HTTP header Last-Modified timestamp.
Note that reverse proxies and heavily customised front pages may alter the results. In this case, we check, if the timestamp is volatile. It it isn’t and the timestamp is newer than 18. July 2023, the server has probably been patched. This script should not be your only method of checking that you are not vulnerable.
Our current known timestamps are:
Our current known timestamps are:
| Patch | Last-Modified Timestamp |
| 13.1-49.13 | Mon, 10 Jul 2023 17:41:17 GMT |
| 13.1-49.13 | Mon, 10 Jul 2023 18:36:14 GMT |
| 13.0-91.13 | Fri, 07 Jul 2023 15:39:40 GMT |
