Anatomy of a Citrix Hack: S**trix. Hands-on with Understanding, Detecting and Red Teaming this Exploit

Webinar Registration

Earlier this year we saw one of the worst vulnerabilities in years for corporate networks involving certain Citrix products, but it didn’t get a lot of press. Citrix published some mitigation steps but it took them a comparatively long time to release an actual patch. 

The technologies involved are Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway. The vulnerability allowed unauthenticated attackers to run arbitrary code. 

This is a big deal because these are key technologies that sit between users on the Internet and applications inside corporate networks.

In the meantime, attackers started working on how to exploit it. The mitigation steps from Citrix provided some big clues. They basically boiled down to creating rules that block directory traversal attempts (/../) and requests that try to access the /vpns/ directory. That directory contains Perl scripts. So that pretty much tells you right away that the targets are vulnerable scripts in that folder that could be tricked into running arbitrary instructions as a result of carefully crafted input.

But what was the “carefully crafted input”? It didn’t take security researchers long to figure that out. Soon Project Zero India released a public proof-of-concept exploit, quickly followed by TrustedSec. 

In this Anatomy of a Hack session I will explain what the relevant Citrix technologies do, and why this vulnerability is so important. Then we will dive into the details of the vulnerability in terms of how it works, how to use it in red teaming and how to detect and defend against it from a blue team perspective. 

There’s a lot to learn from this hack that can be applied much more widely than just Citrix technologies. The exploit involves:

  • Directory traversal
  • Unsanitized input
  • Remote file insertion
  • Code injection
  • Indirect file execution

As part of the blue team defensive analysis I’m going to show you, we will analyze some PCAP (packet capture) data and isolate the signature of this attack. We’ll have to deal with some encoded data, which is fairly simple once you recognize it. Then we’ll create a Snort rule to detect attempts to exploit this vulnerability.
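To make the detection idea concrete, here is an added example that is not part of the webinar material or the Immersive Labs platform. It turns the two things the page describes into code: the Citrix mitigation logic (flag directory traversal and requests that reach /vpns/) and the point that the request data may be percent-encoded and has to be decoded before a signature can be matched. The request lines are constructed for illustration; the function names and the "reason" strings are this example's own choices.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample request lines (illustrative only, not from a real capture).
SAMPLE_REQUESTS = [
    "GET /vpn/index.html HTTP/1.1",           # ordinary gateway page: benign
    "GET /vpn/../vpns/ HTTP/1.1",             # plain traversal into /vpns/
    "GET /vpn/..%2fvpns/ HTTP/1.1",           # slash percent-encoded
    "GET /vpn/%2e%2e%2fvpns/ HTTP/1.1",       # dots and slash percent-encoded
    "GET /vpns/ HTTP/1.1",                    # direct request to the blocked directory
    "GET /logon/LogonPoint/index.html HTTP/1.1",  # another benign path
]


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so doubly encoded traversal (e.g. %252e) is revealed.

    Decoding stops as soon as a round changes nothing, so a path that was never
    encoded is returned unchanged.
    """
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(line: str) -> Optional[str]:
    """Return a reason string if the request line matches the mitigation pattern, else None.

    The rules mirror the Citrix mitigation described above: block "/../" traversal
    attempts and block requests into the /vpns/ directory.
    """
    parts = line.split()
    if len(parts) < 2:
        return None  # not a request line we understand
    path = decode_path(parts[1]).lower().split("?", 1)[0]  # drop any query string
    has_traversal = ".." in path.split("/")
    # Resolve the traversal so "/vpn/../vpns/" is compared as "/vpns".
    resolved = posixpath.normpath(path)
    if has_traversal and resolved.startswith("/vpns"):
        return "directory traversal into /vpns/"
    if has_traversal:
        return "directory traversal"
    if path.startswith("/vpns/"):
        return "direct request to /vpns/"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the classifier over request lines and keep only the hits with their reason."""
    hits = []
    for line in lines:
        reason = classify_request(line)
        if reason:
            hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for line, reason in scan(SAMPLE_REQUESTS):
        print(f"{reason:35s} <- {line}")
```

The same decision appears in a Snort rule as a content match on the URI; Snort's `http_uri` buffer is the normalized (percent-decoded) form of the URI, which is why decoding first matters here and why a rule written only against the raw bytes of "/../" would miss the encoded variants in the list above.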

One of the coolest things about this real training for free session is that we’ll be using the hands-on training platform from Immersive Labs for the blue team work. Then Kevin Breen - Director of Cyber Threat Research from Immersive Labs will briefly show you more about this fully interactive, gamified and on-demand cyber skills platform.

Please join us for this real training for free session.
