CVE-2023-4966 PoC — Unauthenticated sensitive information disclosure

Description

Python script to search Citrix NetScaler logs for possible CVE-2023-4966 exploitation.

Readme

# Scan for CVE-2023-4966 IoCs

## Script: check-cve-2023-4966.py

The script searches the Citrix NetScaler logs for possible CVE-2023-4966 exploitation.

### Usage

```
usage: check-cve-2023-4966.py [-h] [--nologline] logdir_path

Python script to check CitrixNetScaler logs for possible CVE-2023-4966 exploitation

positional arguments:
  logdir_path  path to NetScaler log files (located on the NetScaler in the directory /mnt/temp/log/)

options:
  -h, --help   show this help message and exit
  --nologline  do not print the logline
```

### Example

```bash
$ python check-cve-2023-4966.py NetScaler/log/mnt/temp/log/ --nologline
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
```

## Citrix XenDesk/XenApp Monitoring Database

Citrix XenDesk and XenApp sessions are logged in the monitoring database.
With this monitoring database it is possible to find the sessions and worker machines which might be used after successful exploitation.

The helper directory contains sql queries to check the monitoring database.

### machines.sql

Script to get the machine id, name and ip address.

## last-sessions.sql

Query to get sessions from a specific machine (MachineId).

## session query

Query to get additionl sessions information for a specific machine (MachineId) and user.

File Snapshot

Remarks