Critical Exposure in Citrix ADC (NetScaler) – Unauthenticated Remote Code Execution
Credit: Suggested steps taken from twitter post by @darkQuassar
Just converted to copy/pastable gist for easy access
history
cat /var/log/bash.log | grep -Eio "shell_command=.*$" | sort | uniq -c | sort -n && zcat /var/log/bash*.gz | grep -Eio "shell_command=.*$" | sort | uniq -c | sort -n
find / -name "*.xml" -exec ls -haltr {} \; | sed 's/ */ /g' | sort -k 8
cat /var/log/* | grep -Ei "vpns|\.pl " && zcat /var/log/*.gz | grep -Ei "vpns|\.pl "
find / -name "*.xml" -newermt "2020-01-10" && find / -name "*.pl" -newermt "2020-01-10" && find / -name "*.py" -newermt "2020-01-10"
cat /var/log/cron | sed 's/ */ /g' | cut -d" " -f 10 | sort | uniq -c && zcat /var/log/cron*gz | sed 's/ */ /g' | cut -d" " -f 10 | sort | uniq -c
Check for recently modified scripts, sorted by date with the most recent ones at the bottom (you should technically only see /var/ns_system_backup.pl)
find / -name "*.pl" -exec ls -haltr {} \; | grep -iv "local\/lib" | sed 's/ */ /g' | sort -k 8
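The file-system checks above (recently modified .xml/.pl/.py files, Perl scripts by modification time with the bundled Perl library excluded) as an added shell example that is not part of the gist: the checks are wrapped in functions taking a root directory and a cutoff date, so the same commands can be run against a mounted disk image or an extracted support bundle as well as on the live appliance (ROOT=/), and the Perl script listing is compared against a small allowlist instead of eyeballed. The directory tree, the file names in it and the KNOWN_GOOD_PL allowlist are constructed for the example; the default allowlist entry follows the gist's note that only /var/ns_system_backup.pl is expected, and should be adjusted per build.

```shell
#!/bin/sh
# Added example, not part of the gist: file-system checks as reusable functions.
# The sample tree built at the bottom is constructed data; KNOWN_GOOD_PL is an
# assumption based on the gist's note about /var/ns_system_backup.pl.

# Files with the given extensions modified after CUTOFF under ROOT, oldest first
# (most recent at the bottom). Usage: recent_files ROOT CUTOFF EXT [EXT...]
recent_files() {
  root=$1; cutoff=$2; shift 2
  for ext in "$@"; do
    find "$root" -type f -name "*.$ext" -newermt "$cutoff" -print0
  done | xargs -0 -r ls -tr
}

# Perl scripts under ROOT by mtime, most recent last, skipping the Perl library
# tree the same way the gist's grep -iv "local/lib" does.
perl_scripts_by_mtime() {
  find "$1" -type f -name '*.pl' -print0 | xargs -0 -r ls -tr | grep -iv 'local/lib' || true
}

# Perl scripts whose path, as seen on the appliance (relative to ROOT), is not
# in the allowlist. KNOWN_GOOD_PL is a space-separated list (assumption).
KNOWN_GOOD_PL='/var/ns_system_backup.pl'
unexpected_perl_scripts() {
  perl_scripts_by_mtime "$1" | while IFS= read -r f; do
    rel=${f#"$1"}; rel=${rel#/}; rel="/$rel"   # normalise to the on-appliance path
    case " $KNOWN_GOOD_PL " in
      *" $rel "*) ;;                            # known-good, skip
      *) printf '%s\n' "$f" ;;
    esac
  done
}

# --- constructed sample tree (stand-in for / on an appliance) ---
ROOT=$(mktemp -d)
mkdir -p "$ROOT/var/tmp" "$ROOT/usr/local/lib/perl5" "$ROOT/netscaler/portal/templates"
: > "$ROOT/var/ns_system_backup.pl";                touch -t 201912150000 "$ROOT/var/ns_system_backup.pl"
: > "$ROOT/usr/local/lib/perl5/Example.pl";         touch -t 201912150000 "$ROOT/usr/local/lib/perl5/Example.pl"
: > "$ROOT/netscaler/portal/templates/old.xml";     touch -t 201912150000 "$ROOT/netscaler/portal/templates/old.xml"
: > "$ROOT/netscaler/portal/templates/example.xml"; touch -t 202001120200 "$ROOT/netscaler/portal/templates/example.xml"
: > "$ROOT/var/tmp/example_dropped.pl";             touch -t 202001120300 "$ROOT/var/tmp/example_dropped.pl"

echo "== .xml/.pl/.py files modified after 2020-01-10 =="
recent_files "$ROOT" 2020-01-10 xml pl py
echo "== Perl scripts outside the known-good set =="
unexpected_perl_scripts "$ROOT"
```

On a live appliance call the functions with ROOT=/ and the cutoff of your choice; `-newermt` is available in both FreeBSD and GNU find, and `xargs -r` keeps `ls` from listing the current directory when nothing matches.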
lsof -RPni && lsof -PnP
The output could be filtered further using grep
ps auxd | grep nobody
sockstat -c -4 | awk '{ if (substr($7,1,8) != "127.0.0.") print $0}'
find /netscaler -mtime -4 -type f -print0 | xargs -0 /bin/ls -ltr
zgrep -Ei "http://newbm.pl|http://rmbm.pl|http://picktheme.pl" /var/log/*.gz
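The log and process checks above (shell_command history from bash.log, cron commands, vpns/.pl references in the logs, non-loopback sockets from sockstat) as an added shell example that is not part of the gist: each check is a function that takes log files as arguments and reads plain and rotated .gz files in one pass, the cron check extracts the text inside "CMD (...)" instead of cutting a fixed whitespace column, and the sockstat filter drops the header line and can be narrowed to one user (the gist's "nobody" check). The log lines and the sockstat output are constructed approximations of the NetScaler (FreeBSD) formats; verify them against a real appliance before relying on column positions.

```shell
#!/bin/sh
# Added example, not part of the gist: log-side triage checks as functions.
# All sample data below is constructed; layouts approximate the appliance formats.

# --- constructed sample data standing in for /var/log on an appliance ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bash.log" <<'EOF'
Jan 11 09:12:01 <local7.notice> ns bash[4011]: root on /dev/pts/0 shell_command="show ns version"
Jan 11 09:40:13 <local7.notice> ns bash[4020]: nobody on /dev/pts/1 shell_command="uname -a"
Jan 11 09:40:15 <local7.notice> ns bash[4021]: nobody on /dev/pts/1 shell_command="uname -a"
Jan 11 09:41:02 <local7.notice> ns bash[4022]: nobody on /dev/pts/1 shell_command="id"
EOF
gzip -c "$SAMPLE_DIR/bash.log" > "$SAMPLE_DIR/bash.log.0.gz"   # rotated copy
cat > "$SAMPLE_DIR/cron" <<'EOF'
Jan 11 02:00:00 <cron.info> ns /usr/sbin/cron[2201]: (root) CMD (/var/ns_system_backup.pl)
Jan 11 02:05:00 <cron.info> ns /usr/sbin/cron[2202]: (nobody) CMD (/var/tmp/.example_dropper)
Jan 11 02:10:00 <cron.info> ns /usr/sbin/cron[2203]: (nobody) CMD (/var/tmp/.example_dropper)
EOF
cat > "$SAMPLE_DIR/httpaccess.log" <<'EOF'
10.0.0.5 - - [11/Jan/2020:09:39:58 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 -
10.0.0.9 - - [11/Jan/2020:09:50:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 -
EOF
cat > "$SAMPLE_DIR/sockstat.txt" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  3  tcp4   10.0.0.2:22           10.0.0.50:51122
nobody   perl       4020  5  tcp4   10.0.0.2:49152        203.0.113.7:443
root     nsnetsvc   800   4  tcp4   127.0.0.1:3010        127.0.0.1:54001
EOF

# Read plain or gzip-compressed logs uniformly (the gist runs cat and zcat separately).
read_logs() {
  for f in "$@"; do
    case "$f" in
      *.gz) zcat "$f" ;;
      *)    cat "$f" ;;
    esac
  done
}

# Frequency table of every shell_command=... value, least frequent first.
shell_command_histogram() {
  read_logs "$@" | grep -Eio 'shell_command=.*$' | sort | uniq -c | sort -n
}

# Number of distinct shell_command values (a quick "did anything new appear" figure).
shell_command_distinct() {
  shell_command_histogram "$@" | wc -l | tr -d ' '
}

# Log lines referencing the vpns path or a Perl script, across plain and .gz logs.
vpns_indicator_lines() {
  read_logs "$@" | grep -Ei 'vpns|\.pl ' || true
}

# Cron commands by frequency, taken from inside "CMD (...)" so the result does
# not depend on how many syslog prefix fields precede it.
cron_command_histogram() {
  read_logs "$@" | sed -n 's/.*CMD (\(.*\))$/\1/p' | sort | uniq -c | sort -n
}

# Cron commands other than the backup job the gist says is expected.
cron_unexpected_commands() {
  cron_command_histogram "$@" | grep -v '/var/ns_system_backup.pl' || true
}

# sockstat -c -4 style output with the header and loopback peers removed.
external_connections() {
  awk 'NR > 1 && substr($7,1,8) != "127.0.0."' "$1"
}

# Same filter narrowed to one user, e.g. nobody (the account the gist greps for).
connections_by_user() {
  awk -v u="$1" 'NR > 1 && $1 == u && substr($7,1,8) != "127.0.0."' "$2"
}

echo "== shell_command histogram (plain + rotated) =="
shell_command_histogram "$SAMPLE_DIR/bash.log" "$SAMPLE_DIR/bash.log.0.gz"
echo "== vpns / .pl references =="
vpns_indicator_lines "$SAMPLE_DIR/httpaccess.log"
echo "== cron commands other than the expected backup job =="
cron_unexpected_commands "$SAMPLE_DIR/cron"
echo "== non-loopback connections owned by nobody =="
connections_by_user nobody "$SAMPLE_DIR/sockstat.txt"
```

On an appliance, pass the real files, for example `shell_command_histogram /var/log/bash.log /var/log/bash.log.*.gz`, and feed `sockstat -c -4 > /tmp/sockstat.txt` to the two connection filters; a command that appears only in the rotated logs, or a cron entry that is not the backup job, is what to look at first.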
- Critical Exposure in Citrix ADC (NetScaler) – Unauthenticated Remote Code Execution
- https://github.com/trustedsec/cve-2019-19781
- Initial 0day drop
- https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix/
- Youtube: PoC walkthrough
- Best tool to assess the vulnerability: citrixmash scanner by @x1sec
Hi mate, thanks again for wrapping this up in a gist! Do you think we can update it with two more suspicious process checks?
Check for suspicious running processes and their connections - 3
Check for suspicious running processes and their connections - 4
find /netscaler -mtime -4 -type f -print0 | xargs -0 /bin/ls -ltr (ref. Robert @x1sec tweet)
And a new link: