CVE-2014-7140
published 2014-10-21

CVE-2014-7140: Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.x before 10.1-129.11…

Priority: P2 · 62 · high
CVSS 2.0 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 16.19% (96.5th percentile)
Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.x before 10.1-129.11 and 10.5 before 10.5-50.10 allows remote attackers to execute arbitrary code via unknown vectors.

Affected

11 ranges

Vendor   Product                                                Version range   Fixed in
citrix   citrix_adm                                             not listed      not listed
citrix   citrix_hypervisor                                      not listed      not listed
citrix   citrix_virtual_apps_and_desktops                       not listed      not listed
citrix   endpoint_management                                    not listed      not listed
citrix   netscaler_adc                                          not listed      not listed
citrix   netscaler_adc_gateway                                  not listed      not listed
citrix   netscaler_application_delivery_controller_firmware     not listed      not listed
citrix   netscaler_application_delivery_controller_firmware     not listed      not listed
citrix   netscaler_application_delivery_controller_firmware     not listed      not listed
citrix   netscaler_gateway                                      not listed      not listed
citrix   xenserver                                              not listed      not listed

Note: the version ranges and fixed builds are not given per product here; the description above names the confirmed affected builds (NetScaler ADC and NetScaler Gateway 10.x before 10.1-129.11 and 10.5 before 10.5-50.10).

Detection & IOCs (extracted from sources)

Indicator type   Value
url              /soap
port             3010
bytes            0xa5a50000 (little-endian uint32; on the wire: 00 00 a5 a5)
bytes            \x00\x00\xa5\xa5
bytes            \x81\xc4\x54\xf2\xff\xff (add esp, -3500)
  • Exploit check: an HTTP GET to /soap that returns HTTP 200 with a body matching 'Server Request Handler.*No body received' is what the exploit's check routine treats as an exposed, likely vulnerable SOAP endpoint. Confirm the build number against the affected range before treating the host as vulnerable.
  • Exploit traffic: a POST to /soap whose SOAP body references an attacker-controlled host and port (default 3010) as a NetScaler config server. Monitor for outbound connections from the NetScaler management interface to unexpected hosts on port 3010; the management plane should only talk to known config servers.
  • Config-server response: the malicious response begins with a 2-byte little-endian length field followed by the magic bytes 0x00 0x00 0xa5 0xa5 (0xa5a50000 as a little-endian uint32). Alert on this header pattern in traffic to or from port 3010.
  • Process behaviour: the exploit targets the SOAP handler in the NetScaler web management interface (the apache2 process). Successful exploitation yields arbitrary code execution with web server privileges on the BSD (x86) platform. Monitor apache2 child processes for unexpected child spawning or shell execution.
  • Payload signature: the stack-pivot prepend bytes \x81\xc4\x54\xf2\xff\xff ('add esp, -3500') appear at the start of the shellcode, both in the network payload and in process memory, and can be used as a network or memory signature.
  • Target specificity: the exploit targets NetScaler Virtual Appliance build 450010 with hardcoded addresses. The RwPtr (an apache2 read/write address) is fixed at 0x80b9000, which is only reliable because the virtual appliance lacks ASLR and DEP. Physical appliances and other builds will have different addresses, so the public exploit may fail there even though the bug is present.
  • Bruteforce mode: the exploit can also bruteforce the return address, sweeping from 0xffffec00 (the page's "bottom of stack") to 0xfffdf000 ("top of stack") in steps of 256 bytes. This is only viable because the target is a forked apache child process without ASLR: each failed attempt crashes only one child, the parent respawns it at the same layout, and the sweep continues.
  • Affected versions: NetScaler ADC and NetScaler Gateway 10.x before 10.1-129.11 and 10.5 before 10.5-50.10. Versions outside this range are not confirmed vulnerable.
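The indicators above can be turned into checks that run over captured data. The following is an added example written for this page; it is not code from the page's sources, from the public exploit module or from Citrix. It applies the affected-version boundaries, the /soap check response, the config-server header (2-byte little-endian length followed by 00 00 a5 a5), the stack-pivot byte signature and the "management interface to unexpected host on 3010" rule to constructed sample data. The asset role label `netscaler_mgmt`, the allowlist of known config servers, and all sample bytes and flow records are assumptions made up for the example.

```python
"""Detection helpers for the CVE-2014-7140 indicators (added example, not from the page's sources)."""
import re
import struct
from typing import List, Optional

# Indicators as stated on the page
CHECK_BODY_RE = re.compile(rb"Server Request Handler.*No body received", re.S)
CONFIG_SERVER_MAGIC = b"\x00\x00\xa5\xa5"      # 0xa5a50000 as a little-endian uint32
STACK_PIVOT = b"\x81\xc4\x54\xf2\xff\xff"      # add esp, -3500 (prepend encoder)
CONFIG_SERVER_PORT = 3010


def version_is_affected(version: str) -> bool:
    """True for NetScaler ADC/Gateway 10.x builds before 10.1-129.11 or 10.5 before 10.5-50.10.

    Builds are written '10.<minor>-<build>.<sub>' and compared numerically.
    Anything that is not a 10.x build is reported as not confirmed (False).
    """
    m = re.fullmatch(r"10\.(\d+)-(\d+)\.(\d+)", version)
    if not m:
        return False
    minor, build, sub = (int(x) for x in m.groups())
    if (minor, build, sub) < (1, 129, 11):      # 10.0 builds and 10.1 before 129.11
        return True
    if minor == 5:
        return (build, sub) < (50, 10)
    return False


def check_response_indicates_exposed(status: int, body: bytes) -> bool:
    """The exploit's check: GET /soap -> HTTP 200 whose body carries the handler banner."""
    return status == 200 and CHECK_BODY_RE.search(body) is not None


def parse_config_server_message(data: bytes) -> Optional[dict]:
    """Parse the header of a (malicious) config-server response.

    Layout from the page: 2-byte little-endian length, then the magic 00 00 a5 a5.
    Returns None if the magic is absent, otherwise the declared length, the actual
    payload length after the header, and whether the stack-pivot prefix follows.
    """
    if len(data) < 6:
        return None
    (declared_len,) = struct.unpack_from("<H", data, 0)
    if data[2:6] != CONFIG_SERVER_MAGIC:
        return None
    payload = data[6:]
    return {
        "declared_len": declared_len,
        "payload_len": len(payload),
        "has_stack_pivot": STACK_PIVOT in payload,
        "pivot_offset": payload.find(STACK_PIVOT),   # -1 when absent
    }


def scan_for_stack_pivot(blob: bytes) -> List[int]:
    """Offsets of the 'add esp, -3500' bytes in a memory dump or packet payload."""
    hits, start = [], 0
    while (i := blob.find(STACK_PIVOT, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def suspicious_flows(flows, known_config_servers):
    """Flow-level rule: the management plane must not reach arbitrary hosts on 3010.

    flows: iterable of (source_role, dst_ip, dst_port); source_role is an asset
    inventory label (assumed here as 'netscaler_mgmt' for the management interface).
    """
    return [
        f for f in flows
        if f[0] == "netscaler_mgmt"
        and f[2] == CONFIG_SERVER_PORT
        and f[1] not in known_config_servers
    ]


# Constructed sample data for the example (not captured from a real device)
SAMPLE_CHECK_BODY = (b"<html><body><h1>Server Request Handler</h1>"
                     b"<p>No body received</p></body></html>")
SAMPLE_CONFIG_MSG = (struct.pack("<H", 12) + CONFIG_SERVER_MAGIC
                     + b"\x90\x90" + STACK_PIVOT + b"\xcc\xcc\xcc\xcc")
SAMPLE_FLOWS = [
    ("netscaler_mgmt", "203.0.113.7", 3010),   # unexpected external "config server"
    ("netscaler_mgmt", "10.0.0.5", 3010),      # allow-listed config server
    ("netscaler_mgmt", "203.0.113.7", 443),    # wrong port, not this rule
    ("workstation", "203.0.113.7", 3010),      # not the management interface
]

if __name__ == "__main__":
    print("10.1-129.10 affected:", version_is_affected("10.1-129.10"))
    print("check exposed:", check_response_indicates_exposed(200, SAMPLE_CHECK_BODY))
    print("config-server header:", parse_config_server_message(SAMPLE_CONFIG_MSG))
    print("pivot offsets:", scan_for_stack_pivot(SAMPLE_CONFIG_MSG))
    print("suspicious flows:", suspicious_flows(SAMPLE_FLOWS, {"10.0.0.5"}))
```

The version comparison is deliberately conservative: builds that do not parse as 10.x are reported as not confirmed rather than as safe, matching the last bullet above. The header parser only checks the first six bytes, so it works on a partial capture and does not depend on what the length field covers.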