Overread - Citrix Bleed Bug


Citrix Bleed - CVE-2023-4966

Simulates CVE-2023-4966 Citrix Bleed overread bug

This is my final project for Harvard CS50 Cybersecurity 2023. It’s about a bug. A small bug - with huge, ongoing consequences. In this presentation, I’ll be sharing the “bleeding insights” from one developer’s tiny mistake. A mistake that continues to cause big problems for potentially millions of people.

Video

Video: Citrix Bleed Video on YouTube

Recorded December 4, 2023

Notes

This demonstration program in C calls snprintf() with a formatted string that is longer than the destination buffer, so snprintf() truncates the output. The catch is that snprintf() returns the length the complete string would have had, not the number of bytes it actually wrote. The program then uses that return value as a length and reads past the end of the buffer, which is the over-read at the root of CVE-2023-4966.

Depending on your compiler and C library, malloc() may align or pad the allocations so that the two buffers are not adjacent, which would break the demonstration. The constants I use are chosen so the output fits on one terminal screen. Changing them can cause the results to differ and might not demonstrate the issue at all.
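The following is an added example written for this page; it is not the project's code from GitHub. It shows the vulnerable pattern (trusting the snprintf() return value as a send length) beside the fixed pattern, and "sends" the resulting byte range from a constructed struct in which a placeholder session cookie sits directly after the response buffer, standing in for the neighbouring heap data that the real bug exposed. The format string, the host names, the TOKEN value and the struct layout are all constructed for illustration; keeping the over-read inside one struct makes the demo well-defined C, whereas the real over-read walked into whatever happened to follow the buffer on the heap.

```c
#include <stdio.h>
#include <string.h>

#define RESP_SIZE 128                       /* small so the demo fits on one screen */
#define TOKEN "NSC_AAAC=SESSION-COOKIE"     /* constructed placeholder, not a real cookie */

/* Constructed layout standing in for the heap: the response buffer is
 * immediately followed by unrelated data (a session cookie here). */
struct region {
    char response[RESP_SIZE];
    char neighbour[32];
};

/* Constructed format string: the attacker-controlled host appears twice. */
static const char FMT[] =
    "{\"issuer\":\"https://%s\",\"jwks_uri\":\"https://%s/jwks\"}";

/* Vulnerable: hands back snprintf's return value as the number of bytes to
 * send. snprintf returns the length the string WOULD have had, not what it
 * wrote, so a long host yields a "length" larger than the buffer. */
size_t build_vuln(char *out, size_t cap, const char *host) {
    int n = snprintf(out, cap, FMT, host, host);
    return n < 0 ? 0 : (size_t)n;
}

/* Fixed: detect truncation and never report more than was written. */
size_t build_fixed(char *out, size_t cap, const char *host) {
    int n = snprintf(out, cap, FMT, host, host);
    if (n < 0) return 0;
    if ((size_t)n >= cap) return cap - 1;   /* truncated: cap-1 chars plus NUL */
    return (size_t)n;
}

/* "Sends" len bytes starting at the response buffer into `sent` and returns
 * how many of them came from the neighbour. The read stays inside struct
 * region (well-defined C); the real bug read arbitrary adjacent heap memory. */
size_t neighbour_bytes_sent(size_t (*build)(char *, size_t, const char *),
                            const char *host, unsigned char *sent, size_t *sent_len) {
    struct region r;
    memset(&r, 0, sizeof r);
    strcpy(r.neighbour, TOKEN);
    size_t len = build(r.response, sizeof r.response, host);
    if (len > sizeof r) len = sizeof r;         /* the demo's memory ends here */
    memcpy(sent, &r, len);
    *sent_len = len;
    return len > RESP_SIZE ? len - RESP_SIZE : 0;
}

/* Naive substring search over a byte range (memmem is not standard C). */
static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the placeholder token appears in what the given builder would send. */
int leaks_token(size_t (*build)(char *, size_t, const char *), const char *host) {
    unsigned char sent[sizeof(struct region)];
    size_t n;
    neighbour_bytes_sent(build, host, sent, &n);
    return contains(sent, n, TOKEN);
}

int main(void) {
    char evil[201];
    memset(evil, 'A', 200);
    evil[200] = '\0';                            /* oversized Host header */
    printf("benign host: vuln=%d fixed=%d\n",
           leaks_token(build_vuln, "idp.example.com"),
           leaks_token(build_fixed, "idp.example.com"));
    printf("long host:   vuln=%d fixed=%d\n",
           leaks_token(build_vuln, evil), leaks_token(build_fixed, evil));
    return 0;
}
```

With a benign host both builders agree, because the string fits. With the 200-byte host the vulnerable builder reports 448 bytes for a 128-byte buffer, and the "sent" range carries the neighbouring cookie; the fixed builder reports 127 and leaks nothing. In production code the fixed path should also treat truncation as an error rather than silently sending a cut-off response.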

Output

Memory dump showing overread

See Project On GitHub

Citrix Bleed overread bug on GitHub
