
In response to exploitation of CVE-2019-19781, incident responders may find themselves needing to grab an image of vulnerable Citrix ADC and/or Gateway appliances. It’s likely that the majority of these devices are virtual appliances within networks, however there’s bound to be some physical boxes sitting out in datacentres somewhere.

Thus, here are a couple of ways to grab an image of these devices.


Copy partitions to an external drive attached to the device.

The Netscalers have a single USB port on the front or back, making copying data off to an external drive easy enough once mounted.

  1. Run df -h and identify the partitions of interest. These are likely /dev/md0, /dev/ad0s1a and /dev/ad0s1b.
  2. Mount a drive with an ext2/3 filesystem.
    • To identify your drive, use geom: geom disk list to view disks and geom part list to break them out into partitions.
    • Use the mount utility to specify the block device and your mountpoint; if you're having issues, try mounting it as a CDROM.
  3. Use dd to copy the partitions identified with df -h to output files on the mounted drive.
    • You may be able to direct the output from dd straight to the partition's block device in /dev without mounting. I didn't have any success with it though.

Copy partitions to a host of your choice over SSH.

  1. Run df -h and identify the partitions of interest. These are likely /dev/md0, /dev/ad0s1a and /dev/ad0s1b.
  2. Choose a host to either push the image to, or to pull the image with (recommended).
  3. Push method (taken from https://github.com/x1sec/CVE-2019-19781/blob/master/CVE-2019-19781-DFIR.md)
    • dd if=/dev/md0 | gzip -1 - | ssh user@[IP address] dd of=/[fullpath]/md0.gz
    • dd if=/dev/ad0s1a | gzip -1 - | ssh user@[IP address] dd of=/[fullpath]/ad0s1a.gz
    • dd if=/dev/ad0s1b | gzip -1 - | ssh user@[IP address] dd of=/[fullpath]/ad0s1b.gz
  4. Pull method (also taken from the above link, but it was my pull request)
    • ssh user@[IP address] "shell dd if=/dev/md0 | gzip -1 - " | dd of=/[fullpath]/md0.gz status=progress
    • ssh user@[IP address] "shell dd if=/dev/ad0s1a | gzip -1 - " | dd of=/[fullpath]/ad0s1a.gz status=progress
    • ssh user@[IP address] "shell dd if=/dev/ad0s1b | gzip -1 - " | dd of=/[fullpath]/ad0s1b.gz status=progress
    • The shell keyword in the above commands is required to pass dd through to the execution context of sh.
    • Remove gzip if you're concerned about the performance of the Netscalers; you'll then transfer a full cut of the disk, including all unallocated space, though.
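
As an added example (not part of the original post or the linked repository), here is a small POSIX sh wrapper around the pull method above that images every /dev partition reported by df -h and records a sha256 of each received file so the evidence can be verified later. It assumes the collecting host has ssh, dd, gzip and sha256sum, that the appliance account lands in the Netscaler CLI (hence the shell prefix), and that shell df -h is accepted the same way shell dd is; SSH_CMD is a hypothetical override so the transport can be swapped out.

```sh
#!/bin/sh
# Added example, not the original post's code: pull imaging of Citrix ADC
# partitions over SSH with integrity hashes on the collecting host.

# Transport used to run a command on the appliance (assumption: overridable
# so the pipeline can be exercised without a real appliance).
SSH_CMD=${SSH_CMD:-ssh}

# Read 'df -h' output on stdin and print only /dev/ block devices
# (e.g. /dev/md0, /dev/ad0s1a, /dev/ad0s1b), skipping devfs, procfs and the header.
partitions_from_df() {
    awk '$1 ~ /^\/dev\// { print $1 }'
}

# Remote side of the pipeline. 'shell' is required so dd runs under sh
# rather than being interpreted by the Netscaler CLI.
remote_cmd() {
    printf 'shell dd if=%s | gzip -1 -' "$1"
}

# pull_image HOST DEVICE OUTDIR
# Streams the gzipped partition into OUTDIR/<device>.gz and writes
# OUTDIR/<device>.gz.sha256 with a relative path so it verifies from any cwd.
pull_image() {
    host=$1; dev=$2; outdir=$3
    name="$(basename "$dev").gz"
    "$SSH_CMD" "$host" "$(remote_cmd "$dev")" | dd of="$outdir/$name" bs=64k
    ( cd "$outdir" && sha256sum "$name" > "$name.sha256" )
}

# verify_image FILE.gz: re-hash the file against its .sha256 record and
# confirm the gzip stream is intact (a truncated transfer fails both checks).
verify_image() {
    dir=$(dirname "$1"); name=$(basename "$1")
    ( cd "$dir" && sha256sum -c "$name.sha256" >/dev/null ) && gzip -t "$1"
}

# pull_all HOST OUTDIR: image every /dev partition the appliance reports.
# Assumes 'shell df -h' is passed through to sh the same way 'shell dd' is.
pull_all() {
    host=$1; outdir=$2
    "$SSH_CMD" "$host" "shell df -h" | partitions_from_df | while read -r dev; do
        pull_image "$host" "$dev" "$outdir"
    done
}
```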

Happy imaging!