Penetration Testing mailing list archives

Re: [PEN-TEST] Security of Citrix server to client protocol


From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Wed, 13 Sep 2000 21:15:38 -0500

Peter Van Epp wrote:

        My question is can anyone tell me I don't even need to look because
the server client protocol is (for instance) a full IP connection and full of
holes? Has anyone been able to compromise a client machine by breaking into
the server on Citrix?

Hi,

The Citrix client has the ability to map local file systems to a drive
on the Citrix server, by default the Linux client mounts the /tmp
directory to the R drive.  If someone gains access to the server, they
could write to any drives mounted in this fashion.  If the user happens
to mount a directory containing sensitive files then the attacker now
has access to them.  If the user mounts their Unix home directory or the
system directory under Windows, then the attacker could install an
outbound trojan and force it to startup upon login.  Citrix also
provides a device mapping capability, allowing a user to map his COM
ports to the COM ports on the remote machine in his current session.
This allows them to make use of their local printer/modem/etc from the
Citrix server.  The implications of 'remote modem access' should be
clear.

The actual communication protocol between client and server is not very
secure by default, although a secure Windows client does exist that
enables network encryption.  The "dsniff" tool (hi Dug!) has the ability
to snag Citrix passwords off the wire.  As far as I know, nobody has
published a packet-by-packet dissection of the actual Citrix protocol or
revealed any vulnerabilities with it.  When I get time I will take a
look and publish the results if anything funny turns up.

-HD

http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)
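The drive-mapping risk described above is something a client-side administrator can audit before a session is ever opened. The script below is an added example, not code from this thread or from Citrix: it reads a drive-mapping configuration in an ini layout and ranks each enabled mapping by what an attacker on the server could reach through it. The section name and key names (WFClient, DriveEnableX, DrivePathX, DriveWriteAccessX) are assumptions chosen for the example and have not been checked against a real client configuration file; the sample configuration is constructed.

```python
import configparser
import posixpath

# Constructed sample in an ini layout. The key names are assumptions for this
# example (modelled on a per-drive-letter scheme), not verified Citrix keys.
SAMPLE_CONFIG = """
[WFClient]
DriveEnableR=True
DrivePathR=/tmp
DriveWriteAccessR=1
DriveEnableH=True
DrivePathH=/home/alice
DriveWriteAccessH=1
DriveEnableD=True
DrivePathD=/home/alice/public
DriveWriteAccessD=0
DriveEnableZ=False
DrivePathZ=/
DriveWriteAccessZ=1
"""

# Directories whose exposure to the server side is always a concern.
SYSTEM_ROOTS = ("/etc", "/usr", "/bin", "/sbin", "/lib", "/var", "/root")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def _is_under(path: str, root: str) -> bool:
    """True when path equals root or lies inside it (both normalised)."""
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def classify_mapping(path: str, writable: bool, home_dir: str) -> tuple[str, str]:
    """Return (severity, reason) for a single client directory exposed to the server."""
    if path == "/" or any(_is_under(path, r) for r in SYSTEM_ROOTS):
        if writable:
            return "high", "system directory writable from the server"
        return "medium", "system directory readable from the server"
    if _is_under(path, home_dir):
        if writable:
            return "high", "home directory writable: login startup files can be modified"
        return "medium", "home directory contents readable from the server"
    if _is_under(path, "/tmp") and writable:
        return "medium", "shared scratch space writable from the server"
    if writable:
        return "low", "writable mapping outside home and system directories"
    return "info", "read-only mapping outside home and system directories"


def audit_drive_mappings(config_text: str, home_dir: str) -> list[dict]:
    """Parse the ini text and return findings for every enabled drive mapping."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so the drive-letter suffix survives
    cp.read_string(config_text)
    section = cp["WFClient"]
    findings = []
    for key, value in section.items():
        if not key.startswith("DriveEnable"):
            continue
        letter = key[len("DriveEnable"):]
        if value.strip().lower() != "true":
            continue  # disabled mapping exposes nothing
        raw_path = section.get("DrivePath" + letter, "").strip()
        if not raw_path:
            continue  # enabled but unmapped: nothing to assess
        path = posixpath.normpath(raw_path)
        writable = section.get("DriveWriteAccess" + letter, "0").strip() == "1"
        severity, reason = classify_mapping(path, writable, home_dir)
        findings.append({"drive": letter, "path": path, "writable": writable,
                         "severity": severity, "reason": reason})
    # Most severe first, then by drive letter for a stable report.
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["drive"]))
    return findings


if __name__ == "__main__":
    for f in audit_drive_mappings(SAMPLE_CONFIG, "/home/alice"):
        mode = "rw" if f["writable"] else "ro"
        print(f"{f['severity']:6} {f['drive']}: {f['path']} ({mode}) - {f['reason']}")
```

The home directory is passed in explicitly rather than read from the environment so the same configuration produces the same report whoever runs the audit; on the constructed sample the writable home mapping ranks highest, the read-only subdirectory of home and the writable /tmp mapping rank medium, and the disabled Z mapping is ignored.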
