Penetration Testing mailing list archives
Re: [PEN-TEST] Security of Citrix server to client protocol
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Wed, 13 Sep 2000 21:15:38 -0500
Peter Van Epp wrote:
> My question is can anyone tell me I don't even need to look because the server client protocol is (for instance) a full IP connection and full of holes? Has anyone been able to compromise a client machine by breaking in to the server on Citrix?
Hi,

The Citrix client has the ability to map local file systems to a drive on the Citrix server; by default the Linux client mounts the /tmp directory to the R drive. If someone gains access to the server, they could write to any drives mounted in this fashion. If the user happens to mount a directory containing sensitive files, then the attacker now has access to them. If the user mounts their Unix home directory or the system directory under Windows, then the attacker could install an outbound trojan and force it to start up upon login.

Citrix also provides a device mapping capability, allowing a user to map his COM ports to the COM ports on the remote machine in his current session. This allows them to make use of their local printer/modem/etc. from the Citrix server. The implications of 'remote modem access' should be clear.

The actual communication protocol between client and server is not very secure by default, although a secure Windows client does exist that enables network encryption. The "dsniff" tool (hi Dug!) has the ability to snag Citrix passwords off the wire. As far as I know, nobody has published a packet-by-packet dissection of the actual Citrix protocol or revealed any vulnerabilities with it. When I get time I will take a look and publish the results if anything funny turns up.

-HD

http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)