Re: Citrix NFuse 1.6 - additional network exposure

["Bob Fiero" <bfiero () mentalfloss net>]

On a Citrix server supporting applications running off of a Novell Directory Services network, I found that additional 
information about the victim network can be discovered.

After opening the applist.asp page and seeing all configured applications, without authentication, I clicked on one of 
the apps. Another browser window opened with the following error:

There was an error:
This operation requires user credentials to be specified. The following session field was not set: NFUSE_USER

while opening the URL of:

http://nfuse.insecureMSserver.com/launch.asp?NFuse_Application=LookOut&NFuse_MIMEExtension=.ica

I appended &NFUSE_USER=ABM&NFUSE_PASSWORD=byte-me to the URL. Note that the two parameters NFUSE_USER and 
NFUSE_PASSWORD were supplied with bogus parameters. 

After a short period of time, Citrix presented me with a Novell client login screen. By clicking the Advanced button, I 
was able to browse Novell Directory Services for all tree, organizational units, and server names contained on the 
network. In the NT/2000 tab of the client, I was able to ascertain the name of the AD domain, and the server name 
hosting the Citrix published application.

As was and is still the case, as far as I can tell this bug only the exposes network information. But, exposure of 
information such as this is great for recognizance preceding further attacks.

I tested with a bogus application name after the NFuse_Application parameter, but only with a valid app name is this a 
problem.