Full Disclosure mailing list archives
Re: are the NetBIOS-like hacking days over? - wide open citrix services on critical domains
From: <full-disclosure () hushmail com>
Date: Sun, 07 Oct 2007 10:40:54 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHUT UP

On Thu, 04 Oct 2007 15:55:06 -0400 "pdp (architect)" <pdp.gnucitizen () googlemail com> wrote:
> The other day I was performing some CITRIX testing, so I had a lot of fun with hacking into GUIs, which, as most of you probably know, are trivial to break into. I did play around with .ICA files as well, just to make sure that the client is not affected by some obvious client-side vulnerabilities. This exercise led me to reevaluate a great many things about ICA (Independent Computing Architecture). When querying Google and Yahoo for public .ICA files, I was presented with tons of wide open services, some of which were located on .gov and .mil domains.
>
> This is madness! No, this is the Web. Though, I wasn't expecting what I have found. Hacking like in the movies?
>
> I did not poke any of the services I found, although it is obvious what is insecure and what is not when it comes to citrix. It is enough to look into the ICA files. With a few lines in bash combined with my Google python script, I was able to dump all the ICA files that Google knows about and do some interesting grepping on them. What I discovered was unbelievable. Shall we start with the Global Logistics systems or the US Government Federal Funding Citrix portals - all of them wide open and susceptible to attacks. Again, no poking on my side, just simple observation exercises on the information provided by Google.
>
> Just by looking into Google, I was able to find 114 wide open CITRIX instances: 10 .gov, 4 .mil, 20 .edu, 27 .com, etc… The research was conducted offline, therefore there might be some false positives. Among the services discovered, there were several critical applications which looked so interesting that I didn't even dare look at their ICA files.
>
> I am trying to raise the consumer awareness with this article. I mean, it is 2007 people, it shouldn't be that simple.
>
> I did write an article about my findings which you can read from here:
> http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/
>
> I've also created a video that shows the lamest way someone can use to break into unprotected citrix just to show the concepts. CITRIX hacking is just like back in the old days with NetBIOS. It's simple. It is malicious. It is highly effective. And the problem is that CITRIX is pretty useful. Here is a dilemma for you: Let's say that you have a pretty stable desktop app which you would like to be available on the Web. What you gonna do? Port it to XHTML, JavaScript and CSS? No way! You are most likely going to put it over CITRIX.
>
> I've also written a script which makes use of the ICAClient ActiveX controller to enumerate remote Applications, Servers and Farms:
> http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/enum.js
>
> Let me know if you find this useful.
>
> cheers
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
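The quoted post says that looking into a published .ICA file is enough to tell whether a Citrix service is wide open. The following is an added example for the defensive side of that observation, not code from the thread or from gnucitizen: it parses an .ICA launch file (an INI-style format) and reports the settings an operator should never leave in a file served to the public. The ICA keys checked (Username, Password, ClearPassword, Domain, EncryptionLevelSession) are standard ICA keys; the sample file is constructed for the example and is not one of the files the post refers to.

```python
"""Audit a published Citrix .ICA launch file for settings that let anyone who
downloads it walk straight into the session. Added example, not from the thread.
The sample below is constructed; it is not a real deployment."""
import configparser
from typing import List

# Constructed sample: an application entry with an embedded account and
# only "Basic" session encryption (the weakest ICA setting).
SAMPLE_ICA = """\
[WFClient]
Version=2
[ApplicationServers]
Payroll=
[Payroll]
Address=10.0.0.5
InitialProgram=#Payroll
Username=svc_payroll
ClearPassword=Summer2007
Domain=CORP
EncryptionLevelSession=Basic
TransportDriver=TCP/IP
"""

def parse_ica(text: str) -> configparser.ConfigParser:
    """ICA files are INI-style; keys may be empty or repeated, so parse leniently."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    cp.optionxform = str  # ICA keys are case-sensitive as written; keep them
    cp.read_string(text)
    return cp

def audit_ica(text: str) -> List[str]:
    """Return one finding per problem in each published application section.
    An empty list means the file embeds no credentials and no weak encryption."""
    cp = parse_ica(text)
    findings = []
    # The [ApplicationServers] section lists the names of the application sections.
    apps = list(cp["ApplicationServers"].keys()) if cp.has_section("ApplicationServers") else []
    for app in apps:
        if not cp.has_section(app):
            continue
        sec = cp[app]
        if sec.get("ClearPassword"):
            findings.append(f"{app}: plaintext password embedded (ClearPassword)")
        elif sec.get("Password"):
            findings.append(f"{app}: obfuscated password embedded (Password)")
        if sec.get("Username") and (sec.get("Password") or sec.get("ClearPassword")):
            findings.append(f"{app}: full credential pair {sec.get('Domain', '')}\\{sec['Username']} is in the file")
        enc = (sec.get("EncryptionLevelSession") or "").lower()
        if enc in ("", "basic"):
            findings.append(f"{app}: session encryption is {enc or 'unset'}; Basic is not confidentiality")
    return findings
```

Run `audit_ica` over every .ICA file your web server hands out; a non-empty result is a file that should be replaced by a launch flow that prompts for credentials and negotiates a real encryption level.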