Re: are the NetBIOS-like hacking days over? - wide open citrix services on critical domains

[<full-disclosure () hushmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHUT UP

On Thu, 04 Oct 2007 15:55:06 -0400 "pdp (architect)"
<pdp.gnucitizen () googlemail com> wrote:
> The other day I was performing some CITRIX testing, so I had a lot
> of
> fun with hacking into GUIs, which, as most of you probably know,
> are
> trivial to break into. I did play around with .ICA files as well,
> just
> to make sure that the client is not affected by some obvious
> client-side vulnerabilities. This exercise led me to reevaluate
> great
> many things about ICA (Independent Computing Architecture). When
> querying Google and Yahoo for public .ICA files, I was presented
> with
> tones of wide open services, some of which were located on .gov
> and
> .mil domains. This is madness! No, this is the Web. Through, I
> wasn't
> expecting what I have found. Hacking like in the movies?
>
> I did not poke any of the services I found, although it is obvious
> what is insecure and what is not when it comes to citrix. It is
> enough
> to look into the ICA files. With a few lines in bash combined with
> my
> Google python script, I was able to dump all the ICA files that
> Google
> knows about and do some interesting grepping on them. What I
> discovered was unbelievable. Shall we start with the Global
> Logistics
> systems or the US Government Federal Funding Citrix portals - all
> of
> them wide open and susceptible to attacks. Again, no poking on my
> side, just simple observation exercises on the information
> provided by
> Google.
>
> Just by looking into Google, I was able to find 114 wide open
> CITRIX
> instances: 10 .gov, 4 .mil, 20 .edu, 27 .com, etc… The research
> was
> conducted offline, therefore there might be some false positives.
> Among the services discovered, there were several critical
> applications which looked so interesting that I didn't even dare
> look
> at theirs ICA files. I am trying to raise the consumer awareness
> with
> this article. I mean, it is 2007 people, it shouldn't be that
> simple.
>
> I did write and article about my findings which you can read from
> here:
> http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-
> backdoor/
>
> I've also created a video that show the lamest way someone can use
> to
> break into unprotected citrix just to show the concepts.
>
> CITRIX hacking is just like back in the old days with NetBIOS. It
> simple. It is malicious. It is highly effective. And the problem
> is
> that CITRIX is pretty useful. Here is a dilemma for you:
> Let's say that you have a pretty stable desktop app which you
> would
> like to be available on the Web. What you gonna do? Port it to
> XHTML,
> JavaScript and CSS? No way! You are most likely going to put it
> over
> CITRIX.
>
> I've also wrote a script which makes use of ICAClient ActiveX
> controller to enumerate remote Application, Servers and Farms:
> http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-
> backdoor/enum.js
>
> Let me know if you find this useful.
>
> cheers
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

wpwEAQECAAYFAkcI7/YACgkQ+dWaEhErNvS36wP8Cxo00/NFSl7Z7Gbn5pZ95JyJozc5
N0oZGocSA2OClztJ4yMSiMwJ5NYXTuAGoYYCqeN0iqbYoPVxjdyEtTKx1g7GDmozGTBI
BQva/eK5JoJU5w4/mhW3JwmOyvOhyZ8qL9pPF9717d5f68/A4hRx0VKeM9ghfsEV3V1O
wS6ZEhQ=
=77ds
-----END PGP SIGNATURE-----

--
Click for free information on court reporter careers, $100 per hour potential.
http://tagline.hushmail.com/fc/Ioyw6h4dB34gPHFk5dCWg95E3wYzBrLQcPADHp9ZYNvj1kzDeO4iLG/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/