Re: 0day: Hacking secured CITRIX from outside

[<full-disclosure () hushmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHUT UP VLADIS

On Wed, 10 Oct 2007 11:47:23 -0400 "pdp (architect)"
<pdp.gnucitizen () googlemail com> wrote:
> http://www.gnucitizen.org/blog/0day-hacking-secured-citrix-from-
> outside
>
> In the true spirit of GNUCITIZEN half(partial)-disclosure
> initiative,
> we announce that it is possible to gain user access level on
> integrated remote CITRIX servers. The bug/feature does not relay
> on
> any client/server vulnerabilities nor client/server
> misconfiguration
> issues. All an attacker needs to do to exploit the weakness is to
> lure
> a victim, part of an integrated network, to a malicious website or
> trick them into opening specially crafted ICA files. The attack
> results into remote command execution with the access level of the
> current user.
>
> The success of the attack relays on the fact that the victim (the
> proxy) is part of a CITRIX ring to which he/she can perform pass
> through authentication. Once a connection is instantiated, the
> victim
> will unwillingly and transparently login into CITIRIX and perform
> several commands specified by the attacker. The attacker can
> simply
> instruct the remote desktop to download files from a remote TFTP
> server and execute them locally. Once the attack is performed, the
> local connection is terminated and the CITRIX session is cleared.
> No
> user interaction is required!
>
> CAUTION!!! The attack can be used to circumvent/bypass border
> firewalls and sneak into private networks. This attack is of type
> CRSF
> (Cross-site Request forgery), although it does not relay on Web
> bugs.
> The attack vector works flawlessly on IE and Firefox (when
> configured
> correctly). It also works with any email client or other types of
> file
> sharing mechanisms. All versions of CITRIX and CITRIX client are
> affected. The attack may fail on certain setups.
>
> If you manage to re-discover the type of vulnerability outlined in
> this post, we encourage you to keep it private. Give some time for
> the
> folks at CITRIX to react. Currently, I am not aware of any remedy
> against the attack. Given CITRIX's popularity among corporations
> and
> big organizations, it is highly recommended to take this warning
> with
> extra caution.
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

wpwEAQECAAYFAkcNFHoACgkQ+dWaEhErNvQM6AP/ekt3CCtqTxrnVyfYRDz57l9oeJVU
vIcKTIuERgLNLSCGdl21CqgAC2KinIfJaK/70KtV/P62Y5spou5/z4owCKNl8iP6czcp
36cXOwpL4+vHsTTebs4onGTDw7TZnSDf2YA+02kk58NYTjEwiav6MzY+pep64teQCj1h
7Sz/9Kc=
=nCB2
-----END PGP SIGNATURE-----


--
Click here to save up to 50% off a quality steel building.
http://tagline.hushmail.com/fc/Ioyw6h4esimyMWnRSMH37RdqH4pxtUNm1CNPeAwNOoshCui4UuKTva/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/