Penetration Testing mailing list archives

Re: Breaking MS applications published via Citrix


From: Matt Wagenknecht <matt.wagenknecht () quantum com>
Date: Mon, 10 May 2004 13:41:44 -0600

Office applications, especially Word, are notoriously bad in a Citrix environment. Even if Internet Explorer is not "published" to a user, putting a link (http://specialopssecurity.com) in a document and CTRL+clicking it will launch an Internet Explorer session from the Citrix server. If you are coming from the outside through a "secure gateway", you would have complete access to internal web content.

I have recently discovered that a link pointing to "file://c:/" dumps the Word session out of "seamless" mode and gives me a desktop from the Citrix server that has the context of the account I am using, consequently giving me access to all applications on the Citrix box, not just those apps published to me. You can then download whatever application you want and have fun.

Other things to look for:
1. Use dialog boxes to their full potential if you are stuck in a seamless application. "Save" or "Open" dialog boxes are great for finding EXEs and Right-click, Open.
2. Look for services running as SYSTEM that would present a GUI interface. Sometimes the interfaces will allow you to Save or will invoke Windows Help. From there, you could launch a DOS prompt or run other applications as SYSTEM since launched processes inherit the context of the parent process. Privilege escalation complete.

Citrix is so much fun to play with... :c)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Matt Wagenknecht                          CISSP  |  MCSE
Sr. Security Administrator
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Never be afraid to try something new.
Remember, amateurs built the ark; professionals built the Titanic.

This email may contain confidential and privileged information for the
sole use of the intended recipient. Any review or distribution by others
is strictly prohibited. If you are not the intended recipient, please
contact the sender and delete all copies of this email message.



Chris McNab wrote:

Hi,

I've recently seen a number of our clients using Citrix (MetaFrame XP,
NFuse, and Secure Gateway) to provide remote access via HTTP+SSL to
published MS Office 2000 applications (Word, Excel, PowerPoint), Internet
Explorer 6, and other home-grown applications. In terms of hardening, the
underlying application servers usually run Win2K Advanced Server, and are
part of an Active Directory, so I recommend some strict permissions on
executables (cmd.exe, net.exe, wscript.exe, regedt32.exe, etc.), folders,
and registry keys as far as the 'AnonXXX' Citrix users are concerned, and
object access auditing of potentially sensitive files through Group Policy
Objects, to act as an early warning mechanism.

What I'd like to know is if any of you have experience with breaking
published MS applications through Citrix in this way--in particular MS
Office and Internet Explorer 6 to run arbitrary code on the Citrix
application server. URLs to work that's already been done would be great
too.

Thanks,

Chris


Chris McNab
Technical Director

Matta
18 Noel Street
London W1F 8GN

http://www.trustmatta.com
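The hardening Chris describes (restricting cmd.exe, net.exe, wscript.exe, regedt32.exe and similar binaries for the Citrix anonymous accounts, plus object-access auditing as an early warning) is easy to state and easy to leave half-done. The script below is an added example written for this archive page; it is not code from either poster. It reports, for each listed executable, whether a chosen principal holds an explicit ExecuteFile allow in the file's DACL, and with `-AddFailureAudit` it adds a failure-audit SACL entry so blocked execution attempts show up as object-access events in the Security log (the "Audit File System" / object access policy still has to be enabled through GPO or auditpol). The default principal `BUILTIN\Users` and the executable list are assumptions; substitute the local 'AnonXXX' accounts or a group that contains them.

```powershell
<#
 Added example for the thread above, not part of the original posts.
 Reports explicit execute permissions on sensitive System32 binaries for one
 principal and optionally adds a failure-audit SACL entry to each of them.
 The principal and the executable list are assumptions to adjust locally.
#>
param(
    [string]$Principal = 'BUILTIN\Users',   # assumption: replace with the Citrix anonymous users' group
    [string[]]$Executables = @('cmd.exe', 'net.exe', 'wscript.exe', 'cscript.exe', 'regedt32.exe', 'regedit.exe'),
    [switch]$AddFailureAudit                # writing a SACL needs admin rights (SeSecurityPrivilege)
)

$system32 = Join-Path $env:SystemRoot 'System32'
$exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

function Get-ExplicitExecuteState {
    param([string]$Path, [string]$Identity)
    # Walks only DACL entries that name $Identity directly; group membership is
    # not expanded, so treat the result as a first-pass report, not effective access.
    $acl = Get-Acl -Path $Path
    $state = 'NoExplicitEntry'
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if (([int]$ace.FileSystemRights -band [int]$exec) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return 'ExecuteDenied' }  # an explicit deny wins
        $state = 'ExecuteAllowed'
    }
    return $state
}

function Add-ExecuteFailureAudit {
    param([string]$Path, [string]$Identity)
    # Adds a SACL rule so failed execute attempts by $Identity are logged once
    # object-access auditing is enabled (GPO or 'auditpol /set /subcategory:"File System" /failure:enable').
    $acl = Get-Acl -Path $Path -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $Identity, $exec, 'Failure'
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($name in $Executables) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -Path $path)) {
        [pscustomobject]@{ Executable = $name; Principal = $Principal; State = 'NotPresent' }
        continue
    }
    if ($AddFailureAudit) { Add-ExecuteFailureAudit -Path $path -Identity $Principal }
    [pscustomobject]@{
        Executable = $name
        Principal  = $Principal
        State      = Get-ExplicitExecuteState -Path $path -Identity $Principal
    }
}
```

Run it from an elevated prompt on the application server as `.\Check-PublishedAppHardening.ps1 -Principal 'DOMAIN\CitrixAnonUsers'` (script name and group are placeholders). A row reading `NoExplicitEntry` does not mean the account cannot run the binary: inherited rights through BUILTIN\Users usually still allow it, which is exactly the case the explicit deny is meant to cover, so an `ExecuteDenied` row is the state to aim for on every listed file.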


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
