Penetration Testing mailing list archives
Re: Citrix exploits?
From: "r@d" <m2rad () gmx net>
Date: Fri, 18 Aug 2006 22:54:38 +0200
This is quite hard to do, because Citrix Web Interface is usually installed in conjunction with Citrix Access Gateway or Citrix Secure Gateway, which inherits a ticketing system to validate the requested session. If you could break the Citrix Web Interface by exploiting one of the .dlls it's using, or finding errors in the .cs or .js files included with Web Interface (serverside/clientside folder), it would be possible to get unauthorized access to the application list; once there, it should be no problem requesting a ticket for a session. Citrix has several security bulletins on their website (support.citrix.com) on how this is done with two-factor 'protected' sites, where if two-factor fails, a path to the applist.htm is available to get unauthorized access to the application list. Still, you would need a username/password (i.e. test/test) to initially authenticate.

An easier option: usually Citrix Web Interface is installed as local administrator on IIS; break IIS, and you break Web Interface.
regards,
Rajendra Soebhag

----- Original Message -----
From: "Marc Ouwerkerk" <marc () olderchurch nl>
To: "'Ben Nell'" <enemy.cow () gmail com>; <pen-test () securityfocus com>
Sent: Monday, August 14, 2006 5:12 PM
Subject: RE: Citrix exploits?

If you have a valid user name and login, you can check if one of the MS applications installed (Word, Access, etc) has VBA enabled. You can then execute any dll that you upload to the machine.

Marc Ouwerkerk

-----Original Message-----
From: Ben Nell [mailto:enemy.cow () gmail com]
Sent: maandag 14 augustus 2006 5:56
To: pen-test () securityfocus com
Subject: Re: Citrix exploits?

On 11 Aug 2006 22:35:38 -0000, 09Sparky () gmail com <09Sparky () gmail com> wrote:
> Does anyone have any good techniques or exploits available for Citrix (web)? I am working on exploiting a citrix server with a front end webpage, but am unsuccessful. Any suggestions/thoughts?

Do you have a valid user name and login for the Citrix farm? If the launch.ica files (provided as links, once logged into the web interface) can be downloaded and opened in a text editor, they will provide you with information about the connection that the farm is set up to use.

Is the web interface using SSL? If the site's running over SSL, it's possible that they have their farm behind a Citrix Access Gateway (AG) or MetaFrame Secure Access Manager (MSAM). In the case that an AG or MSAM is deployed, the connection is encrypted on the backend, otherwise you should be able to capture session information on the backend. You can tell if one of these technologies is in use because ports 1494 (ICA) and 2598 (session reliability) will not be open in such a setup.

I would also note the type of farm that's set up. Citrix "best practice" suggests setting up a farm using the naming convention "meta01" for the first server in the farm and moving up. I would check for additional DNS names using the same convention.