Re: Citrix exploits?

["r@d" <m2rad () gmx net>]

This is quite hard to do, because Citrix Web Interface, usually is installed 
in conjuntion with Citrix Access Gateway or Citrix Secure Gateway, that 
inherits a ticketing system to validate the requisted session. If you could 
break the Citrix Web Interface by exploiting one of the .dll's its using, or 
finding error's in the .cs or .js files included with Web Interface 
(serverside/clientside folder) it would be possible to get unauthorized 
access to the application list, once there, it should be no problem 
requesting a ticket for a session. Citrix has several security bulletins on 
their website (support.citrix.com) how this is done with two factor 
'protected' sites, where if two factor fails, a path to the applist.htm is 
available to get unauthorized access to the application list. Still you 
would need a username/password (ie test/test) to initially authenticatie. A 
more easy option: Usually Citrix Web Interface is installed as local 
administrator on IIS, break IIS, and you break Web Interface.

regards, Rajendra Soebhag

----- Original Message ----- 
From: "Marc Ouwerkerk" <marc () olderchurch nl>
To: "'Ben Nell'" <enemy.cow () gmail com>; <pen-test () securityfocus com>
Sent: Monday, August 14, 2006 5:12 PM
Subject: RE: Citrix exploits?


> If you have a valid user name and login, you can check if one of the MS
> applications installed (Word, Access, etc) have VBA enabled. You can then
> execute any dll that you upload to the machine.
>
>
> Marc Ouwerkerk
>
> -----Original Message-----
> From: Ben Nell [mailto:enemy.cow () gmail com]
> Sent: maandag 14 augustus 2006 5:56
> To: pen-test () securityfocus com
> Subject: Re: Citrix exploits?
>
> On 11 Aug 2006 22:35:38 -0000, 09Sparky () gmail com <09Sparky () gmail com>
> wrote:
> > Does anyone have any good techniques or exploits available for Citrix
> (web)? I am working on exploiting a citrix server with a front end 
> webpage,
> but am unsuccessful.  Any suggestions/thoughts?
>
> Do you have a valid user name and login for the Citrix farm?  If the
> launch.ica files (provided as links, once logged into the web
> interface) can be downloaded and opened in a text editor, they will 
> provide
> you with information about the connection that the farm is set up to use.
> Is the web interface using SSL?  If the site's running over SSL, it's
> possible that they have their farm behind a Citrix Access Gateway (AG) or
> MetaFrame Secure Acess Manager (MSAM).  In the case that an AG or MSAM is
> deployed, the connection is encrypted on the backend, otherwise you should
> be able to capture session information on the backend.  You can tell if 
> one
> of these technologies is in use because ports 1494 (ICA) and 2598 (session
> reliability) will not be open in such a setup.
>
> I would also note the type of farm that's set up.  Citrix "best practice"
> suggests setting up a farm using the naming convention "meta01" for the
> first server in the farm and moving up.  I would check for additional DNS
> names using the same convention.
>
> ----------------------------------------------------------------------------
> --
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win the 
> Analyst's
> Choice Award from eWeek. As attacks through web applications continue to
> rise, you need to proactively protect your applications from hackers. 
> Cenzic
> has the most comprehensive solutions to meet your application security
> penetration testing and vulnerability management needs. You have an option
> to go with a managed service (Cenzic ClickToSecure) or an enterprise
> software (Cenzic Hailstorm). Download FREE whitepaper on how a managed
> service can help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request () cenzic com for details.
> ----------------------------------------------------------------------------
> --
>
>
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win the 
> Analyst's
> Choice Award from eWeek. As attacks through web applications continue to 
> rise,
> you need to proactively protect your applications from hackers. Cenzic has 
> the
> most comprehensive solutions to meet your application security penetration
> testing and vulnerability management needs. You have an option to go with 
> a
> managed service (Cenzic ClickToSecure) or an enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request () cenzic com for details.
> ------------------------------------------------------------------------------


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------