RE: Citrix application breakout - take care of Microsoft calculator

["Thor (Hammer of God)" <thor () hammerofgod com>]

Yep, XP and Server 2003's "calc" launches Notepad when you view the
eula.txt ;)  Vista and 2008 do not... they just open a pop-up window in
the same calc.exe process.  Any time you deploy remote desktop/remote
app solutions, you really need to ensure that you've covered all your
bases and ensured that you don't just count on the remote app deployment
mechanism to secure you -- you've got to have your permissions tight.

t



> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com] On Behalf Of Stefan Gora
> Sent: Friday, March 07, 2008 3:14 AM
> To: pen-test () securityfocus com
> Subject: Citrix application breakout - take care of Microsoft
> calculator
>
> Dear all,
>
> I'm not shure if the following issue is already known or exciting,
> nevertheless the following attack vector found during a penetration
> test
> might be interesting:
>
> A customer has built a Citrix environment for a partner company to
> provide access to a specific application. This application was
intended
> to be the only application accessible for this partner. It was
possible
> to get a remote task manager with CRTL-F3, but no other way of
> interacting with the Citrix Server (e.g. through printing or so).
>
> Unfortunately they have integrated Microsoft's calculator into the
> application. A bad idea - guess why ;-).
>
> Using the calculator you are able to do funny stuff: Open the
> calculator
> and click "info". Klick on the licence agreement and here you go, you
> have got an editor. With this you can use "open file" and browse the
> server, find for example Word and rightclick on "Open" - Word is
> running, and all other applications which you like as well ...
>
> I think this can easily be fixed using more restrictive file
> permissions, but I thought maybe some of you might find this
> information
> useful.
>
> Stefan
>
> --
> --------------------------------------------------------
> Identity Management Symposium 22.-23.04.2008 KA/Ettlingen
> http://www.identity-management-symposium.de
> --------------------------------------------------------
>
> Stefan Gora
> Security Consultant
>
> Secorvo Security Consulting GmbH
> Ettlinger Strasse 12-14, D-76137 Karlsruhe
> Tel. +49 721 255171-302, Fax +49 721 255171-100
> stefan.gora () secorvo de, http://www.secorvo.de
> PGP: 5EAD 34FE F3C1 0FEB  058F 4DD0 E6B3 FF4A
>
> Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox
-----------------------------------------------------------------------
> -
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
-----------------------------------------------------------------------
> -


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------