Penetration Testing mailing list archives

Re: Citrix application breakout - take care of Microsoft calculator


From: "Shreyas Zare" <shreyas () technitium com>
Date: Tue, 18 Mar 2008 15:49:13 +0530

Also, you can disable the Task Scheduler service so that AT won't work.

On 3/18/08, Robert S. Slifkin <rob () slifkin net> wrote:
Yes, that can be particularly dangerous.  From there you can launch the
 explorer shell to get a full desktop and everything with System
 privileges.


 ____________________________________
 Robert S. Slifkin
 Email: Rob () slifkin net
 Phone: 203.962.3878

 -----Original Message-----
 From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
 On Behalf Of Bill Stout
 Sent: Monday, March 17, 2008 12:32 AM
 To: pen-test () securityfocus com
 Subject: Re: Citrix application breakout - take care of Microsoft
 calculator


 Or this command string, which will pop up a second command window, but
 with 'system' privileges.

 c:\> at 21:00 /interactive %systemroot%\system32\cmd.exe


 Bill Stout


 ----- Original Message ----
 > From: "infolookup () gmail com" <infolookup () gmail com>
 > To: Erik Soosalu <eriks () nationalfastfreight com>;
 > listbounce () securityfocus com; pen-test () securityfocus com
 > Sent: Wednesday, March 12, 2008 4:46:34 AM
 > Subject: Re: Citrix application breakout - take care of Microsoft
 > calculator
 >
 > A discussion of this nature started a while back where someone noted
 > that you could if given regular user rights on a Citrix terminal
 > still browse the network for shares.
 >
 > Right click your desktop, select new shortcut and browse to
 > system32/cmd.exe get a list of host name and available shares.
 >
 > Then open up MS word and create a link to the share, click on it then
 > you are browsing the share, or network place in question, in some
 > cases you can even browse the underlying Citrix server that you are
 > connected to, or create a folder and copy anything to it.
 > Sent from my Verizon Wireless BlackBerry
 >
 > -----Original Message-----
 > From: "Erik Soosalu"
 >
 > Date: Mon, 10 Mar 2008 12:50:40
 > To:
 > Subject: RE: Citrix application breakout - take care of Microsoft
 > calculator
 >
 >
 > Once you're in Notepad, File->Open, browse to Windows/system32, find
 > cmd.exe right click and open and you have a command prompt on the box.
 >
 > Of course, you could specify any UNC and get a file to load from
 > wherever you want. Not sure what the actual run permissions would
 > be....
 >
 > Erik
 >
 >
 >
 > ________________________________
 >
 > From: listbounce () securityfocus com on behalf of Stefan Gora
 > Sent: Fri 3/7/2008 6:13 AM
 > To: pen-test () securityfocus com
 > Subject: Citrix application breakout - take care of Microsoft
 > calculator
 >
 >
 >
 > Dear all,
 >
 > I'm not sure if the following issue is already known or exciting,
 > nevertheless the following attack vector found during a penetration
 > test might be interesting:
 >
 > A customer has built a Citrix environment for a partner company to
 > provide access to a specific application. This application was
 > intended to be the only application accessible for this partner. It
 > was possible to get a remote task manager with CTRL-F3, but no other
 > way of interacting with the Citrix Server (e.g. through printing or
 > so).
 >
 > Unfortunately they have integrated Microsoft's calculator into the
 > application. A bad idea - guess why ;-).
 >
 > Using the calculator you are able to do funny stuff: Open the
 > calculator and click "info". Click on the licence agreement and here
 > you go, you have got an editor. With this you can use "open file" and
 > browse the server, find for example Word and right-click on "Open" -
 > Word is running, and all other applications which you like as well ...
 >
 > I think this can easily be fixed using more restrictive file
 > permissions, but I thought maybe some of you might find this
 > information useful.
 >
 > Stefan
 >
 > --
 > --------------------------------------------------------
 > Identity Management Symposium 22.-23.04.2008 KA/Ettlingen
 > http://www.identity-management-symposium.de
 >
 > --------------------------------------------------------
 >
 > Stefan Gora
 > Security Consultant
 >
 > Secorvo Security Consulting GmbH
 > Ettlinger Strasse 12-14, D-76137 Karlsruhe Tel. +49 721 255171-302,
 > Fax +49 721 255171-100 stefan.gora () secorvo de, http://www.secorvo.de
 > PGP: 5EAD 34FE F3C1 0FEB 058F 4DD0 E6B3 FF4A
 >
 > Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox
 >
 > ----------------------------------------------------------------------
 > --
 > This list is sponsored by: Cenzic
 >
 > Need to secure your web apps NOW?
 > Cenzic finds more, "real" vulnerabilities fast.
 > Click to try it, buy it or download a solution FREE today!
 >
 > http://www.cenzic.com/downloads
 > ----------------------------------------------------------------------
 > --
 >

-- 
("Computers are useless. They can only give you answers." - Pablo Picasso)

Shreyas Zare
Co-Founder, Technitium
eMail: shreyas () technitium com

..::< The Technitium Team >::..
Visit us at www.technitium.com
Contact us at theteam () technitium com

Technitium Personal Computers
We believe in quality.
Visit http://pc.technitium.com for details.
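
Added example (not part of the original thread and not written by any of its posters): a read-only PowerShell audit of the two mitigations mentioned above, the Task Scheduler service that AT depends on and the file permissions on the binaries named in the thread. It assumes PowerShell 3.0 or later, run elevated on the published-application host; the binary list and the set of broad groups are illustrative choices.

```powershell
# Added example: read-only audit, changes nothing on the host.
# Binaries named in the thread (illustrative list; extend for your published apps).
$binaries = 'cmd.exe', 'at.exe', 'notepad.exe', 'calc.exe' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

# Well-known SIDs of groups that cover ordinary session users.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$execute = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile

# 1. Task Scheduler ("Schedule") service: AT jobs need it running.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Schedule'"
[pscustomobject]@{
    Check     = 'Task Scheduler service'
    State     = $svc.State
    StartMode = $svc.StartMode
    Hardened  = ($svc.State -ne 'Running' -and $svc.StartMode -eq 'Disabled')
} | Format-List

# 2. Allow ACEs that let broad groups execute the binaries.
$findings = foreach ($path in $binaries) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $execute) -eq 0) { continue }
        try {
            # Compare by SID so the check also works on localized systems.
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # account could not be resolved, skip it
        if ($broadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $path
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Each row in the table is a binary that ordinary session users can still launch from a file-open dialog.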
