Penetration Testing mailing list archives
Re: Citrix application breakout - take care of Microsoft calculator
From: "Shreyas Zare" <shreyas () technitium com>
Date: Tue, 18 Mar 2008 15:49:13 +0530
Also, you can disable the Task Scheduler service so that AT wont work. On 3/18/08, Robert S. Slifkin <rob () slifkin net> wrote:
Yes, that can be particularly dangerous. From there you can launch the explorer shell to get a full desktop and everything with System privileges. ____________________________________ Robert S. Slifkin Email: Rob () slifkin net Phone: 203.962.3878 -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Bill Stout Sent: Monday, March 17, 2008 12:32 AM To: pen-test () securityfocus com Subject: Re: Citrix application breakout - take care of Microsoft calculator Or this command string, which will pop up a second command window, but with 'system' privileges. c:\> at 21:00 /interactive %systemroot%\system32\cmd.exe Bill Stout ----- Original Message ---- > From: "infolookup () gmail com" <infolookup () gmail com> > To: Erik Soosalu <eriks () nationalfastfreight com>; > listbounce () securityfocus com; pen-test () securityfocus com > Sent: Wednesday, March 12, 2008 4:46:34 AM > Subject: Re: Citrix application breakout - take care of Microsoft > calculator > > A discussion of this nature started a while back where someone noted > that you could if giving regular user rights on a Citrix terminal > still browse the network for shares. > > Right click your desktop, select new shortcut and browse to > system32/cmd.exe get a list of host name and available shares. > > Then open up MS word and create a link to the share, click on it then > you are browsing the share, or network place in question, in some > cases you can even browse the underlining Citrix server that you are > connected too, or create a folder and copy anything to it. > Sent from my Verizon Wireless BlackBerry > > -----Original Message----- > From: "Erik Soosalu" > > Date: Mon, 10 Mar 2008 12:50:40 > To: > Subject: RE: Citrix application breakout - take care of Microsoft > calculator > > > Once you're in Notepad, File->Open, browse to Windows/system32, find > cmd.exe right click and open and you have a command prompt on the box. > Of course, your could specify any UNC and get a file to load from > wherever you want. Not sure what the actual run permissions would be.... > > Erik > > > > ________________________________ > > From: listbounce () securityfocus com on behalf of Stefan Gora > Sent: Fri 3/7/2008 6:13 AM > To: pen-test () securityfocus com > Subject: Citrix application breakout - take care of Microsoft > calculator > > > > Dear all, > > I'm not shure if the following issue is already known or exciting, > nevertheless the following attack vector found during a penetration > test might be interesting: > > A customer has built a Citrix environment for a partner company to > provide access to a specific application. This application was > intended to be the only application accessible for this partner. It > was possible to get a remote task manager with CRTL-F3, but no other > way of interacting with the Citrix Server (e.g. through printing or so). > > Unfortunately they have integrated Microsoft's calculator into the > application. A bad idea - guess why ;-). > > Using the calculator you are able to do funny stuff: Open the > calculator and click "info". Klick on the licence agreement and here > you go, you have got an editor. With this you can use "open file" and > browse the server, find for example Word and rightclick on "Open" - > Word is running, and all other applications which you like as well ... > > I think this can easily be fixed using more restrictive file > permissions, but I thought maybe some of you might find this > information useful. > > Stefan > > -- > -------------------------------------------------------- > Identity Management Symposium 22.-23.04.2008 KA/Ettlingen > http://www.identity-management-symposium.de > > -------------------------------------------------------- > > Stefan Gora > Security Consultant > > Secorvo Security Consulting GmbH > Ettlinger Strasse 12-14, D-76137 Karlsruhe Tel. +49 721 255171-302, > Fax +49 721 255171-100 stefan.gora () secorvo de, http://www.secorvo.de > PGP: 5EAD 34FE F3C1 0FEB 058F 4DD0 E6B3 FF4A > > Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox > > ---------------------------------------------------------------------- > -- > This list is sponsored by: Cenzic > > Need to secure your web apps NOW? > Cenzic finds more, "real" vulnerabilities fast. > Click to try it, buy it or download a solution FREE today! > > http://www.cenzic.com/downloads > ---------------------------------------------------------------------- > -- > > > > > > ---------------------------------------------------------------------- > -- > This list is sponsored by: Cenzic > > Need to secure your web apps NOW? > Cenzic finds more, "real" vulnerabilities fast. > Click to try it, buy it or download a solution FREE today! > > http://www.cenzic.com/downloads > ---------------------------------------------------------------------- > -- ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------ ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
-- ("Computers are useless. They can only give you answers." - Pablo Picasso) Shreyas Zare Co-Founder, Technitium eMail: shreyas () technitium com ..::< The Technitium Team >::.. Visit us at www.technitium.com Contact us at theteam () technitium com Technitium Personal Computers We believe in quality. Visit http://pc.technitium.com for details. ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Citrix application breakout - take care of Microsoft calculator Stefan Gora (Mar 07)
- RE: Citrix application breakout - take care of Microsoft calculator Thor (Hammer of God) (Mar 07)
- RE: Citrix application breakout - take care of Microsoft calculator Shenk, Jerry A (Mar 08)
- Re: Citrix application breakout - take care of Microsoft calculator Gleb Paharenko (Mar 12)
- Re: Citrix application breakout - take care of Microsoft calculator sherwyn . williams (Mar 13)
- RE: Citrix application breakout - take care of Microsoft calculator Erik Soosalu (Mar 12)
- Re: Citrix application breakout - take care of Microsoft calculator infolookup (Mar 13)
- <Possible follow-ups>
- Re: Citrix application breakout - take care of Microsoft calculator Bill Stout (Mar 17)
- RE: Citrix application breakout - take care of Microsoft calculator Robert S. Slifkin (Mar 18)
- Re: Citrix application breakout - take care of Microsoft calculator Shreyas Zare (Mar 18)
- RE: Citrix application breakout - take care of Microsoft calculator Robert S. Slifkin (Mar 18)
- RE: Citrix application breakout - take care of Microsoft calculator Thor (Hammer of God) (Mar 07)