Vulnerability Development mailing list archives

Re: Citrix ICA Client Access Advisory(?)


From: "Jeremy Sanders" <jsanders () newsouthfederal com>
Date: Wed, 01 Aug 2001 09:32:21 -0500

This is normal. If you have an account on a Citrix server then you can open a desktop session anyway. Of course your 
rights are going to be restricted to what a normal domain user's rights would be. All that you're doing is specifying a 
specific program to start up. Anytime you run a published app from a Citrix server you actually have a full Windows 
session virtualized on the server; you only see the particular app that you are running, though. So you could probably run 
explorer.exe, but you wouldn't be able to run any apps that you wouldn't be able to run if you had a full desktop 
session.

Jeremy Sanders, CCNP CNE
Advanced Systems Engineer
New South Federal Savings Bank

sween <sween () modelm org> 07/31/01 10:38PM >>>

Any help here proving this valid/invalid would be hot.  I have
considerable interest, but limited resources.
Thanks!

Platform:
Windows Terminal Server NT 4.0

Synopsis:
Using an IE Web Client and a Linux Citrix ICA client I was able
to gain access to executables and files on a restricted drive (c:\).

Description:
Originally I was changing the application name in an attempt to
gain access to apps, but when I changed it to #gar I got an error message
conveying "The system cannot find the file specified."... which is always
an invitation to play.

Below is the listed launch.ica file that I used to
connect.  The only parameter that was changed was the 'InitialProgram=' parameter.
I simply removed the '#' symbol and replaced it with a valid
application and its path (c:\wtsrv\system32\cmd.exe).  I was able to
launch cmd.exe, telnet.exe (with arguments), the Citrix toolbar, etc. but
had no escalation in privileges.

The Citrix ICA Client for Linux was easy enough, since it allows you to
create the launch file on the fly...

screenshots:

Initial error with #gar as an application:
                http://www.modelm.org/proof.jpg 

Here is a shot of the edited launch.ica file after execution:
                http://www.modelm.org/proof1.jpg 

------launch.ica---


<!----<[NFuse_setSessionField NFuse_WindowType=closed]>---->

[WFClient]
Version=2
ClientName=

[ApplicationServers]=
30 year old script kiddie=

[30 year old script kiddie]
Address=citrixpooter:1496

#InitialProgram=v:\Documents and Settings\administrator\desktop\launch.ica

InitialProgram=c:\wtsrv\system32\cmd.exe 

DesiredColor=2
TransportDriver=
WinStationDriver=ICA 3.0

Username=
Domain=
Password=

Command=    --any input here would be fantastic

ClientAudio=On

ScreenPercent=80

[EncRC5-0]
DriverNameWin32=pdc0n.dll

[EncRC5-40]
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin32=pdc56n.dll

[EncRC5-128]
DriverNameWin32=pdc128n.dll

------end launch.ica--

--

 ---  -sween                               
| M | http://www.modelm.org                 
 ---  "force feedback computing since 1984."
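Added example (editor's code, not from either poster): a small Python parser and rewriter for launch.ica that replays the edit sween describes, so the point of the thread is visible in code. Everything in the .ica file, including InitialProgram=, is client-side input; the only thing standing between the user and cmd.exe is the rights the terminal server grants that account, exactly as Jeremy's reply says. Assumptions not stated on the page: ICA files are INI-style with `;`/`#` comment lines; an InitialProgram value beginning with `#` names a published application (which is why `#gar` produced "cannot find the file"), an empty value starts a full desktop, and anything else is a literal executable path. The embedded sample is a trimmed copy of the launch.ica posted above.

```python
import re
from typing import List, Optional, Tuple

# One parsed line: (section, key, value, raw_line). Lines that are not
# Key=Value pairs (blank, comments, section headers, the NFuse marker)
# carry key="" so the whole file can be written back unchanged.
Entry = Tuple[str, str, str, str]

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]")  # tolerates the stray trailing '='

# Trimmed copy of the launch.ica posted in the thread (not a new capture).
SAMPLE_ICA = r"""
<!----<[NFuse_setSessionField NFuse_WindowType=closed]>---->

[WFClient]
Version=2
ClientName=

[ApplicationServers]=
30 year old script kiddie=

[30 year old script kiddie]
Address=citrixpooter:1496
#InitialProgram=v:\Documents and Settings\administrator\desktop\launch.ica
InitialProgram=c:\wtsrv\system32\cmd.exe
WinStationDriver=ICA 3.0
Username=
Domain=
Password=
ClientAudio=On
ScreenPercent=80
""".lstrip()


def parse_ica(text: str) -> List[Entry]:
    """Parse INI-style ICA text, keeping every line so it can be re-emitted."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            entries.append((section, "", "", raw))
        elif not line or line[0] in ";#" or line.startswith("<!--") or "=" not in line:
            entries.append((section, "", "", raw))  # blank / comment / template marker
        else:
            key, _, value = line.partition("=")
            entries.append((section, key.strip(), value.strip(), raw))
    return entries


def server_entries(entries: List[Entry]) -> List[str]:
    """Connection names listed under [ApplicationServers]."""
    return [k for s, k, _, _ in entries if s == "ApplicationServers" and k]


def get_value(entries: List[Entry], section: str, key: str) -> Optional[str]:
    for s, k, v, _ in entries:
        if s == section and k == key:
            return v
    return None


def classify_initial_program(value: str) -> str:
    """How the server will read InitialProgram (assumed ICA semantics):
    '#Name' -> published application looked up by name ('#gar' gave
    'cannot find the file'); '' -> full desktop session; anything else
    -> a literal executable path, run with the account's own rights."""
    if value == "":
        return "desktop"
    if value.startswith("#"):
        return "published"
    return "path"


def set_value(entries: List[Entry], section: str, key: str, new_value: str) -> List[Entry]:
    """Return a copy with Key=Value rewritten; every other line is untouched."""
    out: List[Entry] = []
    hit = False
    for s, k, v, raw in entries:
        if s == section and k == key and not hit:
            out.append((s, k, new_value, f"{k}={new_value}"))
            hit = True
        else:
            out.append((s, k, v, raw))
    if not hit:
        raise KeyError(f"{key} not present in [{section}]")
    return out


def dump_ica(entries: List[Entry]) -> str:
    return "\n".join(raw for _, _, _, raw in entries) + "\n"


def rewrite_initial_program(text: str, new_value: str) -> Tuple[str, str, str]:
    """Replay sween's edit on the first connection entry.
    Returns (old value, how the server would classify it, new ICA text)."""
    entries = parse_ica(text)
    conn = server_entries(entries)[0]
    old = get_value(entries, conn, "InitialProgram") or ""
    edited = set_value(entries, conn, "InitialProgram", new_value)
    return old, classify_initial_program(old), dump_ica(edited)


if __name__ == "__main__":
    old, kind, new_text = rewrite_initial_program(SAMPLE_ICA, "#gar")
    print(f"was {old!r} ({kind}); now -> {classify_initial_program('#gar')}")
    print(new_text)
```

Run stand-alone it swaps the posted cmd.exe path back to the published-app reference `#gar` and prints the rewritten file; call `rewrite_initial_program(text, r"c:\wtsrv\system32\cmd.exe")` to go the other way. Nothing in this file is authenticated or validated client-side, which is why the check that matters is the server's: the account's rights and the ACLs on c:\, not the contents of launch.ica.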