| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 07 Oct 2007 10:40:54 -0400 From: <full-disclosure@...hmail.com> To: <full-disclosure@...ts.grok.org.uk>,<pdp.gnucitizen@...glemail.com> Subject: Re: are the NetBIOS-like hacking days over? - wide open citrix services on critical domains -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SHUT UP On Thu, 04 Oct 2007 15:55:06 -0400 "pdp (architect)" <pdp.gnucitizen@...glemail.com> wrote: >The other day I was performing some CITRIX testing, so I had a lot >of >fun with hacking into GUIs, which, as most of you probably know, >are >trivial to break into. I did play around with .ICA files as well, >just >to make sure that the client is not affected by some obvious >client-side vulnerabilities. This exercise led me to reevaluate >great >many things about ICA (Independent Computing Architecture). When >querying Google and Yahoo for public .ICA files, I was presented >with >tones of wide open services, some of which were located on .gov >and >.mil domains. This is madness! No, this is the Web. Through, I >wasn't >expecting what I have found. Hacking like in the movies? > >I did not poke any of the services I found, although it is obvious >what is insecure and what is not when it comes to citrix. It is >enough >to look into the ICA files. With a few lines in bash combined with >my >Google python script, I was able to dump all the ICA files that >Google >knows about and do some interesting grepping on them. What I >discovered was unbelievable. Shall we start with the Global >Logistics >systems or the US Government Federal Funding Citrix portals - all >of >them wide open and susceptible to attacks. Again, no poking on my >side, just simple observation exercises on the information >provided by >Google. > >Just by looking into Google, I was able to find 114 wide open >CITRIX >instances: 10 .gov, 4 .mil, 20 .edu, 27 .com, etc… The research >was >conducted offline, therefore there might be some false positives. >Among the services discovered, there were several critical >applications which looked so interesting that I didn't even dare >look >at theirs ICA files. I am trying to raise the consumer awareness >with >this article. I mean, it is 2007 people, it shouldn't be that >simple. > >I did write and article about my findings which you can read from >here: >http://www.gnucitizen.org/blog/citrix-owning-the-legitimate- >backdoor/ > >I've also created a video that show the lamest way someone can use >to >break into unprotected citrix just to show the concepts. > >CITRIX hacking is just like back in the old days with NetBIOS. It >simple. It is malicious. It is highly effective. And the problem >is >that CITRIX is pretty useful. Here is a dilemma for you: >Let's say that you have a pretty stable desktop app which you >would >like to be available on the Web. What you gonna do? Port it to >XHTML, >JavaScript and CSS? No way! You are most likely going to put it >over >CITRIX. > >I've also wrote a script which makes use of ICAClient ActiveX >controller to enumerate remote Application, Servers and Farms: >http://www.gnucitizen.org/blog/citrix-owning-the-legitimate- >backdoor/enum.js > >Let me know if you find this useful. > >cheers > >-- >pdp (architect) | petko d. petkov >http://www.gnucitizen.org > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Charset: UTF8 Version: Hush 2.5 wpwEAQECAAYFAkcI7/YACgkQ+dWaEhErNvS36wP8Cxo00/NFSl7Z7Gbn5pZ95JyJozc5 N0oZGocSA2OClztJ4yMSiMwJ5NYXTuAGoYYCqeN0iqbYoPVxjdyEtTKx1g7GDmozGTBI BQva/eK5JoJU5w4/mhW3JwmOyvOhyZ8qL9pPF9717d5f68/A4hRx0VKeM9ghfsEV3V1O wS6ZEhQ= =77ds -----END PGP SIGNATURE----- -- Click for free information on court reporter careers, $100 per hour potential. http://tagline.hushmail.com/fc/Ioyw6h4dB34gPHFk5dCWg95E3wYzBrLQcPADHp9ZYNvj1kzDeO4iLG/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists