Date: Mon, 8 Oct 2007 10:22:49 -0400
From: "Peter Dawson" <slash.pd@...il.com>
To: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: are the NetBIOS-like hacking days over? -
	wide open citrix services on critical domains

" all of them wide open and susceptible to attacks"

Unless you probe those vectors, will you be able to tell if they are
"susceptible to attacks"?!!

be rest assured nobody wants to dick around with us-cert.

nonetheless, pdp - that's a good writeup !!

/pd

On 10/4/07, pdp (architect) <pdp.gnucitizen@...glemail.com> wrote:
>
> The other day I was performing some CITRIX testing, so I had a lot of
> fun with hacking into GUIs, which, as most of you probably know, are
> trivial to break into. I did play around with .ICA files as well, just
> to make sure that the client is not affected by some obvious
> client-side vulnerabilities. This exercise led me to reevaluate a great
> many things about ICA (Independent Computing Architecture). When
> querying Google and Yahoo for public .ICA files, I was presented with
> tons of wide open services, some of which were located on .gov and
> .mil domains. This is madness! No, this is the Web. Though, I wasn't
> expecting what I found. Hacking like in the movies?
>
> I did not poke any of the services I found, although it is obvious
> what is insecure and what is not when it comes to citrix. It is enough
> to look into the ICA files. With a few lines in bash combined with my
> Google python script, I was able to dump all the ICA files that Google
> knows about and do some interesting grepping on them. What I
> discovered was unbelievable. Shall we start with the Global Logistics
> systems or the US Government Federal Funding Citrix portals - all of
> them wide open and susceptible to attacks. Again, no poking on my
> side, just simple observation exercises on the information provided by
> Google.
>
> Just by looking into Google, I was able to find 114 wide open CITRIX
> instances: 10 .gov, 4 .mil, 20 .edu, 27 .com, etc… The research was
> conducted offline, therefore there might be some false positives.
> Among the services discovered, there were several critical
> applications which looked so interesting that I didn't even dare look
> at their ICA files. I am trying to raise consumer awareness with
> this article. I mean, it is 2007 people, it shouldn't be that simple.
>
> I did write an article about my findings which you can read here:
> http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/
>
> I've also created a video that shows the lamest way someone can use to
> break into unprotected citrix, just to show the concepts.
>
> CITRIX hacking is just like back in the old days with NetBIOS. It's
> simple. It is malicious. It is highly effective. And the problem is
> that CITRIX is pretty useful. Here is a dilemma for you:
> Let's say that you have a pretty stable desktop app which you would
> like to be available on the Web. What are you gonna do? Port it to XHTML,
> JavaScript and CSS? No way! You are most likely going to put it over
> CITRIX.
>
> I've also written a script which makes use of the ICAClient ActiveX
> controller to enumerate remote Applications, Servers and Farms:
>
> http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/enum.js
>
> Let me know if you find this useful.
>
> cheers
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
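The quoted post says it is enough to look into a published .ICA file to tell whether a Citrix service is wide open. As an added example, not part of the thread and not pdp's script, here is the check a defender would run over the .ICA launch files under their own web root: it parses the INI-style file and flags each published application whose section stores a credential next to the server address. The credential key list and the sample file are this example's own assumptions, not an official Citrix reference.

```python
import configparser
from dataclasses import dataclass

# Credential keys checked for; this list is the example's assumption, not an official Citrix list.
CREDENTIAL_KEYS = ("Username", "Domain", "Password", "ClearPassword")

@dataclass
class IcaFinding:
    app: str
    address: str       # Address= of the application's section
    embedded: list     # credential keys stored next to that address
    wide_open: bool    # address plus a credential: the file alone is enough to log in
def _section(cp, name):
    for s in cp.sections():          # ICA section names are case-insensitive
        if s.lower() == name.lower():
            return cp[s]
    return None
def _value(section, key) -> str:
    for k, v in section.items():     # so are the keys
        if k.lower() == key.lower():
            return (v or "").strip()
    return ""
def audit_ica(text: str) -> list:
    """Parse an .ICA launch file (INI syntax) and report, per published
    application, its target address and any credential keys stored with it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str             # keep key case as written in the file
    cp.read_string(text)
    apps = _section(cp, "ApplicationServers")
    findings = []
    for app in (list(apps.keys()) if apps is not None else []):
        sect = _section(cp, app)
        if sect is None:
            continue
        address = _value(sect, "Address")
        embedded = [k for k in CREDENTIAL_KEYS if _value(sect, k)]
        findings.append(IcaFinding(app, address, embedded, bool(address and embedded)))
    return findings

# Constructed sample, not a real file: a launch file that carries both the server
# address and a service account, which is what makes a published file "wide open".
SAMPLE_ICA = """[WFClient]
Version=2
[ApplicationServers]
Payroll=
[Payroll]
Address=192.0.2.10:1494
Username=svc_payroll
Domain=EXAMPLE
Password=00112233aabbccdd
"""
```

Run `audit_ica` over every .ICA file your web server publishes; any finding with `wide_open` set is a launch file that hands out both the target and a login.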
