lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20071007144055.4E2ACDA827@mailserver7.hushmail.com>
Date: Sun, 07 Oct 2007 10:40:54 -0400
From: <full-disclosure@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>,<pdp.gnucitizen@...glemail.com>
Subject: Re: are the NetBIOS-like hacking days over? -
	wide open citrix services on critical domains

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHUT UP

On Thu, 04 Oct 2007 15:55:06 -0400 "pdp (architect)"
<pdp.gnucitizen@...glemail.com> wrote:
>The other day I was performing some CITRIX testing, so I had a lot
>of
>fun with hacking into GUIs, which, as most of you probably know,
>are
>trivial to break into. I did play around with .ICA files as well,
>just
>to make sure that the client is not affected by some obvious
>client-side vulnerabilities. This exercise led me to reevaluate
>great
>many things about ICA (Independent Computing Architecture). When
>querying Google and Yahoo for public .ICA files, I was presented
>with
>tones of wide open services, some of which were located on .gov
>and
>.mil domains. This is madness! No, this is the Web. Through, I
>wasn't
>expecting what I have found. Hacking like in the movies?
>
>I did not poke any of the services I found, although it is obvious
>what is insecure and what is not when it comes to citrix. It is
>enough
>to look into the ICA files. With a few lines in bash combined with
>my
>Google python script, I was able to dump all the ICA files that
>Google
>knows about and do some interesting grepping on them. What I
>discovered was unbelievable. Shall we start with the Global
>Logistics
>systems or the US Government Federal Funding Citrix portals - all
>of
>them wide open and susceptible to attacks. Again, no poking on my
>side, just simple observation exercises on the information
>provided by
>Google.
>
>Just by looking into Google, I was able to find 114 wide open
>CITRIX
>instances: 10 .gov, 4 .mil, 20 .edu, 27 .com, etc… The research
>was
>conducted offline, therefore there might be some false positives.
>Among the services discovered, there were several critical
>applications which looked so interesting that I didn't even dare
>look
>at theirs ICA files. I am trying to raise the consumer awareness
>with
>this article. I mean, it is 2007 people, it shouldn't be that
>simple.
>
>I did write and article about my findings which you can read from
>here:
>http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-
>backdoor/
>
>I've also created a video that show the lamest way someone can use
>to
>break into unprotected citrix just to show the concepts.
>
>CITRIX hacking is just like back in the old days with NetBIOS. It
>simple. It is malicious. It is highly effective. And the problem
>is
>that CITRIX is pretty useful. Here is a dilemma for you:
>Let's say that you have a pretty stable desktop app which you
>would
>like to be available on the Web. What you gonna do? Port it to
>XHTML,
>JavaScript and CSS? No way! You are most likely going to put it
>over
>CITRIX.
>
>I've also wrote a script which makes use of ICAClient ActiveX
>controller to enumerate remote Application, Servers and Farms:
>http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-
>backdoor/enum.js
>
>Let me know if you find this useful.
>
>cheers
>
>--
>pdp (architect) | petko d. petkov
>http://www.gnucitizen.org
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

wpwEAQECAAYFAkcI7/YACgkQ+dWaEhErNvS36wP8Cxo00/NFSl7Z7Gbn5pZ95JyJozc5
N0oZGocSA2OClztJ4yMSiMwJ5NYXTuAGoYYCqeN0iqbYoPVxjdyEtTKx1g7GDmozGTBI
BQva/eK5JoJU5w4/mhW3JwmOyvOhyZ8qL9pPF9717d5f68/A4hRx0VKeM9ghfsEV3V1O
wS6ZEhQ=
=77ds
-----END PGP SIGNATURE-----

--
Click for free information on court reporter careers, $100 per hour potential.
http://tagline.hushmail.com/fc/Ioyw6h4dB34gPHFk5dCWg95E3wYzBrLQcPADHp9ZYNvj1kzDeO4iLG/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ