Message-ID: <6905b1570710041255v424c5dffp5734b2dba358bb0b@mail.gmail.com>
Date: Thu, 4 Oct 2007 20:55:06 +0100
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: are the NetBIOS-like hacking days over? - wide open citrix services on critical domains

The other day I was performing some CITRIX testing, so I had a lot of
fun with hacking into GUIs, which, as most of you probably know, are
trivial to break into. I did play around with .ICA files as well, just
to make sure that the client is not affected by some obvious
client-side vulnerabilities. This exercise led me to reevaluate a great
many things about ICA (Independent Computing Architecture). When
querying Google and Yahoo for public .ICA files, I was presented with
tons of wide open services, some of which were located on .gov and
.mil domains. This is madness! No, this is the Web. Though, I wasn't
expecting what I found. Hacking like in the movies?

I did not poke any of the services I found, although it is obvious
what is insecure and what is not when it comes to citrix. It is enough
to look into the ICA files. With a few lines in bash combined with my
Google python script, I was able to dump all the ICA files that Google
knows about and do some interesting grepping on them. What I
discovered was unbelievable. Shall we start with the Global Logistics
systems or the US Government Federal Funding Citrix portals - all of
them wide open and susceptible to attacks. Again, no poking on my
side, just simple observation exercises on the information provided by
Google.

Just by looking into Google, I was able to find 114 wide open CITRIX
instances: 10 .gov, 4 .mil, 20 .edu, 27 .com, etc… The research was
conducted offline, therefore there might be some false positives.
Among the services discovered, there were several critical
applications which looked so interesting that I didn't even dare look
at their ICA files. I am trying to raise consumer awareness with
this article. I mean, it is 2007 people, it shouldn't be that simple.

I did write an article about my findings which you can read from here:
http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/

I've also created a video that shows the lamest way someone can use to
break into unprotected citrix, just to show the concepts.

CITRIX hacking is just like back in the old days with NetBIOS. It is
simple. It is malicious. It is highly effective. And the problem is
that CITRIX is pretty useful. Here is a dilemma for you:
Let's say that you have a pretty stable desktop app which you would
like to be available on the Web. What are you going to do? Port it to XHTML,
JavaScript and CSS? No way! You are most likely going to put it over
CITRIX.

I've also written a script which makes use of the ICAClient ActiveX
controller to enumerate remote Applications, Servers and Farms:
http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/enum.js

Let me know if you find this useful.

cheers

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
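The offline triage the post describes (dump the .ICA files a search engine knows about, then grep them for what makes a service "wide open") can be done with a small parser rather than ad-hoc bash. The following is an added example and is not the author's bash/Python script from the post. It assumes the usual ICA launch-file layout (an INI-style file with an [ApplicationServers] index and one section per published application carrying Address, InitialProgram, Username/ClearPassword/Domain and EncryptionLevelSession keys); the sample file embedded below is constructed for illustration and is not one of the files the post found.

```python
"""Audit .ICA session files for the "wide open" indicators the post greps for.

Added example, not the author's script.  Assumes the common ICA keys
(ApplicationServers, Address, InitialProgram, Username, Password,
ClearPassword, Domain, EncryptionLevelSession).  SAMPLE_ICA is constructed.
"""
import configparser

# Constructed sample .ICA file modelled on a typical published-application
# launch file.  Not a real file from the post's search results.
SAMPLE_ICA = """\
[WFClient]
Version=2
ClientName=WI_EXAMPLE
TcpBrowserAddress=192.0.2.10

[ApplicationServers]
Ledger=
Intranet Desktop=

[Ledger]
Address=192.0.2.10
InitialProgram=#Ledger
Username=guest
ClearPassword=guest
Domain=EXAMPLE
EncryptionLevelSession=Basic

[Intranet Desktop]
Address=192.0.2.11
InitialProgram=#Intranet Desktop
EncryptionLevelSession=EncRC5-128
"""

# Keys whose presence means the launch file carries its own logon.
CRED_KEYS = ("Username", "Password", "ClearPassword")


def parse_ica(text):
    """Parse ICA (INI-style) text; keep key case, tolerate bare keys."""
    cp = configparser.RawConfigParser(allow_no_value=True, strict=False)
    cp.optionxform = str          # do not lowercase ICA key names
    cp.read_string(text)
    return cp


def audit_ica(text):
    """Return {app_name: {address, program, issues}} for each published app."""
    cp = parse_ica(text)
    findings = {}
    if not cp.has_section("ApplicationServers"):
        return findings
    for app in cp["ApplicationServers"]:      # index of published apps
        if not cp.has_section(app):
            continue
        sec = cp[app]
        issues = []
        creds = [k for k in CRED_KEYS if sec.get(k)]
        if creds:
            issues.append("embedded credentials: " + ", ".join(creds))
        enc = (sec.get("EncryptionLevelSession") or "").strip().lower()
        if enc in ("", "basic"):
            issues.append("no session encryption (Basic)")
        elif enc == "encrc5-0":
            issues.append("encryption for logon only (EncRC5-0)")
        findings[app] = {
            "address": sec.get("Address"),
            "program": sec.get("InitialProgram"),
            "issues": issues,
        }
    return findings


def summarize(findings):
    """One grep-style line per app: status, host, app, program, issues."""
    lines = []
    for app, f in findings.items():
        status = "OPEN" if f["issues"] else "ok"
        lines.append(f"{status}\t{f['address']}\t{app}\t{f['program']}\t"
                     + "; ".join(f["issues"]))
    return lines


if __name__ == "__main__":
    # On a real corpus, feed each downloaded .ICA file's text to audit_ica().
    print("\n".join(summarize(audit_ica(SAMPLE_ICA))))
```

Two caveats when reading the output. The settings in an .ICA file are what the client will request; the server can still enforce a higher encryption level or reject the embedded account, so a flagged file is a lead to confirm with the owner, not proof of compromise. That is the same false-positive warning the post attaches to its own offline count. A file that carries a working Username/ClearPassword pair for a published desktop, however, is exactly the "legitimate backdoor" the post is talking about, regardless of what the server negotiates afterwards.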
