| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Oct 2007 14:05:46 -0400 From: <full-disclosure@...hmail.com> To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>, <pdp.gnucitizen@...glemail.com> Subject: Re: 0day: Hacking secured CITRIX from outside -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SHUT UP VLADIS On Wed, 10 Oct 2007 11:47:23 -0400 "pdp (architect)" <pdp.gnucitizen@...glemail.com> wrote: >http://www.gnucitizen.org/blog/0day-hacking-secured-citrix-from- >outside > >In the true spirit of GNUCITIZEN half(partial)-disclosure >initiative, >we announce that it is possible to gain user access level on >integrated remote CITRIX servers. The bug/feature does not relay >on >any client/server vulnerabilities nor client/server >misconfiguration >issues. All an attacker needs to do to exploit the weakness is to >lure >a victim, part of an integrated network, to a malicious website or >trick them into opening specially crafted ICA files. The attack >results into remote command execution with the access level of the >current user. > >The success of the attack relays on the fact that the victim (the >proxy) is part of a CITRIX ring to which he/she can perform pass >through authentication. Once a connection is instantiated, the >victim >will unwillingly and transparently login into CITIRIX and perform >several commands specified by the attacker. The attacker can >simply >instruct the remote desktop to download files from a remote TFTP >server and execute them locally. Once the attack is performed, the >local connection is terminated and the CITRIX session is cleared. >No >user interaction is required! > >CAUTION!!! The attack can be used to circumvent/bypass border >firewalls and sneak into private networks. This attack is of type >CRSF >(Cross-site Request forgery), although it does not relay on Web >bugs. >The attack vector works flawlessly on IE and Firefox (when >configured >correctly). It also works with any email client or other types of >file >sharing mechanisms. All versions of CITRIX and CITRIX client are >affected. The attack may fail on certain setups. > >If you manage to re-discover the type of vulnerability outlined in >this post, we encourage you to keep it private. Give some time for >the >folks at CITRIX to react. Currently, I am not aware of any remedy >against the attack. Given CITRIX's popularity among corporations >and >big organizations, it is highly recommended to take this warning >with >extra caution. > >-- >pdp (architect) | petko d. petkov >http://www.gnucitizen.org > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Charset: UTF8 Version: Hush 2.5 wpwEAQECAAYFAkcNFHoACgkQ+dWaEhErNvQM6AP/ekt3CCtqTxrnVyfYRDz57l9oeJVU vIcKTIuERgLNLSCGdl21CqgAC2KinIfJaK/70KtV/P62Y5spou5/z4owCKNl8iP6czcp 36cXOwpL4+vHsTTebs4onGTDw7TZnSDf2YA+02kk58NYTjEwiav6MzY+pep64teQCj1h 7Sz/9Kc= =nCB2 -----END PGP SIGNATURE----- -- Click here to save up to 50% off a quality steel building. http://tagline.hushmail.com/fc/Ioyw6h4esimyMWnRSMH37RdqH4pxtUNm1CNPeAwNOoshCui4UuKTva/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists