Bugtraq mailing list archives
Citrix ICA Basic Encryption
From: dugsong () MONKEY ORG (Dug Song)
Date: Wed, 29 Mar 2000 09:59:55 -0500
The ICA (Independent Computing Architecture) protocol used in various Citrix products (Winframe, Metaframe) relies on a trivially cracked encryption scheme to protect user authentication.

The ICA basic encryption algorithm is a variant of the simple XOR scheme used for saved Winframe passwords:

    void decrypt(u_char key, u_char *p, int len)
    {
        int i;

        for (i = len; i > 0; i--)
            p[i] = p[i-1] ^ p[i] ^ key;

        p[0] ^= (key | 'C');
    }

Demonstration code to decrypt Winframe passwords stored in appsrv.ini:

    http://www.monkey.org/~dugsong/icadecrypt.c.txt

Demonstration code to sniff (and decrypt) ICA network authentication:

    http://www.monkey.org/~dugsong/dsniff/

Citrix offers a secure alternative called SecureICA, which uses Diffie-Hellman for key exchange and RC5 to encrypt the underlying transport (now at 128-bit strength worldwide). While this is certainly better than the simple XOR scheme outlined above, it may still be vulnerable to an active man-in-the-middle attack. Caveat user.

    http://www.citrix.com/products/sica/

Thanks to Jeremie Kass <jeremie () monkey org> for providing me with ICA traffic traces, and to Niels Provos <provos () monkey org> for sifting thru hexdumps with me. :-)

-d.

---
http://www.monkey.org/~dugsong/
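Added example, not part of the original post: the decrypt() recurrence above restated over an n-byte buffer, with its inverse derived from it, to show that the one-byte key only ever acts as a constant 8-bit mask and so offers obfuscation rather than confidentiality. The function names are hypothetical, the encode direction is derived here rather than taken from the post, and starting the loop at index n - 1 is an assumption about how len is meant.

```c
#include <string.h>

typedef unsigned char u8;

/* Same recurrence as decrypt() in the post, over n bytes in place.
 * Assumption: the loop starts at the last valid index, n - 1. */
void ica_decode(u8 key, u8 *p, size_t n)
{
    if (n == 0) return;
    for (size_t i = n - 1; i > 0; i--)
        p[i] = p[i - 1] ^ p[i] ^ key;   /* p[i-1] is still encoded here */
    p[0] ^= (key | 'C');
}

/* Inverse, derived from that recurrence (not taken from the post). */
void ica_encode(u8 key, u8 *p, size_t n)
{
    if (n == 0) return;
    p[0] ^= (key | 'C');
    for (size_t i = 1; i < n; i++)
        p[i] ^= p[i - 1] ^ key;         /* p[i-1] is already encoded */
}

/* Returns 1 if encode followed by decode restores msg (up to 64 bytes). */
int roundtrip_ok(u8 key, const char *msg)
{
    u8 buf[64];
    size_t n = strlen(msg);
    if (n > sizeof buf) return 0;
    memcpy(buf, msg, n);
    ica_encode(key, buf, n);
    ica_decode(key, buf, n);
    return memcmp(buf, msg, n) == 0;
}

/* Returns 1 if decoding c under k1 and under k2 differs by exactly
 * k1 ^ k2 at every index >= 1: the key is only a constant 8-bit mask. */
int key_is_constant_mask(const u8 *c, size_t n, u8 k1, u8 k2)
{
    u8 a[64], b[64];
    if (n > sizeof a) return 0;
    memcpy(a, c, n);
    memcpy(b, c, n);
    ica_decode(k1, a, n);
    ica_decode(k2, b, n);
    for (size_t i = 1; i < n; i++)
        if ((a[i] ^ b[i]) != (k1 ^ k2)) return 0;
    return 1;
}
```

Because every byte after the first is just the XOR of two adjacent encoded bytes and the key, data protected this way should be handled as if it were cleartext.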