Penetration Testing mailing list archives
Re: Breaking MS applications published via Citrix
From: Matt Wagenknecht <matt.wagenknecht () quantum com>
Date: Mon, 10 May 2004 13:41:44 -0600
Office applications, especially Word, are notoriously bad in a Citrix environment. Even if Internet Explorer is not "published" to a user, putting a link (http://specialopssecurity.com) in a document and CTRL+clicking it will launch an Internet Explorer session from the Citrix server. If you are coming from the outside through a "secure gateway", you would have complete access to internal web content.
I have recently discovered that a link pointing to "file://c:/" dumps the Word session out of "seamless" mode and gives me a desktop from the Citrix server that has the context of the account I am using, consequently giving me access to all applications on the Citrix box, not just those apps published to me. You can then download whatever application you want and have fun.
Other things to look for:

1. Use dialog boxes to their full potential if you are stuck in a seamless application. "Save" or "Open" dialog boxes are great for finding EXEs and Right-click, Open.
2. Look for services running as SYSTEM that would present a GUI interface. Sometimes the interfaces will allow you to Save or will invoke Windows Help. From there, you could launch a DOS prompt or run other applications as SYSTEM since launched processes inherit the context of the parent process. Privilege escalation complete.
Citrix is so much fun to play with... :c)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Matt Wagenknecht CISSP | MCSE
Sr. Security Administrator
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic.

This email may contain confidential and privileged information for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies of this email message.

Chris McNab wrote:
Hi,

I've recently seen a number of our clients using Citrix (MetaFrame XP, NFuse, and Secure Gateway) to provide remote access via HTTP+SSL to published MS Office 2000 applications (Word, Excel, PowerPoint), Internet Explorer 6, and other home-grown applications.

In terms of hardening, the underlying application servers usually run Win2K Advanced Server, and are part of an Active Directory, so I recommend some strict permissions on executables (cmd.exe, net.exe, wscript.exe, regedt32.exe, etc.), folders, and registry keys as far as the 'AnonXXX' Citrix users are concerned, and object access auditing of potentially sensitive files through Group Policy Objects, to act as an early warning mechanism.

What I'd like to know is if any of you have experience with breaking published MS applications through Citrix in this way--in particular MS Office and Internet Explorer 6 to run arbitrary code on the Citrix application server. URLs to work that's already been done would be great too.

Thanks,
Chris

Chris McNab
Technical Director
Matta
18 Noel Street
London W1F 8GN
http://www.trustmatta.com

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
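The hardening Chris describes (strict execute permissions on cmd.exe, net.exe, wscript.exe, regedt32.exe for the anonymous Citrix users, plus object-access auditing as an early-warning mechanism) can be checked and applied with a short script. The following is an added example written for this archive page, not code from either poster or from Citrix; it assumes a modern Windows application server with PowerShell and a group containing the Citrix anonymous accounts, and the group name `DOMAIN\CitrixAnonUsers` is a placeholder to be replaced with the real 'AnonXXX' accounts or a group that holds them.

```powershell
<#
  Added example (not from the thread). Audits the executables Chris lists for
  an explicit Deny-ExecuteFile ACE for the Citrix anonymous-user group and,
  with -Enforce, adds that ACE plus a SACL audit rule so that every
  read/execute attempt on the binary by that group lands in the Security log.
  $Group is a placeholder; substitute the real Citrix 'AnonXXX' accounts or a
  group containing them. Run from an elevated shell on the application server.
#>
param(
    [string]$Group = "DOMAIN\CitrixAnonUsers",   # placeholder, not a real group name
    [switch]$Enforce
)

# The binaries named in the thread (cscript.exe added because wscript.exe
# alone leaves the console script host open).
$binaries = "cmd.exe", "net.exe", "wscript.exe", "cscript.exe", "regedt32.exe"
$targets  = $binaries |
    ForEach-Object { Join-Path $env:SystemRoot ("System32\" + $_) } |
    Where-Object { Test-Path $_ }

$execRight = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

# True when the DACL carries an explicit Deny ACE that covers ExecuteFile
# for the given identity. Inherited Allow ACEs (e.g. from BUILTIN\Users)
# lose to an explicit Deny, so this single ACE is what actually blocks execution.
function Test-ExplicitDeny {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $Identity -and
            (($ace.FileSystemRights -band $execRight) -eq $execRight)) {
            return $true
        }
    }
    return $false
}

foreach ($path in $targets) {
    if (Test-ExplicitDeny -Path $path -Identity $Group) {
        Write-Output "OK       $path : explicit Deny ExecuteFile for $Group"
        continue
    }
    Write-Output "FINDING  $path : no Deny ExecuteFile for $Group"
    if (-not $Enforce) { continue }

    # -Audit is required so the returned object carries the SACL as well as the DACL.
    $acl = Get-Acl -Path $path -Audit

    # Deny execute to the group.
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Group, 'ExecuteFile', 'Deny'
    $acl.AddAccessRule($deny)

    # SACL entry: record successful and failed read/execute attempts by the group.
    # Events only appear once "Audit object access" is enabled through Group Policy.
    $audit = New-Object System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList $Group, 'ReadAndExecute', 'Success, Failure'
    $acl.AddAuditRule($audit)

    Set-Acl -Path $path -AclObject $acl
    Write-Output "FIXED    $path : Deny ExecuteFile and audit rule applied for $Group"
}
```

Run it once without `-Enforce` to get a findings list, then with `-Enforce` after confirming that nothing the anonymous users legitimately need (logon scripts, published apps that shell out to cmd.exe) depends on those binaries; a Deny ACE on cmd.exe is exactly the kind of change that silently breaks a login script. The audit rule only produces events when object-access auditing is switched on via the GPO Chris mentions, so the Security log should be checked after the first test logon to confirm that the entries arrive.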
Current thread:
- Breaking MS applications published via Citrix Chris McNab (May 10)
- Re: Breaking MS applications published via Citrix Matt Wagenknecht (May 10)