0day: Hacking secured CITRIX from outside
http://www.gnucitizen.org/blog/0day-hacking-secured-citrix-from-outside
In the true spirit of GNUCITIZEN half(partial)-disclosure initiative,
we announce that it is possible to gain user access level on
integrated remote CITRIX servers. The bug/feature does not relay on
any client/server vulnerabilities nor client/server misconfiguration
issues. All an attacker needs to do to exploit the weakness is to lure
a victim, part of an integrated network, to a malicious website or
trick them into opening specially crafted ICA files. The attack
results into remote command execution with the access level of the
current user.
The success of the attack relays on the fact that the victim (the
proxy) is part of a CITRIX ring to which he/she can perform pass
through authentication. Once a connection is instantiated, the victim
will unwillingly and transparently login into CITIRIX and perform
several commands specified by the attacker. The attacker can simply
instruct the remote desktop to download files from a remote TFTP
server and execute them locally. Once the attack is performed, the
local connection is terminated and the CITRIX session is cleared. No
user interaction is required!
CAUTION!!! The attack can be used to circumvent/bypass border
firewalls and sneak into private networks. This attack is of type CRSF
(Cross-site Request forgery), although it does not relay on Web bugs.
The attack vector works flawlessly on IE and Firefox (when configured
correctly). It also works with any email client or other types of file
sharing mechanisms. All versions of CITRIX and CITRIX client are
affected. The attack may fail on certain setups.
If you manage to re-discover the type of vulnerability outlined in
this post, we encourage you to keep it private. Give some time for the
folks at CITRIX to react. Currently, I am not aware of any remedy
against the attack. Given CITRIX's popularity among corporations and
big organizations, it is highly recommended to take this warning with
extra caution.
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org