Crashing any Windows NT TSE running MetaFrame 1.8

From: morejunkmail@GMX.NET
Date: 08/08/02


Date:         Thu, 8 Aug 2002 13:47:04 +0200
From: morejunkmail@GMX.NET
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

PreScriptum: I posted this at thin-world.community.everyone.net first.
--------------------------------------------------------------------------------

I tried to contact Citrix about this bug I found, but they weren't
interested. (I haven't heard from them.)
So I'm posting it on a public forum for everyone to read.

Any WinNT4 TSE (Terminal Server Edition) running Citrix MetaFrame 1.8 can be
brought to its knees using the Java ICA web terminal interface without even
logging on to the server.

All the runtime files that are needed to do this are copied to the
cache folder of the browser used (e.g. IE uses the
Temporary Internet Files folder) when accessing a web terminal.

To put it simply: all a hacker/criminal has to do is create a mirror site
(or copy the files from the IE cache) of the Java ICA environment and make
a few small changes.

The changes are made in the HTML file that is used to
load the settings and then makes the ICA session available.

e.g.:
--------------
<applet code="com.citrix.JICA.class" archive="jicaengn.jar" width="800" height="600">
--------------

must be changed to:
--------------
<applet code="com.citrix.JICA.class" archive="jicaengn.jar" width="100%" height="100%">
--------------

All a hacker has to do now is load the HTML file in Internet Explorer,
set the browser to full screen (the F11 key is used in
Internet Explorer to make the window full screen) and refresh.

At first it may seem that nothing has happened, but in
fact all connected users are bumped off the server and
in most cases the server will "blue screen" and reboot
or freeze.

I don't think anyone else has noticed this
bug/exploit yet, or Citrix would have posted a patch by now.

I have confirmed this bug by testing it on 5 different
MetaFrame servers, and they all crashed(!).

Maybe this is a known problem (then I'm an idiot), but I'm pretty sure it's not.

Use this info in peace.
Tanin Ehrami

PS: This mail may be edited for editorial reasons.
