[NEWS] Serious Security Flaw in Citrix Client
From: support@securiteam.com Date: 12/27/01
From: support@securiteam.com To: list@securiteam.com Date: Thu, 27 Dec 2001 08:11:04 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Serious Security Flaw in Citrix Client
------------------------------------------------------------------------
SUMMARY
A security vulnerability in the Citrix client results in attackers being
able to perform any possible action on the client machine, including
reading any file, placing Trojan code or altering data.
DETAILS
Vulnerable systems:
Citrix client version 6.01
Citrix produces clients that can connect to a terminal server to run thin
client sessions. A popular use of the Citrix client/server model is
published applications, which enable thin clients to run 'heavy'
applications.
An implementation flaw exists in the Citrix client that allows a malicious
web site owner to perform virtually any action on the client machine
without first informing the user or obtaining explicit consent from the
user. This means that anyone who has the Citrix client installed (and
probably IE installed) and who surfs the internet on the same machine
is in danger of exploitation.
When a user has the Citrix client installed and therefore has an extension
mapping for .ICA files, the user will NOT be warned when downloading an
ICA file. The user is NOT asked whether to open or download the file; the
ICA file simply activates the Citrix client, and a connection to a remote
server can be made.
As a result, any malicious website owner (with access to a Citrix
terminal server) can place Trojan code on a client machine without the
consent of the client.
Example:
<iframe src="trojan.ica"></iframe>
Trojan.ica will connect to a published application (hosted on a Citrix
MetaFrame XP server) without first asking the user and place a (fake)
Trojan file on the client's hard drive. The published application is
simply a VBS script that copies the Trojan file from the local (terminal
server's) hard drive to the (mapped) client drive.
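The advisory's attack vector is an HTML element that references a .ICA resource, which the registered client opens without a download prompt. The following detection routine is an added example, not code from the advisory or from Citrix: it walks an HTML document (a constructed sample that includes the iframe line above) and reports every element whose src, href or data attribute points at a .ICA file, so a proxy, mail gateway or crawler can flag such pages before they reach a browser with the ICA client installed.

```python
"""Flag HTML that would silently launch the Citrix ICA client.

Added example (not part of the original advisory): a content-filter check
that looks for references to .ICA resources in HTML. Any <iframe>,
<object>, <embed>, <a> or <link> pointing at a .ica file can hand the file
to the registered client without a download prompt, so such references
are worth blocking or at least logging at the gateway.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value is fetched by the browser as a resource.
_URL_ATTRS = {"src", "href", "data"}


def _is_ica_url(url: str) -> bool:
    """True if the URL path ends in .ica (query string and fragment ignored)."""
    path = urlsplit(url.strip()).path
    return path.lower().endswith(".ica")


class IcaReferenceFinder(HTMLParser):
    """Collects (tag, attribute, url) for every .ica reference seen."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases attribute names; values keep their case.
        for name, value in attrs:
            if value and name in _URL_ATTRS and _is_ica_url(value):
                self.hits.append((tag.lower(), name, value))


def find_ica_references(html: str):
    """Return a list of (tag, attribute, url) tuples referencing .ica files."""
    parser = IcaReferenceFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample page; the <iframe> line is the one from the advisory.
SAMPLE_HTML = """
<html><body>
<p>Welcome</p>
<iframe src="trojan.ica"></iframe>
<object data="/apps/payroll.ICA?v=2" width="0" height="0"></object>
<a href="http://intranet.example/docs/manual.pdf">Manual</a>
<img src="logo.gif">
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_ica_references(SAMPLE_HTML):
        print(f"ICA reference: <{tag} {attr}={url!r}>")
```

The match is made on the URL path rather than on the raw attribute so that a query string or fragment appended to the file name does not hide the extension; the check is deliberately tag-agnostic because the client is invoked by the file association, not by the element type.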
After the script has run, the connection to the remote server is closed.
The client is not in any way warned or prompted that the remote server is
writing anything to the client's hard drive. Strangely enough, the ActiveX
client that was tested does ask the user for permission before the
published application can write to the client drive (this is the way it
should work).
To be clear, the malicious website owner can not only write to the
client but can also retrieve a complete listing of any file on the
machine or copy any file/document from the client's machine.
Vendor status:
Citrix was contacted on the 23rd of July and did not take this very
seriously at first. They mentioned that this was a known issue and did not
give me the idea that they were actively working on a fix.
Possible fixes (as given by Citrix):
* The Citrix ICA Clients for Apple Macintosh and for Unix have explicit
drive mapping dialogs which control client drive mapping, and also allow
read/write selection. Therefore, these clients will only be attacked if
such drive mappings are configured.
* When using the ICA Client for Java, you can set Java security to prevent
file access by Java applications. This will prevent disk access.
* Client Drive Mapping can be disabled in APPSRV.INI by adding the
setting:
CDMAllowed=Off
* In Internet Explorer, the File Download permission can be disabled. This
would avoid the exploit in the form described.
And Microsoft's recommended workaround for Outlook:
It's possible to configure the OESU (Outlook Security Update) to block
additional file types, including .ICA.
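Of the workarounds above, the APPSRV.INI setting is the one an administrator can verify and roll out across Windows clients. The following audit script is an added example, not code from the advisory or from Citrix: it parses the INI text, reports whether CDMAllowed=Off is present anywhere, and can emit a corrected copy with the setting applied. The [WFClient] section name used for the inserted key is an assumption about where the client keeps its settings; the constructed sample shows the weak file (drive mapping still allowed) beside the corrected output.

```python
"""Audit and harden the ICA client's APPSRV.INI for client drive mapping.

Added example, not code from the advisory or from Citrix. It checks for
the CDMAllowed=Off workaround quoted in the advisory and can rewrite the
file with that setting. ASSUMPTION: the key is placed in a [WFClient]
section; adjust ASSUMED_SECTION if the deployed client uses another one.
"""
import configparser
import io

SETTING = "CDMAllowed"
ASSUMED_SECTION = "WFClient"  # assumption, see module docstring


def _parse(ini_text: str) -> configparser.ConfigParser:
    """Parse INI text, keeping key case and tolerating duplicate entries."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # preserve key case as written in the file
    cp.read_string(ini_text)
    return cp


def client_drive_mapping_disabled(ini_text: str) -> bool:
    """True only if some section contains CDMAllowed=Off (case-insensitive)."""
    cp = _parse(ini_text)
    for section in cp.sections():
        for key, value in cp.items(section):
            if key.lower() == SETTING.lower() and value.strip().lower() == "off":
                return True
    return False


def disable_client_drive_mapping(ini_text: str) -> str:
    """Return a copy of the INI text with CDMAllowed=Off as the only CDM entry."""
    cp = _parse(ini_text)
    # Drop any existing CDMAllowed entries (for example CDMAllowed=On) so
    # that the hardened value is the only one left in the file.
    for section in cp.sections():
        for key in list(cp[section]):
            if key.lower() == SETTING.lower():
                cp.remove_option(section, key)
    if not cp.has_section(ASSUMED_SECTION):
        cp.add_section(ASSUMED_SECTION)
    cp.set(ASSUMED_SECTION, SETTING, "Off")
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # keep key=value form
    return out.getvalue()


# Constructed weak sample: drive mapping explicitly allowed.
WEAK_INI = """[WFClient]
Version=2
CDMAllowed=On

[ApplicationServers]
Payroll=
"""

if __name__ == "__main__":
    print("weak file disables CDM:", client_drive_mapping_disabled(WEAK_INI))
    hardened = disable_client_drive_mapping(WEAK_INI)
    print("hardened file disables CDM:", client_drive_mapping_disabled(hardened))
    print(hardened)
```

Because the advisory does not say which section the key belongs in, the check accepts the setting in any section, while the rewrite puts it in the assumed one; a deployment should confirm the section against the client's own documentation before pushing the file out.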
ADDITIONAL INFORMATION
The information has been provided by <mailto:unhackables@hotmail.com>
Kikkert Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.