[NT] Citrix Metaframe Presentation Server Policies Bypassing

From: SecuriTeam (support_at_securiteam.com)
Date: 10/06/05

    To: list@securiteam.com
    Date: 6 Oct 2005 17:06:15 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Citrix Metaframe Presentation Server Policies Bypassing
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.citrix.com/> Citrix Presentation Server - "is the world's
    most widely deployed presentation server for centrally deploying and
    managing applications, especially in a heterogeneous environment, and
    delivering their functionality as a service to workers, wherever they may
    be."

    A vulnerability in Presentation Server allows a user to bypass Citrix
    policies that are applied by client name.

    DETAILS

    Vulnerable Systems:
     * Citrix Metaframe Presentation Server versions 3.0 and 4.0

    Citrix Presentation Server policies let administrators restrict the
    user environment. A policy can be applied by: client IP, server,
    user, or client name.

    When a user accesses an application in the Citrix environment through
    the Web Interface, the client name used is WI_*, where (*) is a random
    value like asdfserw34vc342dk. This prefix allows administrators to use
    Citrix policies based on the client name "WI_*". Such a policy can be
    used to restrict printer mapping, disk mapping, bandwidth, printer
    driver management, and so on.

    When the user launches an application from the Web Interface, the file
    "launch.ica" is downloaded and executed automatically.
    If the user instead saves launch.ica to his PC ("save as") and edits it
    with Notepad, he can change the ClientName value to something other
    than "WI_" and then execute the file.

    When the user connects to Presentation Server with the modified ICA
    file, the client name differs from the original one, so policies that
    are applied by the client name "WI_*" no longer match and are bypassed.

    Proof of concept:
    Here is an example extracted from launch.ica:

     [Encoding]
     InputEncoding=ISO8859_1
     [WFClient]
     Version=2
     ClientName=WI_XXXX -> change this value to another name to bypass the Citrix policies
     TransportReconnectEnabled=On
     RemoveICAFile=yes
     ProxyType=None
     ProxyTimeout=30000
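
Added example, not part of the original advisory: a small policy audit that models the behaviour described above and lists which policies depend on the client-supplied ClientName. The policy schema, the sample session values and the assumption that a policy applies only when all of its filters match are hypothetical; only the [WFClient] fragment and the "WI_*" filter come from the advisory.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: cleaned-up fragment of the launch.ica shown in the advisory.
SAMPLE_ICA = """\
[Encoding]
InputEncoding=ISO8859_1
[WFClient]
Version=2
ClientName=WI_XXXX
TransportReconnectEnabled=On
RemoveICAFile=yes
"""

# Constructed policy set (hypothetical schema). Filter kinds mirror the
# advisory's list: client IP, server, user, client name.
POLICIES = [
    {"name": "WI-no-drive-mapping", "filters": {"client_name": "WI_*"}},
    {"name": "Branch-bandwidth", "filters": {"client_ip": "10.1.*"}},
    {"name": "Contractors-no-print",
     "filters": {"user": "ctr-*", "client_name": "WI_*"}},
]

# Attributes the client reports about itself and can therefore change.
CLIENT_SUPPLIED = {"client_name"}

def client_name_from_ica(text):
    """Read ClientName from the [WFClient] section of an ICA file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp.get("WFClient", "ClientName")

def policies_for(session, policies=POLICIES):
    """Names of policies whose filters ALL match the session (assumed AND logic)."""
    return [p["name"] for p in policies
            if all(fnmatchcase(session.get(k, ""), pat)
                   for k, pat in p["filters"].items())]

def audit(policies=POLICIES):
    """Policies that stop applying if the client reports a different name."""
    return [p["name"] for p in policies if CLIENT_SUPPLIED & set(p["filters"])]

if __name__ == "__main__":
    base = {"user": "ctr-jdoe", "client_ip": "10.1.4.20"}
    issued = dict(base, client_name=client_name_from_ica(SAMPLE_ICA))
    renamed = dict(base, client_name="LAPTOP01")  # constructed non-WI_ name
    print("as issued :", policies_for(issued))
    print("renamed   :", policies_for(renamed))
    print("at risk   :", audit())
```

Policies reported by audit() are the ones to re-anchor on server-side attributes (user, server, client IP) or to cover with a default policy that applies regardless of client name.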

    Vendor Status:
     
     http://support.citrix.com/kb/entry!default.jspa?categoryID=275&externalID=CTX107705

    ADDITIONAL INFORMATION

    The information has been provided by Gustavo Gurmandi
    <gustavog@grupoiptro.com.ar>.
    The original article can be found at:
    http://www.grupoitpro.com.ar/ctxpoliciesbypass.txt
