Re: Citrix NFuse 1.6 - additional network exposure

From: Bob Fiero (bfiero@mentalfloss.net)
Date: 02/20/02


Date: Wed, 20 Feb 2002 15:01:32 -0500
From: "Bob Fiero" <bfiero@mentalfloss.net>
To: <@securityfocus.com <bugtraq@securityfocus.com>>

On a Citrix server supporting applications running off of a Novell Directory Services network, I found that additional information about the victim network can be discovered.

After opening the applist.asp page and seeing all configured applications, without authentication, I clicked on one of the apps. Another browser window opened with the following error:

There was an error:
This operation requires user credentials to be specified. The following session field was not set: NFUSE_USER

while opening the URL of:

http://nfuse.insecureMSserver.com/launch.asp?NFuse_Application=LookOut&NFuse_MIMEExtension=.ica

I appended &NFUSE_USER=ABM&NFUSE_PASSWORD=byte-me to the URL. Note that the two parameters NFUSE_USER and NFUSE_PASSWORD were supplied with bogus parameters.

After a short period of time, Citrix presented me with a Novell client login screen. By clicking the Advanced button, I was able to browse Novell Directory Services for all tree, organizational units, and server names contained on the network. In the NT/2000 tab of the client, I was able to ascertain the name of the AD domain, and the server name hosting the Citrix published application.

As was and is still the case, as far as I can tell this bug only the exposes network information. But, exposure of information such as this is great for recognizance preceding further attacks.

I tested with a bogus application name after the NFuse_Application parameter, but only with a valid app name is this a problem.



Relevant Pages

  • Re: TIP #175: Add an -async Option to [open]
    ... > useful for writing network code, this functionality needs to be added. ... you try to do some IO just after opening), you'll block in this case - ... things like blocking/non-blocking and fileevents can be implemented. ... # this does not try to download anything yet ...
    (comp.lang.tcl)
  • Re: Problems opening web pages in Publisher
    ... version, it seems from reading in the general newsgroup, that there are ... Are you trying to open the files across a network? ... the files to the hard drive before opening, and don't try to save a copy ... (its a school website and 2002 machine is on a school network) ...
    (microsoft.public.publisher.webdesign)
  • Re: printer status stuck on opening when not connected to domain
    ... Where are you seeing "opening" and in what application? ... said that "the computer hangs and the user has to reboot". ... settings as soon as there is any network connection and keeps retrying ... Jan-Willem- Tekst uit oorspronkelijk bericht niet weergeven - ...
    (microsoft.public.windowsxp.print_fax)
  • Re: obscure problem
    ... Are you certain this PC is opening the same file? ... Have you tried opening the same file from other PCs on the network? ... network copy of an excel spreadsheet. ... Now that she has moved desks, ...
    (microsoft.public.excel.misc)
  • we consist them, then we poorly sit Lakhdar and Mikes blunt pin
    ... Just opening among a response on the part of the network is too numerous for Ayn to bend it. ...
    (sci.crypt)