Re: Citrix NFuse 1.6 - additional network exposureFrom: Bob Fiero (email@example.com)
- Previous message: Joshua Newton: "Re: Cert Advisory 2002-03 and HP JetDirect"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 20 Feb 2002 15:01:32 -0500 From: "Bob Fiero" <firstname.lastname@example.org> To: <@securityfocus.com <email@example.com>>
On a Citrix server supporting applications running off of a Novell Directory Services network, I found that additional information about the victim network can be discovered.
After opening the applist.asp page and seeing all configured applications, without authentication, I clicked on one of the apps. Another browser window opened with the following error:
There was an error:
This operation requires user credentials to be specified. The following session field was not set: NFUSE_USER
while opening the URL of:
I appended &NFUSE_USER=ABM&NFUSE_PASSWORD=byte-me to the URL. Note that the two parameters NFUSE_USER and NFUSE_PASSWORD were supplied with bogus parameters.
After a short period of time, Citrix presented me with a Novell client login screen. By clicking the Advanced button, I was able to browse Novell Directory Services for all tree, organizational units, and server names contained on the network. In the NT/2000 tab of the client, I was able to ascertain the name of the AD domain, and the server name hosting the Citrix published application.
As was and is still the case, as far as I can tell this bug only the exposes network information. But, exposure of information such as this is great for recognizance preceding further attacks.
I tested with a bogus application name after the NFuse_Application parameter, but only with a valid app name is this a problem.