Re: Citrix NFuse 1.6 - additional network exposure

From: Bob Fiero (bfiero@mentalfloss.net)
Date: 02/20/02


Date: Wed, 20 Feb 2002 15:01:32 -0500
From: "Bob Fiero" <bfiero@mentalfloss.net>
To: <@securityfocus.com <bugtraq@securityfocus.com>>

On a Citrix server supporting applications running off of a Novell Directory Services network, I found that additional information about the victim network can be discovered.

After opening the applist.asp page and seeing all configured applications, without authentication, I clicked on one of the apps. Another browser window opened with the following error:

There was an error:
This operation requires user credentials to be specified. The following session field was not set: NFUSE_USER

while opening the URL of:

http://nfuse.insecureMSserver.com/launch.asp?NFuse_Application=LookOut&NFuse_MIMEExtension=.ica

I appended &NFUSE_USER=ABM&NFUSE_PASSWORD=byte-me to the URL. Note that the two parameters NFUSE_USER and NFUSE_PASSWORD were supplied with bogus parameters.

After a short period of time, Citrix presented me with a Novell client login screen. By clicking the Advanced button, I was able to browse Novell Directory Services for all tree, organizational units, and server names contained on the network. In the NT/2000 tab of the client, I was able to ascertain the name of the AD domain, and the server name hosting the Citrix published application.

As was and is still the case, as far as I can tell this bug only the exposes network information. But, exposure of information such as this is great for recognizance preceding further attacks.

I tested with a bogus application name after the NFuse_Application parameter, but only with a valid app name is this a problem.