0day Hacking Secured CITRIX From Outside

Wed, 10 Oct 2007 15:40:34 GMT
by pdp

In the true spirit of GNUCITIZEN half(partial)-disclosure movement, we announce that it is possible to gain user access level on CITRIX. The bug/feature does not rely on any client/server vulnerabilities nor client/server misconfiguration issues. All an attacker needs to do to exploit the weakness is to lure a victim to a malicious website or trick him/her into opening specially crafted ICA files. The attack results into remote command execution inside CITRIX with the access level of the current user.

The success of the attack relies on the fact that the victim is part of a CITRIX ring to which he/she can perform pass-through authentication. Once a connection is instantiated, the victim will unwillingly and transparently login into CITIRIX and perform several commands specified by the attacker. The attacker can simply instruct the remote desktop to download files from a remote TFTP server and execute them locally. Once the attack is performed, the local connection is terminated and the CITRIX session is cleared. No user interaction is required!

If you manage to re-discover the type of vulnerability outlined in this post, I encourage you to keep it private. Give some time for the folks at CITRIX to react. Currently, I am not aware of any remedy against the attack apart from turning off pass-through authentication. Given CITRIX's popularity among corporations and big organizations, it is highly recommended to take this warning with extra caution.

Archived Comments

Adrian PastorAdrian Pastor
Nice work. Let's keep the client-side hacks coming!
vindicvindic
Yes, very nice, thnx for good work ;)
zeridonzeridon
Looks nice, and also i see a storm brewing ... smth. like the 0day pdf.
rootkidrootkid
Oh bummer. Man, I was investigating the same stuff (citrix that is) at the moment, and somehow you are always a leap ahead. I hate that...:) Anyhow, good work as always. I would really like to have a chat with you someday if you happen to be around (any con you are on this year in europe?). Probably we can share ideas, if you like. Cheers.
pdppdp
rootkid, there is nothing on the horizon for me in europe for the rest of this year. feel free to contact me through!
hellboy726hellboy726
Nice!
pdppdp
hellboy726, interesting site you have there! reminds me of 1998... but I like it.
lollol
it just seems to be the category clickmyexecutableiwonthurt "exploit". unfortunately we can't patch users.
pdppdp
no user interaction is required!
wekridwekrid
will this hack also work with csg and cags?
pdppdp
Folk, apparently CITRIX has removed the YouTube videos due to some copyright violation. This is strange and the same time not the right way to handle security advisories. Still haven't got any response from them around the issue and I seriously doubt that this will ever happen. However, I am going to keep the POC private for now and give them a chance to react on the in sensible way.
hackathologyhackathology
Is this the same vulnerability found here? http://support.citrix.com/article/CTX112589
Major FukupMajor Fukup
One of the reasons why you should always give users on these systems minimum rights. Does it require a published desktop? Which virtual channels do you use? Regards M.F.
pdppdp
hackathology, nope, it is different. you should be able to figure it out though.
hackathologyhackathology
got it pdp. I found it
hackathologyhackathology
i found out the clue
NoobNoob
Question: If the user does not have pass through enabled, but does have stored credentials in the client- (username, password, domain) - will the attack still work?
pdppdp
Noob I haven't tested that but it should work in theory.
Kaustubh KumarKaustubh Kumar
Hi All, I need help in hacking citrix which can allow me to open websites in the citrix metaframe.
DHDH
Here is the fix, nice job PDP :-D XenApp 4.5 http://support.citrix.com/article/CTX116954