CITRIX Owning the Legitimate Backdoor

Thu, 04 Oct 2007 16:26:51 GMT
by pdp

The Internet is full of wide open CITRIX gateways. This is madness!

The other day I was doing some CITRIX poking, so I had a lot of fun breaking GUIs, which, as most of you probably know, are trivial to break. I played around with .ICA files as well, just to make sure that the client is not affected by some obvious client-side vulnerabilities. This exercise led me to reevaluate many things about ICA (Independent Computing Architecture). For example, when querying Google and Yahoo for public .ICA files, I was presented with tons of wide open services, some of which were located on .gov and .mil domains.

This is madness! No, this is the Web. Though, I wasn't expecting what I found. Hacking like in the movies? You bet!

Google: [ext:ica](http://www.google.com/search?q=ext:ica), Yahoo: [originurlextension:ica](http://search.yahoo.com/search?p=originurlextension:ica)

I did not poke any of the services I found, although when it comes to Citrix it is obvious which ones are insecure and which are not: it is enough to look into the ICA file. I am not planning to go into details here, but let's say for now that the ICA file gives you hints about the server, the underlying transport mechanism and, of course, the remote application that will be opened.

With a few lines of bash combined with my Google Python script, I was able to dump all the ICA files that Google knows about and do some interesting grepping on them. What I discovered was unbelievable. Shall we start with the Global Logistics systems or the US Government Federal Funding Citrix portals, all of them wide open and susceptible to attacks? Again, no poking on my side, just simple observation exercises on the information provided by Google.

### Breaking into Citrix

When performing a Citrix test, my goal is very simple: "try to open a command shell". Sometimes `cmd.exe` and `command.com` are blocked, but I can still execute commands by saving them in `.bat` or `.cmd` files. If you care to read the command output, just pause the window with `pause`. It is simple. Let's not forget about Windows Scripting Host (WSH), which is usually not blocked at all.

But to get to the command line, you have to escape the GUI first, and when it comes to Windows GUIs, escaping them is like a walk in the park. As soon as you open Explorer through the File Open/Save/Save As/Print or Help features, you can execute commands. Just for demonstration purposes, I composed a [video](/files/2007/10/hc01.wmv) that shows how it is done:

<iframe class="video" src="//www.youtube.com/embed/1-cXrZIVlTU" frameborder="0" allowfullscreen></iframe>

Here is more. The following example shows an ICA file which just opens `cmd.exe` right in front of your eyes:

```ini
[WFClient]
Version=2
TcpBrowserAddress=_some address_

[ApplicationServers]
_PlanVue 03 Tri-City_=

[_PlanVue 03 Tri-City_]
Address=_some address_
InitialProgram=cmd.exe
ClientAudio=On
Username=_some user_
Domain=_some domain_
Password=
AudioBandwidthLimit=2
Compress=On
TWIMode=On
ScreenPercent=80
DesiredColor=8
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
EncryptionLevelSession=EncRC5-128

[EncRC5-128]
DriverNameWin32=PDC128N.DLL
DriverNameWin16=PDC128W.DLL

[Compress]
DriverName=PDCOMP.DLL
DriverNameWin16=PDCOMPW.DLL
DriverNameWin32=PDCOMPN.DLL
```

It is unbelievable but it works.
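For a defender, the same fields that tell an attacker what an ICA file exposes (`InitialProgram`, `Username`/`Password`, `Address`, `EncryptionLevelSession`) are the ones to grep for when auditing your own published files. The following is an added example, not pdp's bash/Python script and not anything shipped by Citrix: it parses an ICA file with Python's `configparser` and reports exposure indicators. The input is the file from the post with its redacted placeholders kept as-is; the list of "interactive" programs and the severity labels are this example's own assumptions.

```python
"""Audit an ICA connection file for exposure indicators.

Added example for this post: not pdp's script and not a Citrix tool.
ICA files are INI-style text, so Python's configparser can read them.
The sample is the file shown in the post with its redacted placeholders
kept as-is (constructed input, not a live host).
"""
import configparser
from typing import List, Tuple

# Assumption: programs that hand a connecting user an interactive
# environment instead of a constrained application.
INTERACTIVE_PROGRAMS = {
    "cmd.exe", "command.com", "explorer.exe",
    "cscript.exe", "wscript.exe", "powershell.exe",
}

SAMPLE_ICA = """\
[WFClient]
Version=2
TcpBrowserAddress=_some address_

[ApplicationServers]
_PlanVue 03 Tri-City_=

[_PlanVue 03 Tri-City_]
Address=_some address_
InitialProgram=cmd.exe
ClientAudio=On
Username=_some user_
Domain=_some domain_
Password=
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
EncryptionLevelSession=EncRC5-128
"""

Finding = Tuple[str, str]  # (severity, message)


def parse_ica(text: str) -> configparser.ConfigParser:
    """Parse ICA text, keeping key case and tolerating empty values."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.optionxform = str  # keep "InitialProgram", not "initialprogram"
    cp.read_string(text)
    return cp


def audit_ica(text: str) -> List[Finding]:
    """Return (severity, message) findings for one ICA file."""
    cp = parse_ica(text)
    findings: List[Finding] = []
    if cp.has_option("WFClient", "TcpBrowserAddress"):
        findings.append(("info", "browser address published: "
                         + cp["WFClient"]["TcpBrowserAddress"]))
    if not cp.has_section("ApplicationServers"):
        return findings + [("info", "no [ApplicationServers] section")]
    for app in cp.options("ApplicationServers"):
        if not cp.has_section(app):
            findings.append(("warn", f"{app}: listed but has no section"))
            continue
        s = cp[app]
        # Published program: a bare shell means the "application" is a console.
        prog = (s.get("InitialProgram") or "").strip().strip('"')
        base = prog.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in INTERACTIVE_PROGRAMS:
            findings.append(("high", f"{app}: InitialProgram is an interactive shell ({prog})"))
        # Embedded identity: a username alone still removes one unknown.
        user = (s.get("Username") or "").strip()
        if user and (s.get("Password") or "").strip():
            findings.append(("high", f"{app}: username and password embedded in file"))
        elif user:
            findings.append(("medium", f"{app}: username pre-filled ({user}), the password prompt is the only barrier"))
        # Session encryption: unset or Basic is not real confidentiality.
        enc = (s.get("EncryptionLevelSession") or "").strip()
        if enc.lower() in ("", "basic"):
            findings.append(("medium", f"{app}: session encryption is {enc or 'unset'}"))
        if s.get("Address"):
            findings.append(("info", f"{app}: server address published ({s['Address']})"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_ica(SAMPLE_ICA):
        print(f"[{sev}] {msg}")
```

Run over a directory of ICA files this gives a quick triage list: anything rated `high` is a file that should never have been published, and the `info` lines show exactly which hosts the file advertises to whoever downloads it.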

Among the ICAs I found, there were a few which do require authentication. For dedicated attackers, this is definitely not the end of the world. Now you probably think that it is time to take out all the bruteforcers and dictionary files and start some heavy drilling. "Hold on! Let's try the backdoors first."

After you connect to Citrix you will most likely land on the desktop, which is protected by the Windows/NetWare logon. However, keep in mind that there might be some applications underneath that do not require authentication, just like those we discussed earlier. So how do we find them? Ian Vitek [coded](/files/2007/10/enum.pl) a Perl script to do exactly that:

[/files/2007/10/enum.pl](/files/2007/10/enum.pl)

I was intrigued by Ian's script, so I decided to write my own. However, I wasn't very keen on re-reversing Citrix, so I thought I would go the easy way: reusable components. A few minutes on Citrix's website were enough to get me started. I ended up with the following [script](/files/2007/10/enum.js). Keep in mind that you need to have a copy of the Citrix client installed in order to get it going:

[/files/2007/10/enum.js](/files/2007/10/enum.js)

I don't know which script is better. Ian's implementation seems to be cross-platform and quite transparent for the user, but it works only over UDP. My approach works only on Windows and requires a bit of understanding of the architecture, but it supports all the ways Citrix can establish connections, and it can enumerate the Citrix servers and farms as well. Here is a demonstration of how you can use it:

![Hacking CITRIX Screen01](/files/2007/10/screen01.jpg "Hacking CITRIX Screen01")

### Conclusion

OK, it is lame, but with pretty much the same success attackers can hack into quite sensitive services. It is unbelievable to me to find out that pretty much anyone can tap into a huge organization with a few dirty Citrix tricks. And here are some stats:

Just by looking into Google, I was able to find **114** wide open CITRIX instances: **10** .gov, **4** .mil, **20** .edu, **27** .com, etc. The research was conducted offline, therefore there might be some false positives. Among the services discovered, there were several critical applications which looked so interesting that I didn't even dare look at them. With similar success, attackers can perform simple port scans for service port 1494. The steps described above apply.
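The flip side of the port-scan remark is that an exposed ICA listener is trivial to detect from your own perimeter logs. The following is an added example (not pdp's code and not a Citrix feature) that runs over constructed netfilter-style firewall log lines and flags connections to ICA ports coming from outside the organisation's own address space. The port set (TCP/1494 for ICA sessions, UDP/1604 for the ICA browser service) and the list of "internal" networks are assumptions to adjust to the local setup; the log lines are invented, not captured traffic.

```python
"""Flag Internet-sourced connections to ICA ports in firewall logs.

Added example for the post's conclusion: not pdp's code and not a Citrix
tool. Log lines are constructed in the iptables/netfilter style
(SRC=/DST=/PROTO=/DPT= fields).
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Assumption: TCP/1494 is the ICA session port named in the post and
# UDP/1604 is the ICA browser service the enumeration scripts talk to.
ICA_PORTS = {("TCP", 1494), ("UDP", 1604)}

# Assumption: the organisation's own address plan. ipaddress.is_private
# is deliberately not used here because it also treats the documentation
# ranges used in the sample (203.0.113.0/24 etc.) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

LOG_RE = re.compile(
    r"SRC=(?P<src>[0-9.]+) DST=(?P<dst>[0-9.]+) .*?"
    r"PROTO=(?P<proto>[A-Z]+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    "Oct  4 16:26:51 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.20 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=1494 WINDOW=65535 SYN",
    "Oct  4 16:26:52 fw kernel: IN=eth1 OUT= SRC=10.1.2.3 DST=192.168.1.20 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=1494 WINDOW=65535 SYN",
    "Oct  4 16:26:53 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.20 LEN=52 TTL=48 ID=2 PROTO=UDP SPT=1604 DPT=1604 LEN=32",
    "Oct  4 16:26:54 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.21 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=65535 SYN",
    "Oct  4 16:26:55 fw sshd[123]: Accepted publickey for admin from 10.1.2.3",
    "Oct  4 16:26:56 fw kernel: IN=eth0 OUT= SRC=203.0.113.8 DST=192.168.1.20 LEN=60 TTL=50 ID=4 DF PROTO=TCP SPT=51236 DPT=1494 WINDOW=65535 SYN",
]


def is_internal(addr: str) -> bool:
    """True if the address falls inside the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract the 5-tuple fields from a netfilter log line, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def find_exposed_ica(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per ICA-port connection from a non-internal source."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a packet log line
        key = (rec["proto"], int(rec["dpt"]))
        if key in ICA_PORTS and not is_internal(rec["src"]):
            hits.append({"src": rec["src"], "dst": rec["dst"],
                         "proto": rec["proto"], "dpt": int(rec["dpt"])})
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged connections per external source address."""
    return dict(Counter(str(h["src"]) for h in hits))


if __name__ == "__main__":
    found = find_exposed_ica(SAMPLE_LOG)
    for h in found:
        print(f"EXTERNAL ICA: {h['src']} -> {h['dst']} {h['proto']}/{h['dpt']}")
    print(summarize(found))
```

Any non-empty result here means an ICA or ICA browser port is reachable from outside, which is exactly the condition the post's Google results describe; the correct fix is not to tune the rule but to remove the exposure by fronting the farm with a gateway, as several commenters below point out.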

### Archived Comments

**David Kierznowski**
pdp, awesome demonstrations and code. I'm sure those new to these attack vectors will love it.
**pdp**
CITRIX hacking is just like back in the old days with NetBIOS. It is simple. It is malicious. It is highly effective. And the problem is that CITRIX is pretty useful. Here is a dilemma for you:
Let's say that you have a pretty stable desktop app which you would like to be available on the Web. What are you going to do? Port it to XHTML, JavaScript and CSS? No way! You are most likely going to put it on CITRIX and forget about it.
**hackathology**
Awesome pdp, you are hacking Citrix servers and I am constantly being challenged by guys to hack them.
**vindic**
heh, it's amazing man, really :)
**wirepair**
Hey pdp, that's cool and all, but that paper (hackingcitrix.txt) is actually mine, not Ian Vitek's. I wrote it like 4 or 5 years ago ;> Funny to see this stuff still works. Also I wrote a brute forcer in C that works differently than Ian's. http://sh0dan.org/oldfiles/citrix-pab/ peace.
**pdp**
wirepair, my bad, it wasn't really clear to me who the author of the paper is. Let me change the post so it outlines the correct information. BTW, I am working on a bruteforcer as well and it will be based on top of the ICAClient.
**Ronald**
How about wrapping it up in a CSRF referer attack? Since most surfers send their referer along the lines, Referer CSRF in order to launch a simple attack on behalf of their IP, instead of ours. :) The mashups can be endless! Oh my...
**pdp**
what do u mean?
**Ronald**
I mean to simply send a form to their localhost, since when you use a form and submit it for them back where they came from, you could embed cmd commands in a textarea and possibly do it remotely. It works on Tor for example; I was researching a way of shutting Tor down this way, by sending a large payload. But Tor requires authentication, I learned. Since Citrix doesn't, it might as well work.
**pdp**
Depending on how CITRIX is configured it may or may not require authentication.
> I mean to simply send a form to their localhost, since when you use a form and submit it for them back where they came from, you could embed cmd commands in a textarea and possibly do it remotely. It works on Tor for example, I was researching a way of shutting Tor down this way, by sending a large payload. But Tor requires authentication I learned. Since Citrix doesn't, it might as well work.
I see what you mean. Interesting, though, it needs to be verified. I may play around with this concept over the weekend.
**Sp0oKeR**
OMG! awesome article!! Very nice job as always. Regards, Sp0oKeR
**Adrian Pastor (pagvac)**
This is an excellent intro to the survival skills for hacking Citrix. I love the concept of breaking into a company through a backdoor that's already there for me, a.k.a. secure remote access. Citrix, Terminal Services and Microsoft PPTP are some of my favorites!
**dink**
Evidently there are also a lot of .rdp files (MS Term Server connectoids) out there, although not quite as many. The second one I tried took me right to some desktop app.
**pdp**
dink, you are getting ahead of time. :) I will get into that as well.
**Maverick**
Dude, none of the things you did is called "hacking". The only thing you did is find systems admin-ed by people who don't know how to properly secure their systems. Wanna hack? Try to get through an Access Gateway. Then I'll be impressed. The above stuff hardly has any skill to it.
**NoOne**
You could also use Citrix keyboard shortcuts like "CTRL+F1" or "CTRL+F2", which correspond to "CTRL+ALT+DELETE" and "CTRL+ESC".
**CG**
you can also just use:
`InitialProgram=explorer.exe`
then you'll get your Windows Explorer prompt. Fun for checking out those shares on the internal LAN :-) You can also navigate to WINDOWS\System32\cmd.exe and double click to get your cmd prompt. _CG
**pdp**
CG, but that of course depends on the setup really. Although, it does work in roughly 70% of the cases.
**NIX**
I tested your enum.js, and it's not working properly if I run it against Unix machines :D ... it tells me that they have access, winword, excel, iexplorer and so on. I tried it against *nix machines on which there is no Citrix, and I still get that they have access, winword, excel and so on ... funny ;)
**George Ou**
How is this an exploit when all you have is a brute force exhaustive search that performs 1 check per second at most? A simple lockout mechanism (which people should have already implemented) for failed attempts would pretty much rule out this type of attack.
**pdp**
George, you are misunderstanding the whole purpose of the post. All I am showing here is that there are CITRIX instances on very critical domains which are wide open to attacks. No authentication is required, just simple enumeration tactics. The second post I wrote discusses how simple it is to write a CITRIX bruteforcer with common Windows utilities. Both posts are completely different by nature.
**Donnerjack**
I've confirmed this same sort of attack repeatedly. It will not work over a properly configured firewall and Citrix Web Interface setup. Even following the most basic recommended setups by the firewall vendor and Citrix would stop this style of attack from working. If you had pointed out that these attacks would only work in poorly configured and mismanaged environments, I would have applauded your efforts. As it is, you're deliberately misleading the public.
**Kevin**
hey PDP, thanks for the article, pretty timely since I'm assessing a client's Citrix install right now. I wasn't able to get any results from your enum.js script however, using the syntax "enum.js apps TCPBrowserAddress=x.x.x.x" and "enum.js apps HTTPBrowserAddress=x.x.x." It seems like it's not even trying to connect to the server (sniffing the connection yields 0 packets between my machine and the Citrix gateway). Do you have any insight on this? Also, can you link the SDK pages you used? I can just write my own but it's a bit difficult finding the docs on their site...
**pdp**
hi Kevin, you have to be quite familiar with CITRIX in order to make the JS script work. Playing with different options is the key. For example you may need to try to force the client to go over UDP, etc. I would recommend using the Perl script first, cuz it seems to work without too much configuration. In case your CITRIX is communicating over IPX, NetBIOS or whatever you have there, use the JavaScript version and play around with the options. Instructions on how to program the client can be found on CITRIX's website. I don't remember the link.
**Kevin**
Ok, thanks for the prompt reply. I think I've found the PDF that I need. I've tried the Perl script, but that too seems to be having problems. In any case, thanks for the files and the articles. I'll make it work one way or another :)
**pdp**
cool, just post it here when you are done! ok? :)
**Kevin**
If I get it working I will be happy to :)
**CUG**
Good write up, but I must admit that these security issues are not a result of the Citrix products being insecure but rather of the people implementing them being clueless. Exposing ICA to the Internet (rather than using a reverse proxy like the Secure or Access Gateway) should be a dismissible offence! You wouldn't expose your SMB shares to the Internet. Good write up, but it shows there are a lot of clueless people out there calling themselves IT professionals.
**pdp**
CUG, absolutely...
**curious1**
PDP... You're correct about the weaknesses that you found on the Internet; however, the ICA 3.0 protocol hasn't been used by Citrix in more than 5 years, and if you're dumb enough to put your ICA presentation server on the web... you get what you deserve. What about a setup using CAGs and RSA through a reverse proxy... do all your same assertions apply? Let me know. Either way, you have a valid point with what you found on Google. You should, however, clarify your applicable scenarios. Peace
**pdp**
Apparently CITRIX has removed the YouTube videos due to some copyright violation. This is strange and at the same time not the right way to handle situations like this one.
**rjhoward**
Ok, you have my attention and the attention of everyone in my organization. How can we tighten things up? What is this lazy administrator doing to contribute to the issue and how can I improve?
**pdp**
rjhoward, one word: gateways! Make sure that you use NFuse or whatever else you want, but just never, ever expose 1494/UDP/TCP on the Internet. Segment as much as possible.
**stupidisasstupiddoes**
Stupid is as stupid does. You can lead a horse, but making it drink is another issue. Secure Gateway and Access Gateway have been available for years. If the Citrix admin is getting away with exposing a Presentation Server in the DMZ, then they deserve to be hacked.
**Alan**
A hack is a hack. Doesn't matter whether you find it sophisticated or not. If you can get to .mil sites with it, that's obviously something critical. I didn't see the video btw, can someone fix the link:
> This video is no longer available due to a copyright claim by Citrix Systems, Inc.
what copyright? :)
**pdp**
video links are updated...
**Bbb**
How about 'hacking' Windows Terminal Services? http://search.yahoo.com/search?p=originurlextension:rdp http://www.google.com/search?q=ext:rdp As mentioned above, this isn't a hack, just someone who left the front door open for someone to easily walk through.
**pdp**
Bbb, but it is still concerning, isn't it? Which was the point of the post! Right?
**Bbb**
Absolutely very concerning, the fact that you can get Numb-Nut administrators. As I mentioned above.... http://search.yahoo.com/search.....ension:rdp http://www.google.com/search?q=ext:rdp .....you get the same numb-nuts administrating plain old Terminal Services as well as any other product. The first line of your article, 'The Internet is full of wide open CITRIX gateways', probably put the Sh$ts up many a CITRIX administrator because they implement true CITRIX gateways (that only open for the correct people). I hope people reading this article realise that this is not the way to implement CITRIX for remote access. I can't believe the amount of people who don't follow simple IT Security recommended practices. This is probably why your article should be entitled 'Beware There are Numb-Nut Administrators everywhere!!' ;-) Bbb
**Intrigued**
I found it interesting that some of the servers have user names and domain names in the config files. After looking around I found that some of them give you a remote desktop without authentication with full access by using a user name and domain name (could be dead wrong and it just gives you the remote desktop anyway, but nonetheless it's still a blatant hole).
**pdp**
Intrigued, absolutely!
**newKid**
I am not a hacker, just a college kid, studying networking, programming, security, the like. I am researching Citrix for a security paper. I clicked on some of these links, to see what would happen, as the read is seriously intriguing to me. Most of them you can't actually get to. One came up but gave me an error and did not display. Please explain; are you telling me that by clicking the links that are returned in the search, you are actually accessing information running on the server? There is no one on the other end that can see or be alerted to the fact that some remote user is actually getting in unauthenticated? I don't understand. How does this actually work out?
**ikkuhqhp**
pdp, I was reading this post but found that the YouTube link doesn't work. Could you explain "escaping windows GUI" again please?
**free dlls**
The video can't be played; it says it may have been removed. Please check.
**john**
looking for mentors... I need to learn how to hack
**pdp**
it is not difficult to learn how to hack... use Google... or sign up for a course :)
**anon**
The video works by clicking the download link at the bottom of the post: http://www.gnucitizen.org/static/blog/2007/10/hc01.wmv