http://www.eweek.com/article2/0,1895,2193114,00.asp By Lisa Vaas October 8, 2007 A researcher says the Citrix technology running military and government Web site GUI's is full of security holes. The Citrix technology that chugs away underneath Web applications is being used to put up military and government GUIs with security holes you could drive a bus through. Security researcher Petko D. Petkov—aka "pdp"—said in an Oct. 4 posting that his recent testing of Citrix gateways led him to "tons" of "wide-open" Citrix instances, including 10 on government domains and four on military domains. "The Internet is full of wide open CITRIX gateways. This is madness," he wrote. "I mean, it is 2007 people, it shouldn't be that simple." What Petkov means by "wide open" is that when searching on Google or Yahoo for files with Citrix's proprietary ICA (Independent Computing Architecture) extension, the returned files blithely hand over hints about which server is running, the underlying transport mechanism and the remote application that Citrix will open. Petkov said he found several "critical" applications that looked too interesting to even dare to look at among the services he managed to discover. "Shall we start with the Global Logistics systems or the US Government Federal Funding Citrix portals—all of them wide open and susceptible to attacks?" he wrote. "With a similar success, attackers can perform just simple port scans for service port 1494 [a TCP port used by Citrix Presentation Server's ICA Client]." Petkov compares Citrix hacking to "the old days with NetBIOS" in that it's simple, it's malicious, and it's "highly effective." Citrix technology is also ubiquitous, with Windows desktops and applications relying on MetaFrame—now called Citrix Presentation Server. The ICA protocol in question specifies a method of passing data between server and clients. It's not bound to any particular platform, but products that use the protocol—including Citrix's WinFrame and Citrix Presentation Server—are used to allow Windows applications to be run on a Windows server and for supported clients to access the applications. ICA is also supported on multiple Unix server platforms and can be used for access to applications running on those platforms. "And the problem is that CITRIX is pretty useful," Petkov wrote in the posting. "Here is a dilemma for you: Let's say that you have a pretty stable desktop [application that] you would like to [make] available on the Web. What you gonna do? Port it to XHTML, JavaScript and CSS? No way! You are most likely going to put it over CITRIX." Petkov posted a video that demonstrates a Citrix attack with simple enumeration exercises along with a script he says can be used to brute-force the Windows/Netware logon and which can be modified to work against Citrix SSL authorization as well. Petkov also posted on Oct. 5 a script to fine-tune connections when security researchers want to try out various Citrix communication mechanisms and connection options, and a script to use ICAClient ActiveX controller to enumerate remote applications, servers and farms. Citrix had not responded to queries by the time this article posted. Participants on the Full Disclosure security mailing list noted, however, that it's not that Citrix can't be secured—given a competent administrator, that is. "I'd recommend using terminal services over Citrix any day of the week for hosting mature apps on a big box, but that's just my bias," wrote a poster with the moniker "Geoff." "Citrix is able to be secured, but that's like everything else in computing: the admin needs a brain." __________________________________________________________________ CSI 2007 is the only conference that delivers a business-focused overview of enterprise security. It will convene 1,500+ delegates, 80 exhibitors and features 100+ sessions/seminars providing a roadmap for integrating policies and procedures with new tools and techniques. Register now for savings on conference fees and/or free exhibits admission. - www.csiannual.com
This archive was generated by hypermail 2.1.3 : Mon Oct 08 2007 - 22:36:10 PDT