Re: Citrix Winframe client for Linux

From: seregon (seregonat_private)
Date: Fri May 28 1999 - 19:04:30 PDT

    Rumor has it that David Terrell might have once said:
    > [ presumably this holds true for the other unix clients as well, but
    >   all I have is linux to test on ]
    >
    > The Citrix Winframe linux client (used for accessing Winframe and
    > Windows NT Server Terminal Edition) has a simple configuration section.
    > Perhaps too simple....  All configuration information is stored in a
    > directory /usr/lib/ICAClient/config which is mode 777.  This in and
    > of itself is bad news, since any user on the system can overwrite
    > configuration data.
    
    I installed v3.00.15 using the defaults.  After running wfcmgr and creating a
    dummy connection config as a regular user, I did not find anything extra in the
    appsrv.ini file in /usr/lib/ICAClient/config.  All of the session configuration
    information was stored in ~/.ICAClient/appsrv.ini.  This file is created
    world-readable as is the directory : (, so if others can see into your
    home directory...
    
    I repeated the test as root, with the same results...
    
    >
    > The situation is actually much worse than that.
    >
    > When you start up the actual session manager (wfcmgr) you get a listbox
    > of configured sessions.  The data for this listbox is stored in the mode
    > 777 file /usr/lib/ICAClient/config/appsrv.ini.  So  there's a single
    > config file shared between all users.  A sample session profile follows:
    >
    > [WFClient]
    > Version=1
    >
    > [ApplicationServers]
    > broken=
    >
    > [broken]
    > WinStationDriver=ICA 3.0
    > TransportDriver=TCP/IP
    > DesiredColor=2
    > Password=0006f6c601930785
    > Domain=NTDOM
    > Username=user
    > Address=hostname
    >
    > Yep.  Passwords are stored in some kind of hash.  What that hash is doesn't
    > really matter since you can just bring up wfcmgr and log in as that user.
    
    I would be at least moderately concerned about having the hash exposed just
    because many (most?) users like to synchronize their passwords between all of
    the systems that they use.  As for the hash, well...it's weak (as are most XOR
    schemes).  For the Dos/Win32 clients (at least) the fourth character is the
    length of the remainder of the line.  The fifth and sixth are the principal
    key.  The rest is the password.  This hash appears to use the same type of
    scheme.
    
    No, the hash algorithm isn't quite that simple...they do a couple of things
    to introduce noise.  But, the implementation could be better... ; )
    
    >
    > Terrible.
    >
    > I tried mailing both supportat_private and securityat_private but
    > neither of these addresses exist.
    >
    >
    > Workaround?  wfcmgr supports the -icaroot parameter, but you basically
    > need to copy all the files in for it to work.  So duplicate the tree in
    > your home directory, fix permissions, and do wfcmgr -icaroot $HOME/.ica.
    >
    > Alternatively, don't use it.
    >
    > Distressing that the company that was "bringing multiuser concurrent logons
    > to Windows NT" makes such a little effort at understanding multiuser
    > security.... [further editorialization left to the reader]
    >
    > --
    > David Terrell
    > dbtat_private, dbtat_private    I may or may not be speaking for Nebcorp,
    > http://wwn.nebcorp.com/~dbt/         but Nebcorp has spoken for you.
    --
    ______________________________________________________________________________
    seregonat_private               From wonder into wonder, existence opens
    ______________________________________________________________________________
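
A permission audit for the two locations discussed in this thread, as an added example that is not part of the original posts: it flags a world-writable config directory or appsrv.ini, and an appsrv.ini that holds a stored Password= value while other users can read it. The function names and the wording of the findings are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an ICA client config directory for the permission
# problems described in the thread. Function names are hypothetical.

# other_bits PATH -> prints the "other" permission triplet, e.g. "rwx" or "r--"
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# audit_ica DIR -> prints one finding per line; returns 0 only if clean.
# DIR is a config directory such as /usr/lib/ICAClient/config or ~/.ICAClient.
audit_ica() {
    dir=$1
    ini=$dir/appsrv.ini
    findings=0

    # Any user can replace session settings if either of these is writable.
    for p in "$dir" "$ini"; do
        [ -e "$p" ] || continue
        case $(other_bits "$p") in
            ?w?) echo "world-writable: $p"
                 findings=$((findings + 1)) ;;
        esac
    done

    # A non-empty Password= entry in a file other users can read exposes
    # the stored password hash.
    if [ -f "$ini" ] && grep -q '^Password=[^[:space:]]' "$ini" 2>/dev/null; then
        case $(other_bits "$ini") in
            r??) echo "stored password readable by other users: $ini"
                 findings=$((findings + 1)) ;;
        esac
    fi

    [ "$findings" -eq 0 ]
}

# Audit each directory given on the command line, for example:
#   sh audit.sh /usr/lib/ICAClient/config "$HOME/.ICAClient"
for d in "$@"; do audit_ica "$d" || true; done
```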
    


