[VulnWatch] Re: Hacking Citrix Faq (+DEF CON presentation)

• Previous message: Steve Fallin: "Software Update Available for Legacy RapidStream Appliances and W atchGuard Firebox Vclass appliances"
• Next in thread: ET LoWNOISE: "[VulnWatch] [LoWNOISE] "Get Knowledge" SunONE Starter Kit - Sun Microsystems/Astaware"
• Reply: ET LoWNOISE: "[VulnWatch] [LoWNOISE] "Get Knowledge" SunONE Starter Kit - Sun Microsystems/Astaware"
• Reply: ET LoWNOISE: "[LoWNOISE] "Get Knowledge" SunONE Starter Kit - Sun Microsystems/Astaware"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!
The URL to my Citrix tools is:
http://www.cqure.net/itools01.html
My DEF CON presentation is also there now!

sh0dan (wirepairat_private) wrote (Citrix quotation):
> 1. Disable MetaFrame XP server broadcast response. CMC |
> Right-click on farm | MetaFrame Settings tab | Uncheck the
> two boxes in the "Broadcast Response" section. This will
> prevent that perl scanner from working.

Maybe... But if it doesn't stop the Citrix client (with the use of
citrix-pa-proxy.pl) to enumerate applications I could write a new PA
scanner that enumerates the applications.
I will check that next week.

Some simple "breaking out from given environment":
Very easy: Start the task manager, choose run... explorer.exe (both the
task manager and run.. can be disabled).
Easy: If not started; start the given application. Choose File->Open and on
a directory; right click and choose explore.
(If there is no open.., search for open..., save as..., attach... or
similar.)
Lots of clicking: Press F1 and search for open... (another help file). Or
try to find a link to web based support (starts IE) or email (starts IE).
(You can sometimes find links that starts commands in new help files).
Even more clicking: Choose print... and try to right click/explore
everywhere. The printer could have it's own help file.

So, conclusion:
===========
Start with:
task manager (Default CTRL+F1 [Citrix client] )
F1 (Help)

Try the following everywhere:
Right click and explore.
F1 if it seams that a new application has started (like printer or help).
Click on everything that looks like an URL or an email. (Tip: Look in the
Help->About or icons on the application)
If you cant find and an URL or email address; try to write one somewhere.

This is for the desktop. Remember; A hacker doesn't need a desktop. Command
prompt is better for a hacker.
CMD.EXE, COMMAND.COM (Yes, it is still there, and has bugs), FTP.EXE and
shell escape with "!" or "! command.com /c regedit.exe".

Prevention?
Applications written for Terminal Services/Citrix/Tarantella is usually
very hard to break out from.
Fire up regedt32 and disable most of windows. Remove execute and read from
almost every file.
Securewave has a nice product:
http://www.securewave.com/products/secureexe/secure_exe.html
Check out their nice live DEMO. I have succeeded to halt their DEMO server
once (cmd /k cmd /k cmd /k cmd /k cmd /k cmd /k you get the point). You can
now only spawn a few processes.
If you know about other similar applications, please mail me.

//Ian Vitek, iXsecurity

• Next message: Muhammad Faisal Rauf Danka: "Re: Yet another XSS vulnerability in PHP NUKE"
• Previous message: Steve Fallin: "Software Update Available for Legacy RapidStream Appliances and W atchGuard Firebox Vclass appliances"
• Next in thread: ET LoWNOISE: "[VulnWatch] [LoWNOISE] "Get Knowledge" SunONE Starter Kit - Sun Microsystems/Astaware"
• Reply: ET LoWNOISE: "[VulnWatch] [LoWNOISE] "Get Knowledge" SunONE Starter Kit - Sun Microsystems/Astaware"
• Reply: ET LoWNOISE: "[LoWNOISE] "Get Knowledge" SunONE Starter Kit - Sun Microsystems/Astaware"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 21:17:48 PDT