Re: Citrix ICA Client Access Advisory(?)

From: Jan P Tietze (jptietzeat_private)
Date: Wed Aug 01 2001 - 00:24:44 PDT


    sween wrote:
    
    > Any help here proving this valid/invalid would be hot.  I have
    > considerable interest, but limited resources.
    
    This is not a security breach. You have not checked the option "only allow users to
    launch published applications" (or something along the lines of that) in the Citrix
    Connection Configuration dialog for the ica-tcp connector. You might call this
    setting an insecure default, but that's about it.
    
    Jan
    
    > Thanks!
    
    >
    > Platform:
    > Windows Terminal Server NT 4.0
    >
    > Synopsis:
    > Using an IE Web Client and a Linux Citrix ICA client I was able
    > to gain access to executables and files on a restricted drive (c:\).
    >
    > Description:
    > Originally I was changing the application name in an attempt to
    > gain access to apps, but when I changed it to #gar I got an error message
    > conveying "The system cannot find the file specified."... which is always
    > an invitation to play.
    >
    > Below is the listed launch.ica file that I used to
    > connect.  The only parameter that was changed was the 'InitialProgram=' parameter.
    > I simply removed the '#' symbol and replaced it with a valid
    > application and its path (c:\wtsrv\system32\cmd.exe).  I was able to
    > launch cmd.exe, telnet.exe (with arguments), the citrix toolbar, etc. but
    > had no escalation in privileges.
    >
    > The Citrix ICA Client for Linux was easy enough, since it allows you to
    > create the launch file on the fly...
    >
    > screenshots:
    >
    > Initial error with #gar as an application:
    >                http://www.modelm.org/proof.jpg
    >
    > Here is a shot of the edited launch.ica file after execution:
    >                http://www.modelm.org/proof1.jpg
    >
    > ------launch.ica---
    >
    > <!----<[NFuse_setSessionField NFuse_WindowType=closed]>---->
    >
    > [WFClient]
    > Version=2
    > ClientName=
    >
    > [ApplicationServers]=
    > 30 year old script kiddie=
    >
    > [30 year old script kiddie]
    > Address=citrixpooter:1496
    >
    > #InitialProgram=v:\Documents and Settings\administrator\desktop\launch.ica
    >
    > InitialProgram=c:\wtsrv\system32\cmd.exe
    >
    > DesiredColor=2
    > TransportDriver=
    > WinStationDriver=ICA 3.0
    >
    > Username=
    > Domain=
    > Password=
    >
    > Command=   <--any input here would be fantastic
    >
    > ClientAudio=On
    >
    > ScreenPercent=80
    >
    > [EncRC5-0]
    > DriverNameWin32=pdc0n.dll
    >
    > [EncRC5-40]
    > DriverNameWin32=pdc40n.dll
    >
    > [EncRC5-56]
    > DriverNameWin32=pdc56n.dll
    >
    > [EncRC5-128]
    > DriverNameWin32=pdc128n.dll
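
Added example, not part of the original thread and not Citrix code: a small auditor that parses an ICA launch file and reports, for each entry under [ApplicationServers], whether InitialProgram names an application with the '#' prefix or gives a direct executable path, which is the edit described in the quoted report. The sample file, the application names, the server address and the treatment of '#' and ';' lines as commented out are assumptions. Because the file is supplied by the client, enforcement still rests on the server-side setting named in the reply.

```python
import re

# Constructed sample, modelled on the launch.ica layout quoted in the thread.
SAMPLE_ICA = r"""<!----<[NFuse_setSessionField NFuse_WindowType=closed]>---->
[WFClient]
Version=2
[ApplicationServers]=
Notepad=
Shell=
[Notepad]
Address=ica-server.example:1494
InitialProgram=#Notepad
[Shell]
Address=ica-server.example:1494
#InitialProgram=#Shell
InitialProgram=c:\wtsrv\system32\cmd.exe
"""

def parse_ica(text):
    """Parse INI-style ICA text into {section: {key: value}}.

    Tolerates the quirks in the quoted file: a template comment before the
    first section and a trailing '=' after a section header. Treating lines
    that start with '#' or ';' as commented out is an assumption.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "<!--")):
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def audit_initial_programs(text):
    """Map each [ApplicationServers] entry to how its InitialProgram is given."""
    sections = parse_ica(text)
    result = {}
    for app in sections.get("ApplicationServers", {}):
        program = sections.get(app, {}).get("InitialProgram", "")
        kind = "published-app" if program.startswith("#") else "direct-path"
        result[app] = kind if program else "unset"
    return result
```

Calling `audit_initial_programs(SAMPLE_ICA)` returns a dictionary keyed by application entry; a "direct-path" value marks a launch file that requests an executable by path rather than by application name.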
    



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 07:44:18 PDT