CITRIX: Owning the Legitimate Backdoor
The Internet is full of wide open CITRIX gateways. This is madness! The other day I was performing some CITRIX testing, so I had a lot of fun hacking into GUIs, which, as most of you probably know, are trivial to break out of. I played around with .ICA files as well, just to make sure that the client is not affected by some obvious client-side vulnerabilities. This exercise led me to reevaluate a great many things about ICA (Independent Computing Architecture). When querying Google and Yahoo for public .ICA files, I was presented with tons of wide open services, some of which were located on .gov and .mil domains.

This is madness! No, this is the Web. Still, I wasn’t expecting what I found. Hacking like in the movies? You bet!
Google: ext:ica, Yahoo: originurlextension:ica
I did not poke any of the services I found, although it is obvious what is insecure and what is not when it comes to Citrix. It is enough to look into the ICA files. I am not planning to go into details, but let’s say for now that an ICA file gives you hints about the server, the underlying transport mechanism and of course the remote application that will be opened.
With a few lines in bash combined with my Google python script, I was able to dump all the ICA files that Google knows about and do some interesting grepping on them. What I discovered was unbelievable. Shall we start with the global logistics systems or the US Government federal funding Citrix portals? All of them wide open and susceptible to attacks. Again, no poking on my side, just simple observation exercises on the information provided by Google.
When performing Citrix tests, my goal is very simple: try to open a command shell. Sometimes cmd.exe and command.com are blocked, but I can still execute commands by saving them in .bat or .cmd files. If you care to read the command output, just keep the window open with a pause statement at the end of the file. It is simple. Let’s not forget about Windows Scripting Host (WSH), which is usually not blocked at all.
But to get to the command line, you have to escape the GUI first. And when it comes to Windows GUIs, escaping them is like a walk in the park. As soon as you get an Explorer dialog through a File Open/Save/Save As/Print or Help feature, you can execute commands. Just for demonstration purposes, I composed a video that shows how it is done:
The applications I was talking about a little bit earlier can be hacked in exactly the same way and at pretty much the same pace. Unfortunately, when it comes to PlanVue, attackers can jump into a shell without going through all that hassle. The following example shows an ICA file which just opens cmd.exe right in front of your eyes:
[WFClient]
Version=2
TcpBrowserAddress=some address
[ApplicationServers]
PlanVue 03 Tri-City=
[PlanVue 03 Tri-City]
Address=some address
InitialProgram=cmd.exe
ClientAudio=On
Username=some user
Domain=some domain
Password=
AudioBandwidthLimit=2
Compress=On
TWIMode=On
ScreenPercent=80
DesiredColor=8
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
EncryptionLevelSession=EncRC5-128
[EncRC5-128]
DriverNameWin32=PDC128N.DLL
DriverNameWin16=PDC128W.DLL
[Compress]
DriverName=PDCOMP.DLL
DriverNameWin16=PDCOMPW.DLL
DriverNameWin32=PDCOMPN.DLL
It is unbelievable, but it works. wirepair was one of the first to discuss this quite odd Citrix feature (bug).
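The "interesting grepping" on a dump of ICA files, and the hints the PlanVue file above gives away (target server, transport, initial program, embedded account), can be automated. The following Python is an added example written for this page, not the author's Google/bash tooling or anything from Citrix. It parses the INI-like ICA format and triages each published application. The sample file is constructed from the one quoted above with the addresses, user and domain replaced by placeholders; the ClearPassword key and the Basic/EncRC5-* encryption level names are assumed from the ICA file format and do not appear on this page.

```python
"""Triage of .ica connection files, e.g. from a search-engine dump."""
from collections import Counter

# Constructed sample modelled on the PlanVue file quoted in the post.
# 192.0.2.10, "some user" and "some domain" are placeholders, not real values.
SAMPLE_ICA = """\
[WFClient]
Version=2
TcpBrowserAddress=192.0.2.10
[ApplicationServers]
PlanVue 03 Tri-City=
[PlanVue 03 Tri-City]
Address=192.0.2.10
InitialProgram=cmd.exe
ClientAudio=On
Username=some user
Domain=some domain
Password=
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
EncryptionLevelSession=EncRC5-128
"""

# Programs that hand the user a shell, or an Explorer from which one is a click away.
SHELLS = ("cmd.exe", "command.com", "explorer.exe", "wscript.exe", "cscript.exe")


def parse_ica(text):
    """Parse the INI-like ICA format into {section: {key: value}}.

    Hand-rolled instead of configparser so key case is preserved, keys
    without '=' are tolerated and duplicate sections merge rather than fail.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def triage(ica):
    """Return (application, finding) pairs for every published application."""
    findings = []
    client = ica.get("WFClient", {})
    for app in ica.get("ApplicationServers", {}):
        entry = ica.get(app, {})
        # Where the session goes and how: per-app Address, else the browser address.
        target = (entry.get("Address") or client.get("TcpBrowserAddress")
                  or client.get("HttpBrowserAddress") or "?")
        findings.append((app, "target %s via %s / %s" % (
            target, entry.get("TransportDriver", "?"),
            entry.get("WinStationDriver", "?"))))
        program = entry.get("InitialProgram", "").lower()
        if program.split("\\")[-1] in SHELLS:
            findings.append((app, "shell_initial_program"))
        elif program:
            findings.append((app, "published_program " + program))
        if "Username" in entry:
            findings.append((app, "embedded_username"))
        if "Password" in entry or "ClearPassword" in entry:
            # An empty Password= still names the account the client will try.
            # ClearPassword is an assumed key name for the obfuscated form.
            secret = entry.get("Password") or entry.get("ClearPassword")
            findings.append((app, "embedded_password" if secret else "empty_password"))
        level = entry.get("EncryptionLevelSession", "Basic")  # assumed default
        if not level.upper().startswith("ENCRC5"):
            findings.append((app, "weak_encryption " + level))
    return findings


def summarize(ica_texts):
    """Aggregate a whole dump: how many files expose a shell, credentials, etc."""
    counts = Counter()
    for text in ica_texts:
        for _, finding in triage(parse_ica(text)):
            counts[finding.split(" ")[0]] += 1
    return counts


if __name__ == "__main__":
    for app, finding in triage(parse_ica(SAMPLE_ICA)):
        print("%-20s %s" % (app, finding))
    print(summarize([SAMPLE_ICA]))
```

Run it over a directory of downloaded .ica files by reading each one into `summarize()`; the per-file `triage()` output is what tells you, without touching the server, whether a given file lands in a shell, carries an account, or speaks an old WinStation driver.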
Among the ICAs I found, there were a few which do require authentication. I am not sure how familiar you are with Citrix, but I must tell you that this is not the end of the world for attackers. Now you probably think that it is time to take out all the bruteforcers and dictionary files and start some heavy drilling. Hold on! Let’s try the backdoors first.
After you connect to Citrix you will most likely land on the Desktop, which is protected by the Windows/NetWare logon. However, keep in mind that there may be some published applications underneath that do not require authentication, just like those we discussed earlier. So how do we find them? Ian Vitek coded a perl script to do exactly that:
http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/enum.pl
I was intrigued by Ian’s script, so I decided to write my own. However, I wasn’t very keen on re-hacking Citrix, so I thought I would go the easy way: reusable components. A few minutes on Citrix’s website were enough to get started. I ended up with the following script. Keep in mind that you need to have a copy of the Citrix client installed:
http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/enum.js
I don’t know which script is better. Ian’s implementation seems to be cross-platform and quite transparent for the user, but it works only over UDP, while my approach works only on Windows and requires a bit of understanding of the architecture, but it supports all possible ways Citrix can establish connections, and it can enumerate the Citrix servers and farms as well. Here is a demonstration of how you can use it:

I can tell you for a fact that both Notepad and Internet Explorer require authentication, while Calc does not. Amazing. With pretty much the same success, attackers can hack into the services I talked about earlier. Believe me, these are hardcore applications managed by big organizations. It is unbelievable to me that pretty much anyone can tap into a huge organization with a few dirty Citrix tricks.
Comments
pdp, awesome demonstrations and code. I’m sure those new to these attack vectors will love it.
CITRIX hacking is just like back in the old days with NetBIOS. It’s simple. It is malicious. It is highly effective. And the problem is that CITRIX is pretty useful. Here is a dilemma for you:
Awesome pdp, you are hacking Citrix servers and I am constantly being challenged by guys to hack them.
heh, it’s amazing man, really :)
Hey pdp, that’s cool and all but that paper (hackingcitrix.txt) is actually mine, not Ian Vitek’s. I wrote it like 4 or 5 years ago ;> Funny to see this stuff still works. Also I wrote a brute forcer in C that works differently than Ian’s.
http://sh0dan.org/oldfiles/citrix-pab/
peace.
wirepair, my bad, it wasn’t really clear to me who the author of the paper is. Let me change the post so it outlines the correct information. BTW, I am working on a bruteforcer as well, but it is based on top of ICAClient.
How about wrapping it up in a CSRF referer attack. Since most surfers send their referer along the lines, Referer CSRF in order to launch a simple attack on behalf of their IP, instead of ours. :) The mashups can be endless!
Oh my…
what do u mean?
I mean to simply send a form to their localhost, since when you use a form and submit it for them back where they came from, you could embed cmd commands in a textarea and possibly do it remotely. It works on Tor for example, I was researching a way of shutting Tor down this way, by sending a large payload. But Tor requires authentication I learned. Since Citrix doesn’t, it might as well work.
Depending on how CITRIX is configured, it may or may not require authentication. As I showed above, there are many different ways someone can penetrate a CITRIX server.
I see what u mean. Interesting, though it needs to be verified. I may play around with this concept over the weekend.
OMG! awesome article!!
Very nice job as always .
Regards,
Sp0oKeR
This is an excellent intro to the survival skills for hacking Citrix.
I love the concept of breaking into a company through a backdoor that’s already there for me, a.k.a. secure remote access.
Citrix, Terminal Services and Microsoft PPTP are some of my favorites!
Evidently there’s also a lot of .rdp files (MS Term Server connectoids) out there, although not quite as many. Second one I tried took me right to some desktop app.
dink, you are getting ahead of the time. :) I will get into that as well.
Dude, none of the things you did is called “hacking”. Only thing you did is find systems, admin-ed by people who don’t know how to properly secure their systems. Wanna hack? Try to get through an Access Gateway. Then i’ll be impressed. The above stuff hardly has any skill to it.
You could also use Citrix keyboard shortcuts like “CTRL+F1” or “CTRL+F2” which correspond to “CTRL+ALT+DELETE” and “CTRL+ESC”.
you can also just use:
then you’ll get your windows explorer prompt. fun for checking out those shares on the internal LAN :-)
you can also navigate to WINDOWS\System32\cmd.exe and double click to get your cmd prompt. _CG
CG, but that of course depends on the setup really. Although, it does work in roughly 70% of the cases.
i tested your enum.js, and it’s not working properly if i run it against unix machines :D … it tells me that they have access, winword, excel, iexplorer and so on. i tried it against *nix machines on which there is no citrix, i still get that they have access, winword, excel and so on … funny ;)
How is this an exploit when all you have is a brute force exhaustive search that performs 1 check per second at most? A simple lockout mechanism (which people should have already implemented) for failed attempts would pretty much rule out this type of attack.
George, you are misunderstanding the whole purpose of the post. All I am showing here is that there are CITRIX instances on very critical domains which are wide open to attacks. No authentication is required - just simple enumeration tactics. The second post I wrote discusses how simple it is to write a CITRIX bruteforcer with common Windows utilities. Both posts are completely different by nature.
I’ve confirmed this same sort of attack repeatedly. It will not work over a properly configured firewall and Citrix Web Interface setup. Even following the most basic recommended setups by the firewall vendor and Citrix would stop this style of attack from working. If you would have pointed out that these attacks would only work in poorly configured and mismanaged environments, I would have applauded your efforts. As it is, you’re deliberately misleading the public.
The post is about what I found exposed on the Web? Isn’t that clear enough?
hey PDP, thanks for the article, pretty timely since I’m assessing a client’s citrix install right now. I wasn’t able to get any results from your enum.js script however, using the syntax “enum.js apps TCPBrowserAddress=x.x.x.x” and “enum.js apps HTTPBrowserAddress=x.x.x.” it seems like it’s not even trying to connect to the server (sniffing the connection yields 0 packets between my machine and the citrix gateway). do you have any insight on this? Also, can you link the SDK pages you used? I can just write my own but it’s a bit difficult finding the docs on their site…
hi Kevin, you have to be quite familiar with CITRIX in order to make the JS script work. Playing with different options is the key. For example, you may need to try to force the client to go over UDP, etc. I would recommend using the perl script first, cuz it seems to work without too much configuration. In case your CITRIX is communicating over IPX, NetBIOS or whatever you have there, use the JavaScript version and play around with the options.
Instructions on how to program the client can be found on CITRIX’s website. I don’t remember the link.
Ok thanks for the prompt reply. I think I’ve found the PDF that I need, I’ve tried the perl script, but that too seems to be having problems. In any case thanks for the files and the articles I’ll make it work one way or another :)
cool, just post it here when you are done! ok? :)
If I get it working I will be happy to :)
Good write-up, but I must admit that these security issues are not a result of the Citrix products being insecure but rather of the people implementing them being clueless. Exposing ICA to the internet (rather than using a reverse proxy like the Secure or Access Gateway) should be a dismissible offence! You wouldn’t expose your SMB shares to the internet…. Good write-up, but it shows there are a lot of clueless people out there calling themselves IT professionals…
CUG, absolutely… and the thing is that CITRIX is actually an extremely useful platform. I love it, it just works. However, like in real life, the things that taste nice are not good for your health.
PDP… You’re correct about the weaknesses that you found on the internet; however, the ICA 3.0 protocol hasn’t been used by Citrix in more than 5 years and if you’re dumb enough to put your ICA presentation server on the web… you get what you deserve. What about a setup using CAGs and RSA through a reverse proxy… do all your same assertions apply? Let me know. Either way, you have a valid point with what you found on google. You should, however, clarify your applicable scenarios.
Peace
Folks, apparently CITRIX has removed the YouTube videos due to some copyright violation. This is strange and at the same time not the right way to handle security advisories. Still haven’t got any response from them about the issue and I seriously doubt that this will ever happen. However, I am going to keep the POC private for now and give them a chance to react in a sensible way.
Maverick, since it has been known for ages…. why didn’t you flag it then? I am not releasing a new vulnerability!
BTW, what do you define as hacking? Cuz I am tired of listening to people who define reverse engineering and C exploit writing as hacking. That has nothing to do with hacking. That’s stupid methodology everyone can learn in a month. There is nothing creative about it!
Ok, you have my attention and the attention of everyone in my organization. How can we tighten things up? What is this lazy administrator doing to contribute to the issue and how can I improve?
rjhoward, one word: gateways! Make sure that you use NFuse or whatever else you want, but just never, ever expose 1494/UDP/TCP on the Internet. Segment as much as possible.
Unfortunately, all this will make your work 100% more intensive. So, there is no space for laziness :)
Stupid is as stupid does. You can lead a horse, but making it drink is another issue. Secure Gateway and Access Gateway have been available for years. If the Citrix admin is getting away with exposing a Presentation Server in the DMZ, then they deserve to be hacked.
Hack is a hack. Doesn’t matter whether you find it sophisticated or not. If you can get to .mil sites with it, that’s obviously something critical.
i didnt see the video btw, can someone fix the link:
what copyright? :)
the videos can be found at the bottom of this post: http://www.gnucitizen.org/blog.....ceful-way/
How about ‘hacking’ Windows Terminal services
http://search.yahoo.com/search.....ension:rdp
http://www.google.com/search?q=ext:rdp
As mentioned above, this isn’t a hack, just someone who left the front door open for someone to easily walk through.
Bbb, but it is still concerning, isn’t it? Which was the point of the post! Right?
Absolutely very concerning, the fact that you can get Numb-Nut administrators.
As I mentioned above….
http://search.yahoo.com/search…..ension:rdp
http://www.google.com/search?q=ext:rdp
…..you get the same numb-nuts administrating plain old Terminal services as well as any other product.
The first line of your article ‘The Internet is full of wide open CITRIX gateways’ probably put the Sh$ts up many a CITRIX administrator because they implement true CITRIX gateways (that only open for the correct people). I hope people reading this article realise that this is not the way to implement CITRIX for remote access.
I can’t believe the amount of people who don’t follow simple IT Security recommended practices. This is probably why your article should be entitled ‘Beware There are Numb-Nut Administrators everywhere!!’ ;-)
Bbb
I found it interesting that some of the servers have user names and domain names in the config files. After looking around I found that some of them give you a remote desktop without authentication with full access by using a user name and domain name (I could be dead wrong and it just gives you the remote desktop anyway, but nonetheless it’s still a blatant hole).
Intrigued, absolutely!
I am not a hacker, just a college kid, studying networking, programming, security, the like. I am researching Citrix for a security paper. I clicked on some of these links, to see what would happen, as the read is seriously intriguing to me. Most of them you can’t actually get to. One came up but gave me an error and did not display. Please explain; are you telling me that by clicking the links that are returned in the search, that you are actually accessing information running on the server? There is no one on the other end that can see or be alerted of the fact that some remote user is actually getting in unauthenticated? I don’t understand. How does this actually work out?
pdp, I was reading this post but found that the youtube link doesn’t work. Could you explain “escaping windows GUI” again please?
the video can’t be played, it says it may have been removed. Please check.