0day Hacking Secured CITRIX From Outside

Wed, 10 Oct 2007 15:40:34 GMT
by pdp

In the true spirit of the GNUCITIZEN half (partial) disclosure movement, we announce that it is possible to gain user-level access to CITRIX. The bug/feature does not rely on any client/server vulnerability or client/server misconfiguration. All an attacker needs to do to exploit the weakness is to lure a victim to a malicious website or trick him/her into opening a specially crafted ICA file. The attack results in remote command execution inside CITRIX with the access level of the current user.

The success of the attack relies on the fact that the victim is part of a CITRIX ring to which he/she can perform pass-through authentication. Once a connection is established, the victim will unwillingly and transparently log in to CITRIX and perform several commands specified by the attacker. The attacker can simply instruct the remote desktop to download files from a remote TFTP server and execute them locally. Once the attack is performed, the local connection is terminated and the CITRIX session is cleared. No user interaction is required!

If you manage to re-discover the type of vulnerability outlined in this post, I encourage you to keep it private. Give the folks at CITRIX some time to react. Currently, I am not aware of any remedy against the attack apart from turning off pass-through authentication. Given CITRIX's popularity among corporations and big organizations, it is highly recommended to treat this warning with extra caution.

Archived Comments

Adrian Pastor
Nice work. Let's keep the client-side hacks coming!
Yes, very nice, thanks for the good work ;)
Looks nice, and also I see a storm brewing ... something like the 0day PDF.
Oh bummer. Man, I was investigating the same stuff (Citrix, that is) at the moment, and somehow you are always a leap ahead. I hate that...:) Anyhow, good work as always. I would really like to have a chat with you someday if you happen to be around (any con you are at this year in Europe?). Probably we can share ideas, if you like. Cheers.
rootkid, there is nothing on the horizon for me in Europe for the rest of this year. Feel free to contact me, though!
hellboy726, interesting site you have there! Reminds me of 1998... but I like it.
It just seems to be in the clickmyexecutableiwonthurt category of "exploit". Unfortunately we can't patch users.
No user interaction is required!
Will this hack also work with CSG and CAGs?
Folks, apparently CITRIX has removed the YouTube videos due to some copyright violation. This is strange and at the same time not the right way to handle security advisories. I still haven't got any response from them regarding the issue, and I seriously doubt that this will ever happen. However, I am going to keep the PoC private for now and give them a chance to react in a sensible way.
Is this the same vulnerability found here? http://support.citrix.com/article/CTX112589
Major Fukup
One of the reasons why you should always give users on these systems minimum rights. Does it require a published desktop? Which virtual channels do you use? Regards M.F.
hackathology, nope, it is different. You should be able to figure it out though.
Got it, pdp. I found it.
I found out the clue.
Question: If the user does not have pass-through enabled, but does have stored credentials in the client (username, password, domain), will the attack still work?
Noob, I haven't tested that, but it should work in theory.
Kaustubh Kumar
Hi all, I need help in hacking Citrix, which can allow me to open websites in the Citrix MetaFrame.
Here is the fix; nice job PDP :-D XenApp 4.5: http://support.citrix.com/article/CTX116954