Sat, 13 Oct 2007 12:38:55 GMT
by pdp

I am planning to be very quick and brief with this post and to try to clarify some misconceptions regarding some of our latest posts and projects on GNUCITIZEN.

The first general misconception is regarding the CITRIX posts. Let's start with "CITRIX: Owning the Legitimate Backdoor", shall we? A lot of GNUCITIZEN's readers thought that I am showing new attack techniques. No, they are not new! In fact, I have provided you with a script and a link to a paper that was published back in 2002. However, my intention was not to familiarize you with the techniques but to draw your attention to the ridiculous number of wide open CITRIX services located on government and military facilities. I don't know about you but to me this is concerning. It became even more concerning when I accidentally stumbled across some nuclear power I don't know what, a global logistics system and a US Federal funding portal. Since I don't have the time and the facilities to contact each of the affected organizations individually, I decided to go public and let the people know about the problem, hoping that someone would bother. Fortunately for all of us, the operation was successful!

Then Adrian and I published a post ("BT Home Flub: Pwnin the BT Home Hub") on the vulnerabilities we found in the BT Home Hub/Thomson/Alcatel Speedtouch 7G router, currently affecting more than 2 000 000+ (two million plus) users. We don't even know the exact number. We believe that it has to be at least 4 or 5 million (GLOBALLY!), mainly because of similar issues found on the Speedtouch routers shipped by other ISPs.

I would like to draw your attention to some of the details published regarding this vulnerability. First of all, it is remote. Second of all, attackers can completely hijack the victim, including but not only their INTERNET TRAFFIC, their VOIP calls, their BANK ACCOUNTS, their SOCIAL PROFILES, and of course, they can purchase goods on behalf of the victim, perform IDENTITY THEFT stunts, etc, etc, etc. The attack is a combination of Cross-site scripting, Cross-site request forgery and Authentication Bypass vulnerabilities. This means that no matter how strong your password is, you are still vulnerable. Period!

Next, two follow-up posts were published on some rather concerning CITRIX and Microsoft Terminal Services issues. The first one, titled "Remote Desktop Command Fixation Attacks", is about how easy it is to trick someone into authenticating an RDP or ICA session and as such let the bad guys in. People from FD and BUGTRAQ have responded with some very interesting but quite groundless claims, stating that this is not an issue and that if you can make the user click on an RDP or ICA file then you can make them click on anything (i.e. .exe and .bat files). Bollocks! Let me tell you something! Executables and shell scripts are blocked by default by most open source and commercial grade filters and mail gateways - RDP and ICA files are not. People use remote desktop facilities all the time. We've been testing some of the world's top financial organizations and all of them use RDP or ICA. And the victim doesn't have to do anything but log in.
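To make the filtering point above concrete, here is an added example (not code from the original post or from GNUCITIZEN): a mail-gateway style attachment check that shows an .rdp attachment passing a block list which only covers executables, the hardened list that catches it, and a parser that reports which session settings an attached .rdp file pre-sets so the gateway can quarantine it. The .rdp content, the host name and the program name are constructed placeholders.

```python
# Added example (not from the GNUCITIZEN post): attachment policy check for
# .rdp launch files. The sample .rdp below is constructed for this example;
# the host and program names are placeholders, not real targets.
import re

DEFAULT_BLOCKLIST = {"exe", "bat", "cmd", "scr"}          # typical out-of-the-box filter
HARDENED_BLOCKLIST = DEFAULT_BLOCKLIST | {"rdp", "ica"}   # also stop remote-desktop launch files

# .rdp keys that fix what runs once the session is up. A plain "connect to
# the terminal server" file does not need them, so their presence in mail
# traffic is worth a quarantine decision rather than silent delivery.
COMMAND_FIXING_KEYS = {"alternate shell", "remoteapplicationprogram"}

SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdp.example.invalid
username:s:guest
alternate shell:s:placeholder.exe
"""

def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def blocked(filename: str, blocklist=DEFAULT_BLOCKLIST) -> bool:
    """True if the attachment's extension is on the gateway block list."""
    return extension(filename) in blocklist

def parse_rdp(text: str) -> dict:
    """Parse the 'key:type:value' lines of an .rdp file (types s, i, b)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([sib]):(.*)$", line.strip())
        if m:
            key, typ, value = m.groups()
            settings[key.lower()] = int(value) if typ == "i" else value
    return settings

def assess_rdp(text: str) -> dict:
    """Summarise what an attached .rdp file would do if the user opened it."""
    s = parse_rdp(text)
    flagged = sorted(k for k in COMMAND_FIXING_KEYS if k in s)
    return {"target": s.get("full address", ""),
            "flagged_keys": flagged,
            "verdict": "quarantine" if flagged else "review"}

if __name__ == "__main__":
    print(blocked("report.exe"), blocked("report.rdp"))      # True False
    print(blocked("report.rdp", HARDENED_BLOCKLIST))         # True
    print(assess_rdp(SAMPLE_RDP))
```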

The second post, "0day: Hacking secured CITRIX from outside", expands on the previous one and provides some details on how easy it is to penetrate CITRIX by simply tricking an unaware user into visiting a malicious website. In this case, the victim does not have to authenticate or perform any interaction. The attack is automatic, transparent and quite dangerous.

Last but not least, I would like to shed some light on what I meant when I said that "Security in depth does not exist". IT security is not only about keeping the perimeter safe. There is a lot more to it than that. Sometimes, it is so hard to get the security right that attacks are just inevitable. Sometimes systems are set up in such an impossible way that it is extremely hard and very expensive to set them up the right way. This happens all the time. Security in depth is hard to implement. You may think that you implement it the right way but, as they say: "a system is as secure as the weakest link". Luckily we have a Black PR/Crisis PR consultant on board, here at GNUCITIZEN, to explain to us how to handle the security problem the right way.

Archived Comments

Re:Citrix At least (I hope) they fixed the SQL injection in the CDN login system.
I still think there is something amiss. I have no problems with any of your postings except, again, that last paragraph in this one about security in depth. "a system is as secure as the weakest link" That is correct, but that is also what security in depth is trying to combat, in part. If you have a chain and one link is broken, the whole chain breaks (attacker wins). But if you have a series of chains overlapping each other and providing support when one chain is broken by a weak link, that is security in depth. An attacker has to break through several layers in order to penetrate properly implemented defense in depth.

Defense in depth helps to:
a) cover for inevitable deficiencies in various security layers (protocols, systems, devices, software, web apps...)
b) cover for human mistake
c) attempt to anticipate unexpected attacks from skilled, creative attackers
d) raise the bar for attacker knowledge; an attacker may have a few key skills, but proper defense in depth may mean the attacker can only break through a couple security measures, but can't quite own everything else. Hopefully it takes enough time that they get found out or holes are closed.
e) mitigate successful attacks

Some of your attacks are successful and scary because defense in depth is not being properly practiced. Then again, it is hard to defend in depth when we're not even sure where the next attack will come from. User George runs a personal firewall, router/firewall on the network, AV, changes passwords...and then you pop him with a bad script that asks his credentials from a web page? That's simply a chink in the armor, a hole in the defense in depth. But if my web server has a vulnerable web app and you pop into it, but my web server runs jailed, did you own my system? Not yet, perhaps. That's defense in depth.

Now, I think you can form some points on two things:
1) Defense in depth adds complexity. Man, does it! But until perfect security comes around (and I posit that it never will, especially as long as humans are involved), the added complexity needs to be weighed against the defense gained.
2) Defense in depth isn't being practiced in large scale because it isn't economical. This might be an interesting research idea to poll large scale IT security teams and see if they utilize defense in depth concepts. I suspect most large companies do a combination...a sort of partial defense in depth strategy that still has plenty of holes and weaknesses. But does that make it useless and broken? That's an interesting question...

An additional attack on the concept might come from how defense in depth masks the holes in each layer. If you have a mesh of chains all holding your organization's security in place, if one breaks, you might not notice the break because nothing came crashing down. This is a danger with defense in depth, and could be a point against the concept.

I don't mean to pounce on this one issue, but I think it takes away from your recent excellent posts and revelations. Just like attacks make our networks stronger, proper discussion and challenges make our ideas and goals stronger. :) Keep up the good work, pdp and others at gnucitizen.
Regarding the ICA/RDP issue. Are servers generally set up to allow users to download and execute any random file to/on the ICA/RDP server? I guess this would be a great flaw in itself. If this is allowed, any user can bring down the server by downloading malware. I thought the point was to only allow users to execute installed applications that are white-listed by the admins.