Mailing List Archive: Full Disclosure: Full-Disclosure

are the NetBIOS-like hacking days over? - wide open citrix services on critical domains



pdp.gnucitizen at googlemail

Oct 4, 2007, 12:55 PM

Post #1 of 4 (421 views)
are the NetBIOS-like hacking days over? - wide open citrix services on critical domains

The other day I was performing some CITRIX testing, so I had a lot of
fun with hacking into GUIs, which, as most of you probably know, are
trivial to break into. I played around with .ICA files as well, just
to make sure that the client is not affected by some obvious
client-side vulnerabilities. This exercise led me to reevaluate a
great many things about ICA (Independent Computing Architecture). When
querying Google and Yahoo for public .ICA files, I was presented with
tons of wide open services, some of which were located on .gov and
.mil domains. This is madness! No, this is the Web. Though, I wasn't
expecting what I found. Hacking like in the movies?

I did not poke any of the services I found, although it is obvious
what is insecure and what is not when it comes to CITRIX. It is enough
to look into the ICA files. With a few lines in bash combined with my
Google Python script, I was able to dump all the ICA files that Google
knows about and do some interesting grepping on them. What I
discovered was unbelievable. Shall we start with the Global Logistics
systems or the US Government Federal Funding CITRIX portals? All of
them wide open and susceptible to attacks. Again, no poking on my
side, just simple observation exercises on the information provided by
Google.

Just by looking into Google, I was able to find 114 wide open CITRIX
instances: 10 .gov, 4 .mil, 20 .edu, 27 .com, etc. The research was
conducted offline, therefore there might be some false positives.
Among the services discovered, there were several critical
applications which looked so interesting that I didn't even dare look
at their ICA files. I am trying to raise consumer awareness with
this article. I mean, it is 2007, people; it shouldn't be that simple.

I did write an article about my findings, which you can read here:
http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/

I've also created a video that shows the lamest way someone can use to
break into unprotected CITRIX, just to show the concepts.

CITRIX hacking is just like back in the old days with NetBIOS. It's
simple. It is malicious. It is highly effective. And the problem is
that CITRIX is pretty useful. Here is a dilemma for you:
let's say that you have a pretty stable desktop app which you would
like to be available on the Web. What are you gonna do? Port it to
XHTML, JavaScript and CSS? No way! You are most likely going to put it
over CITRIX.

I've also written a script which makes use of the ICAClient ActiveX
controller to enumerate remote Applications, Servers and Farms:
http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/enum.js

Let me know if you find this useful.

cheers

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
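The post says the insecure instances are obvious from the ICA files alone, once they have been dumped and grepped. The script below is an added example written for this archive, not pdp's bash/Python harvesting scripts or his enum.js, and it does the "grepping" step as a proper parser. An .ICA file is INI-style text that the Citrix client reads to start a session; the key names used here (Address, InitialProgram, Username, Password, ClearPassword, EncryptionLevelSession) are standard ICA launch-file keys, while the "wide open" heuristics and the sample files are my own constructions and not taken from any real site.

```python
"""Offline triage of published Citrix .ICA launch files.

Added example for this thread, not code from pdp or GNUCITIZEN. The key
names are standard ICA file keys; the heuristics for "wide open" are my
own assumptions, and SAMPLE_FILES below are constructed for the demo.
"""
import configparser
import ipaddress
from collections import Counter
from urllib.parse import urlparse

# A login shipped inside the file: whoever can fetch the .ICA gets the
# session as that account. Password= is Citrix's reversible obfuscation,
# ClearPassword= is plaintext; neither is a secret once the file is public.
CREDENTIAL_KEYS = ("password", "clearpassword")


def parse_ica(text):
    # strict=False: files in the wild repeat keys; interpolation off: values contain '%'
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower          # key names are case-insensitive
    cp.read_string(text)
    return cp


def _section(cp, name):
    """Case-insensitive section lookup (section casing varies between generators)."""
    for sec in cp.sections():
        if sec.lower() == name.lower():
            return cp[sec]
    return None


def triage(text):
    """Return (app, reason) findings for one .ICA file; an empty list means nothing obvious."""
    cp = parse_ica(text)
    apps = _section(cp, "ApplicationServers")
    if apps is None:
        return [("-", "not a launch file (no [ApplicationServers] section)")]
    findings = []
    for app in apps:                    # each listed app has a section of its own
        sec = _section(cp, app)
        if sec is None:
            continue
        addr = sec.get("address", "")
        if any(sec.get(k) for k in CREDENTIAL_KEYS):
            kind = "plaintext" if sec.get("clearpassword") else "obfuscated"
            findings.append((app, f"embedded {kind} credentials for user {sec.get('username', '?')!r}"))
        if not sec.get("initialprogram"):
            # No published-app restriction: the session lands on a full desktop.
            findings.append((app, f"full desktop session on {addr or 'unknown host'}"))
        host = addr.rsplit(":", 1)[0]   # strip an optional :port
        try:
            if ipaddress.ip_address(host).is_private:
                findings.append((app, f"private address {host} disclosed in a public file"))
        except ValueError:
            pass                        # hostname, not an IP literal
        enc = sec.get("encryptionlevelsession", "")
        if not enc or enc.lower() == "basic":
            findings.append((app, "session encryption not set above Basic"))
    return findings


def summarize(files):
    """Count files with findings by top-level domain, the way the post tallies .gov/.mil/.edu hits."""
    hits = Counter()
    for url, text in files:
        if triage(text):
            hits[urlparse(url).hostname.rsplit(".", 1)[-1]] += 1
    return hits


# Constructed sample files keyed by the URL they were "found" at (not real sites).
SAMPLE_FILES = [
    ("https://portal.example.gov/citrix/desktop.ica",
     "[ApplicationServers]\nDesktop=\n\n[Desktop]\nAddress=10.20.30.40:1494\n"
     "Username=svc_kiosk\nClearPassword=Summer2007\nDomain=AGENCY\n"),
    ("https://apps.example.edu/Citrix/Outlook.ica",
     "[ApplicationServers]\nOutlook=\n\n[Outlook]\nAddress=citrix1.example.edu\n"
     "InitialProgram=#Outlook\nUsername=student\nPassword=0005f1a5c8b2\n"
     "EncryptionLevelSession=EncRC5-128\n"),
    ("https://citrix.example.com/Citrix/Reports.ica",
     "[ApplicationServers]\nReports=\n\n[Reports]\nAddress=citrix.example.com\n"
     "InitialProgram=#Reports\nEncryptionLevelSession=EncRC5-128\n"),
]

if __name__ == "__main__":
    for url, text in SAMPLE_FILES:
        for app, reason in triage(text):
            print(f"{url}: [{app}] {reason}")
    print(dict(summarize(SAMPLE_FILES)))
```

Feed it the files a search-engine dump produces (one (url, text) pair each) and the tally comes out in the same shape as the post's per-TLD counts, without touching any of the servers; the verdict rests on the file contents alone, which is exactly the "no poking" observation pdp describes. The private-address check is the one that separates a portal deliberately exposed on the Internet from one whose internal launch file leaked.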


full-disclosure at hushmail

Oct 7, 2007, 7:40 AM

Post #2 of 4 (391 views)
Re: are the NetBIOS-like hacking days over? - wide open citrix services on critical domains [In reply to]

SHUT UP



se_cur_ity at hotmail

Oct 8, 2007, 3:59 AM

Post #3 of 4 (371 views)
Re: are the NetBIOS-like hacking days over? -wide open citrix services on critical domains [In reply to]

Netbios is quite fun over Hamachi



slash.pd at gmail

Oct 8, 2007, 7:22 AM

Post #4 of 4 (381 views)
Re: are the NetBIOS-like hacking days over? - wide open citrix services on critical domains [In reply to]

"all of them wide open and susceptible to attacks"

Unless you probe those vectors, will you be able to tell if they are
"susceptible to attacks"? !!

Rest assured nobody wants to dick around with US-CERT.

Nonetheless, pdp, that's a good writeup !!

/pd
