Bugtraq mailing list archives

Citrix ICA Basic Encryption
From: dugsong () MONKEY ORG (Dug Song)
Date: Wed, 29 Mar 2000 09:59:55 -0500

The ICA (Independent Computing Architecture) protocol used in various
Citrix products (Winframe, Metaframe) relies on a trivially cracked
encryption scheme to protect user authentication.

The ICA basic encryption algorithm is a variant of the simple XOR
scheme used for saved Winframe passwords:

        #include <sys/types.h>   /* u_char */

        /* One-byte XOR chain: byte i is XORed with ciphertext byte i-1 and the
         * key, byte 0 with (key | 'C'). Loop starts at len - 1 so p[len] is
         * never written (the posted "i = len" ran one byte past the buffer). */
        void decrypt(u_char key, u_char *p, int len)
        {
          int i;

          for (i = len - 1; i > 0; i--)
            p[i] = p[i-1] ^ p[i] ^ key;

          p[0] ^= (key | 'C');
        }

Demonstration code to decrypt Winframe passwords stored in appsrv.ini:


Demonstration code to sniff (and decrypt) ICA network authentication:


Citrix offers a secure alternative called SecureICA, which uses
Diffie-Hellman for key exchange and RC5 to encrypt the underlying
transport (now at 128-bit strength worldwide). While this is certainly
better than the simple XOR scheme outlined above, it may still be
vulnerable to an active man-in-the-middle attack. Caveat user.


Thanks to Jeremie Kass <jeremie () monkey org> for providing me with ICA
traffic traces, and to Niels Provos <provos () monkey org> for sifting thru
hexdumps with me. :-)
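An added example, not code from the post above: the ICA basic XOR chain written as an encrypt/decrypt pair so the scheme can be exercised round trip, together with a check that makes the "trivially cracked" claim concrete. Function names (ica_encrypt, ica_decrypt, adjacent_xor_leaks and the rest) and the sample key and message are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post: the ICA basic XOR chain
 * written as an encrypt/decrypt pair so the scheme can be exercised end to
 * end, plus a check that shows why a one-byte key gives no real protection.
 * Function names are this example's own. Buffers hold len plain bytes and
 * nothing past p[len-1] is touched. */

/* Decrypt in place: m[i] = c[i-1] ^ c[i] ^ key for i >= 1,
 * m[0] = c[0] ^ (key | 'C'). Runs backwards so c[i-1] is still ciphertext. */
void ica_decrypt(unsigned char key, unsigned char *p, size_t len)
{
    size_t i;

    if (len == 0)
        return;
    for (i = len - 1; i > 0; i--)
        p[i] = p[i - 1] ^ p[i] ^ key;
    p[0] ^= (unsigned char)(key | 'C');
}

/* Encrypt in place: the forward chain, c[i] = m[i] ^ c[i-1] ^ key. */
void ica_encrypt(unsigned char key, unsigned char *p, size_t len)
{
    size_t i;

    if (len == 0)
        return;
    p[0] ^= (unsigned char)(key | 'C');
    for (i = 1; i < len; i++)
        p[i] = p[i] ^ p[i - 1] ^ key;
}

/* Ciphertext byte idx of msg under key (for spot checks); 0 if out of range. */
unsigned char ica_encrypted_byte(unsigned char key, const char *msg, size_t idx)
{
    unsigned char c[64];
    size_t len = strlen(msg);

    if (len > sizeof(c) || idx >= len)
        return 0;
    memcpy(c, msg, len);
    ica_encrypt(key, c, len);
    return c[idx];
}

/* 1 if decrypt(encrypt(msg)) gives msg back. */
int ica_roundtrip_ok(unsigned char key, const char *msg)
{
    unsigned char buf[64];
    size_t len = strlen(msg);

    if (len == 0 || len > sizeof(buf))
        return 0;
    memcpy(buf, msg, len);
    ica_encrypt(key, buf, len);
    ica_decrypt(key, buf, len);
    return memcmp(buf, msg, len) == 0;
}

/* Why the post calls the scheme trivially cracked: for i >= 1 the key cancels
 * out of m[i] ^ m[i+1], which equals c[i-1] ^ c[i+1]. Anyone holding the
 * ciphertext therefore learns the XOR of every adjacent plaintext pair with no
 * key at all, and the key itself is a single byte (256 candidates). Returns 1
 * if the identity holds at every position of msg. */
int adjacent_xor_leaks(unsigned char key, const char *msg)
{
    unsigned char c[64];
    const unsigned char *m = (const unsigned char *)msg;
    size_t len = strlen(msg), i;

    if (len < 3 || len > sizeof(c))
        return 0;
    memcpy(c, m, len);
    ica_encrypt(key, c, len);
    for (i = 1; i + 1 < len; i++)
        if ((unsigned char)(c[i - 1] ^ c[i + 1]) != (unsigned char)(m[i] ^ m[i + 1]))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample values; not a real key or credential. */
    const char *msg = "hunter2";
    unsigned char key = 0x5a;

    printf("round trip ok: %d\n", ica_roundtrip_ok(key, msg));
    printf("adjacent plaintext XORs readable without key: %d\n",
           adjacent_xor_leaks(key, msg));
    return 0;
}
```

The point of adjacent_xor_leaks is the design lesson rather than the arithmetic: a chained XOR with a constant key is a poor substitute for a cipher, since the key contributes the same constant at every position and cancels under any pairwise comparison, which is why the post recommends the DH/RC5-based SecureICA transport over this scheme for anything carrying credentials.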


