Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Security of Citrix server to client protocol
From: Peter Van Epp <vanepp () SFU CA>
Date: Thu, 14 Sep 2000 12:03:15 -0700

Peter Van Epp wrote:

        My question is can any one tell me I don't even need to look because
the server client protocol is (for instance) a full IP connection and full of
holes? Has anyone been able to compromise a client machine by breaking in to
the server on Citrix?


The Citrix client has the ability to map local file systems to a drive
on the Citrix server, by default the linux client mounts the /tmp
directory to the R drive.  If someone gains access to the server, they

        Thanks, that right there tells me that Citrix isn't worth considering
in this application (which is what I was afraid of). I guess I'll have to have
a look at the ATT VNC (? never remember the right acronym :-)) product which
I believe is open source and our NT folks are using (within SSH tunnels) to
do remote administration. All I want is a stream of keystrokes from the secure
net out and a stream of video drawing commands (and only those) allowed in
to a gateway machine which will basically pass video drawing commands to
a client side rendering engine (and only there), anything else gets tossed and
alarm about an attack raised. I don't want anything other than drawing commands
to the video screen coming in to the network, and certainly no file sharing.
I'd be real tempted to do without an operating system, only two ethernet
drivers and a dirt simple filter program running on a PC loaded from DOS to
do the program loading.

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]