Penetration Testing: Re: Citrix application breakout - take care of Microsoft calculator

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Penetration Testing mailing list archives

Re: Citrix application breakout - take care of Microsoft calculator

From: Bill Stout <billbrietstout () yahoo com>
Date: Sun, 16 Mar 2008 21:32:05 -0700 (PDT)


Or this command string, which will pop up a second command window, but with 'system' privileges.
 
c:\> at 21:00 /interactive %systemroot%\system32\cmd.exe

 
Bill Stout


----- Original Message ----

From: "infolookup () gmail com" <infolookup () gmail com>
To: Erik Soosalu <eriks () nationalfastfreight com>; listbounce () securityfocus com; pen-test () securityfocus com
Sent: Wednesday, March 12, 2008 4:46:34 AM
Subject: Re: Citrix application breakout - take care of Microsoft calculator

A discussion of this nature started a while back where someone noted that you 
could if giving regular user rights on a Citrix terminal still browse the 
network for shares.

Right click your desktop, select new shortcut and browse to system32/cmd.exe get 
a list of host name and available shares.

Then open up MS word and create a link to the share, click on it then you are 
browsing the share, or network place in question, in some cases you can even 
browse the underlining Citrix server that you are connected too, or create a 
folder and copy anything to it.
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "Erik Soosalu" 

Date: Mon, 10 Mar 2008 12:50:40 
To:
Subject: RE: Citrix application breakout - take care of Microsoft calculator

Once you're in Notepad, File->Open, browse to Windows/system32, find cmd.exe 
right click and open and you have a command prompt on the box. Of course, your 
could specify any UNC and get a file to load from wherever you want. Not sure 
what the actual run permissions would be....

Erik

________________________________

From: listbounce () securityfocus com on behalf of Stefan Gora
Sent: Fri 3/7/2008 6:13 AM
To: pen-test () securityfocus com
Subject: Citrix application breakout - take care of Microsoft calculator

Dear all,

I'm not shure if the following issue is already known or exciting,
nevertheless the following attack vector found during a penetration test
might be interesting:

A customer has built a Citrix environment for a partner company to
provide access to a specific application. This application was intended
to be the only application accessible for this partner. It was possible
to get a remote task manager with CRTL-F3, but no other way of
interacting with the Citrix Server (e.g. through printing or so).

Unfortunately they have integrated Microsoft's calculator into the
application. A bad idea - guess why ;-).

Using the calculator you are able to do funny stuff: Open the calculator
and click "info". Klick on the licence agreement and here you go, you
have got an editor. With this you can use "open file" and browse the
server, find for example Word and rightclick on "Open" - Word is
running, and all other applications which you like as well ...

I think this can easily be fixed using more restrictive file
permissions, but I thought maybe some of you might find this information
useful.

Stefan

--
--------------------------------------------------------
Identity Management Symposium 22.-23.04.2008 KA/Ettlingen
http://www.identity-management-symposium.de 

--------------------------------------------------------

Stefan Gora
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-302, Fax +49 721 255171-100
stefan.gora () secorvo de, http://www.secorvo.de 
PGP: 5EAD 34FE F3C1 0FEB 058F 4DD0 E6B3 FF4A

Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads 
------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads 
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

By Date By Thread

Current thread:

RE: Citrix application breakout - take care of Microsoft calculator, (continued)
- Re: Citrix application breakout - take care of Microsoft calculator Gleb Paharenko (Mar 12)
  - Re: Citrix application breakout - take care of Microsoft calculator sherwyn . williams (Mar 13)
- RE: Citrix application breakout - take care of Microsoft calculator Erik Soosalu (Mar 12)
  - Re: Citrix application breakout - take care of Microsoft calculator infolookup (Mar 13)
- Re: Citrix application breakout - take care of Microsoft calculator Bill Stout (Mar 17)
  - RE: Citrix application breakout - take care of Microsoft calculator Robert S. Slifkin (Mar 18)
    - Re: Citrix application breakout - take care of Microsoft calculator Shreyas Zare (Mar 18)