Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Citrix application breakout - take care of Microsoft calculator
From: "Robert S. Slifkin" <rob () SLIFKIN NET>
Date: Mon, 17 Mar 2008 16:37:48 -0400

Yes, that can be particularly dangerous.  From there you can launch the
explorer shell to get a full desktop and everything with System
privileges.   


____________________________________
Robert S. Slifkin
Email: Rob () slifkin net
Phone: 203.962.3878

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Bill Stout
Sent: Monday, March 17, 2008 12:32 AM
To: pen-test () securityfocus com
Subject: Re: Citrix application breakout - take care of Microsoft
calculator


Or this command string, which will pop up a second command window, but
with 'system' privileges.
 
c:\> at 21:00 /interactive %systemroot%\system32\cmd.exe

 
Bill Stout


----- Original Message ----
From: "infolookup () gmail com" <infolookup () gmail com>
To: Erik Soosalu <eriks () nationalfastfreight com>; 
listbounce () securityfocus com; pen-test () securityfocus com
Sent: Wednesday, March 12, 2008 4:46:34 AM
Subject: Re: Citrix application breakout - take care of Microsoft 
calculator

A discussion of this nature started a while back where someone noted 
that you could if giving regular user rights on a Citrix terminal 
still browse the network for shares.

Right click your desktop, select new shortcut and browse to 
system32/cmd.exe get a list of host name and available shares.

Then open up MS word and create a link to the share, click on it then 
you are browsing the share, or network place in question, in some 
cases you can even browse the underlining Citrix server that you are 
connected too, or create a folder and copy anything to it.
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "Erik Soosalu" 

Date: Mon, 10 Mar 2008 12:50:40
To:
Subject: RE: Citrix application breakout - take care of Microsoft 
calculator


Once you're in Notepad, File->Open, browse to Windows/system32, find 
cmd.exe right click and open and you have a command prompt on the box.

Of course, your could specify any UNC and get a file to load from 
wherever you want. Not sure what the actual run permissions would
be....

Erik



________________________________

From: listbounce () securityfocus com on behalf of Stefan Gora
Sent: Fri 3/7/2008 6:13 AM
To: pen-test () securityfocus com
Subject: Citrix application breakout - take care of Microsoft 
calculator



Dear all,

I'm not shure if the following issue is already known or exciting, 
nevertheless the following attack vector found during a penetration 
test might be interesting:

A customer has built a Citrix environment for a partner company to 
provide access to a specific application. This application was 
intended to be the only application accessible for this partner. It 
was possible to get a remote task manager with CRTL-F3, but no other 
way of interacting with the Citrix Server (e.g. through printing or
so).

Unfortunately they have integrated Microsoft's calculator into the 
application. A bad idea - guess why ;-).

Using the calculator you are able to do funny stuff: Open the 
calculator and click "info". Klick on the licence agreement and here 
you go, you have got an editor. With this you can use "open file" and 
browse the server, find for example Word and rightclick on "Open" - 
Word is running, and all other applications which you like as well ...

I think this can easily be fixed using more restrictive file 
permissions, but I thought maybe some of you might find this 
information useful.

Stefan

--
--------------------------------------------------------
Identity Management Symposium 22.-23.04.2008 KA/Ettlingen 
http://www.identity-management-symposium.de

--------------------------------------------------------

Stefan Gora
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe Tel. +49 721 255171-302, 
Fax +49 721 255171-100 stefan.gora () secorvo de, http://www.secorvo.de
PGP: 5EAD 34FE F3C1 0FEB 058F 4DD0 E6B3 FF4A

Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox

----------------------------------------------------------------------
--
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
----------------------------------------------------------------------
--





----------------------------------------------------------------------
--
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
----------------------------------------------------------------------
--

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault