RE: Citrix exploits?

From: Marc Ouwerkerk (marc@olderchurch.nl)
Date: Mon Aug 14 2006 - 11:12:20 EDT


If you have a valid user name and login, you can check if one of the MS
applications installed (Word, Access, etc) have VBA enabled. You can then
execute any dll that you upload to the machine.

Marc Ouwerkerk

-----Original Message-----
From: Ben Nell [mailto:enemy.cow@gmail.com]
Sent: Monday 14 August 2006 5:56
To: pen-test@securityfocus.com
Subject: Re: Citrix exploits?

On 11 Aug 2006 22:35:38 -0000, 09Sparky@gmail.com <09Sparky@gmail.com>
wrote:
> Does anyone have any good techniques or exploits available for Citrix
> (web)? I am working on exploiting a citrix server with a front end webpage,
> but am unsuccessful. Any suggestions/thoughts?

Do you have a valid user name and login for the Citrix farm? If the
launch.ica files (provided as links, once logged into the web
interface) can be downloaded and opened in a text editor, they will provide
you with information about the connection that the farm is set up to use.
Is the web interface using SSL? If the site's running over SSL, it's
possible that they have their farm behind a Citrix Access Gateway (AG) or
MetaFrame Secure Access Manager (MSAM). In the case that an AG or MSAM is
deployed, the connection is encrypted on the backend, otherwise you should
be able to capture session information on the backend. You can tell if one
of these technologies is in use because ports 1494 (ICA) and 2598 (session
reliability) will not be open in such a setup.

I would also note the type of farm that's set up. Citrix "best practice"
suggests setting up a farm using the naming convention "meta01" for the
first server in the farm and moving up. I would check for additional DNS
names using the same convention.
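The launch.ica point above lends itself to a defensive check: an administrator can audit what the ICA files their Web Interface hands out actually disclose about the farm. The following is an added example, not code from this thread; the ICA key names (Address, SSLEnable, SSLProxyHost, CGPAddress, LogonTicket, ClearPassword) are standard ICA file keys, and the sample file is constructed.

```python
"""Audit what a launch.ica file discloses about a Citrix farm (added example)."""
import configparser
from typing import Dict, List

# Constructed sample of an ICA file from a farm with no gateway in front of it.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.0.21:1494
InitialProgram=#Notepad
CGPAddress=*:2598
SSLEnable=Off
LogonTicket=ABCDEF0123456789
"""


def parse_ica(text: str) -> configparser.ConfigParser:
    # ICA files are INI-style; keep key case and disable '%' interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_ica(text: str) -> Dict[str, object]:
    cp = parse_ica(text)
    apps = list(cp["ApplicationServers"].keys()) if cp.has_section("ApplicationServers") else []
    findings: List[str] = []
    for app in apps:
        if not cp.has_section(app):
            continue
        s = cp[app]
        address, gateway = s.get("Address", ""), s.get("SSLProxyHost", "")
        if address and not gateway:
            # No gateway host: the client is told to reach the backend directly.
            findings.append(f"{app}: backend address {address} disclosed, no gateway")
        if s.get("SSLEnable", "Off").lower() != "on":
            findings.append(f"{app}: SSLEnable=Off, ICA session is not TLS-wrapped")
        if s.get("CGPAddress"):
            findings.append(f"{app}: session reliability (2598) advertised: {s['CGPAddress']}")
        if s.get("ClearPassword"):
            findings.append(f"{app}: ClearPassword embedded in file")
        if s.get("LogonTicket"):
            findings.append(f"{app}: one-time LogonTicket embedded; file must not be cached")
    return {"applications": apps, "findings": findings}
```

Run `audit_ica` over ICA files saved from your own Web Interface; a file that names an SSLProxyHost and has SSLEnable=On is what a gateway-fronted farm should produce.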

----------------------------------------------------------------------------

--
This List Sponsored by: Cenzic
Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise, you need to proactively protect your applications from hackers. Cenzic
has the most comprehensive solutions to meet your application security
penetration testing and vulnerability management needs. You have an option
to go with a managed service (Cenzic ClickToSecure) or an enterprise
software (Cenzic Hailstorm). Download FREE whitepaper on how a managed
service can help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
----------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:43 EDT