RE: Citrix application breakout - take care of Microsoft calculator

From: Shenk, Jerry A (jshenk@decommunications.com)
Date: Sat Mar 08 2008 - 06:51:40 EST

• Next message: davemitch@mailinator.com: "directory traversal vulnerability"
• Previous message: Joey Peloquin: "Re: Help - Can I do an external pen-test in this network?"
• In reply to: Thor (Hammer of God): "RE: Citrix application breakout - take care of Microsoft calculator"
• Next in thread: Gleb Paharenko: "Re: Citrix application breakout - take care of Microsoft calculator"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

While you have calc open, you can also go to options, internet options
(why is THAT there?) or options, home, and click on the "help and
support" link and it opens the "Help and Support Center" which has an
option for searching forums which after a few clicks will launch IE.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Thor (Hammer of God)
Sent: Friday, March 07, 2008 1:37 PM
To: Stefan Gora; pen-test@securityfocus.com
Subject: RE: Citrix application breakout - take care of Microsoft
calculator

Yep, XP and Server 2003's "calc" launches Notepad when you view the
eula.txt ;) Vista and 2008 do not... they just open a pop-up window in
the same calc.exe process. Any time you deploy remote desktop/remote
app solutions, you really need to ensure that you've covered all your
bases and ensured that you don't just count on the remote app deployment
mechanism to secure you -- you've got to have your permissions tight.

t

> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Stefan Gora
> Sent: Friday, March 07, 2008 3:14 AM
> To: pen-test@securityfocus.com
> Subject: Citrix application breakout - take care of Microsoft
> calculator
>
> Dear all,
>
> I'm not shure if the following issue is already known or exciting,
> nevertheless the following attack vector found during a penetration
> test
> might be interesting:
>
> A customer has built a Citrix environment for a partner company to
> provide access to a specific application. This application was
intended
> to be the only application accessible for this partner. It was
possible
> to get a remote task manager with CRTL-F3, but no other way of
> interacting with the Citrix Server (e.g. through printing or so).
>
> Unfortunately they have integrated Microsoft's calculator into the
> application. A bad idea - guess why ;-).
>
> Using the calculator you are able to do funny stuff: Open the
> calculator
> and click "info". Klick on the licence agreement and here you go, you
> have got an editor. With this you can use "open file" and browse the
> server, find for example Word and rightclick on "Open" - Word is
> running, and all other applications which you like as well ...
>
> I think this can easily be fixed using more restrictive file
> permissions, but I thought maybe some of you might find this
> information
> useful.
>
> Stefan
>
> --
> --------------------------------------------------------
> Identity Management Symposium 22.-23.04.2008 KA/Ettlingen
> http://www.identity-management-symposium.de
> --------------------------------------------------------
>
> Stefan Gora
> Security Consultant
>
> Secorvo Security Consulting GmbH
> Ettlinger Strasse 12-14, D-76137 Karlsruhe
> Tel. +49 721 255171-302, Fax +49 721 255171-100
> stefan.gora@secorvo.de, http://www.secorvo.de
> PGP: 5EAD 34FE F3C1 0FEB 058F 4DD0 E6B3 FF4A
>
> Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox
>
>
-----------------------------------------------------------------------
> -
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
>
-----------------------------------------------------------------------
> -

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: davemitch@mailinator.com: "directory traversal vulnerability"
• Previous message: Joey Peloquin: "Re: Help - Can I do an external pen-test in this network?"
• In reply to: Thor (Hammer of God): "RE: Citrix application breakout - take care of Microsoft calculator"
• Next in thread: Gleb Paharenko: "Re: Citrix application breakout - take care of Microsoft calculator"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:27 EDT