Re: Citrix application breakout - take care of Microsoft calculator

From: Bill Stout (billbrietstout@yahoo.com)
Date: Sun Mar 16 2008 - 23:32:05 EST


Or this command string, which will pop up a second command window, but with 'system' privileges.
 
c:\> at 21:00 /interactive %systemroot%\system32\cmd.exe

 
Bill Stout

----- Original Message ----
> From: "infolookup@gmail.com" <infolookup@gmail.com>
> To: Erik Soosalu <eriks@nationalfastfreight.com>; listbounce@securityfocus.com; pen-test@securityfocus.com
> Sent: Wednesday, March 12, 2008 4:46:34 AM
> Subject: Re: Citrix application breakout - take care of Microsoft calculator
>
> A discussion of this nature started a while back where someone noted that you
> could, if given regular user rights on a Citrix terminal, still browse the
> network for shares.
>
> Right-click your desktop, select new shortcut and browse to system32/cmd.exe, get
> a list of host names and available shares.
>
> Then open up MS Word and create a link to the share, click on it, then you are
> browsing the share, or network place in question; in some cases you can even
> browse the underlying Citrix server that you are connected to, or create a
> folder and copy anything to it.
>
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: "Erik Soosalu"
>
> Date: Mon, 10 Mar 2008 12:50:40
> To:
> Subject: RE: Citrix application breakout - take care of Microsoft calculator
>
>
> Once you're in Notepad, File->Open, browse to Windows/system32, find cmd.exe,
> right-click and open and you have a command prompt on the box. Of course, you
> could specify any UNC and get a file to load from wherever you want. Not sure
> what the actual run permissions would be....
>
> Erik
>
>
>
> ________________________________
>
> From: listbounce@securityfocus.com on behalf of Stefan Gora
> Sent: Fri 3/7/2008 6:13 AM
> To: pen-test@securityfocus.com
> Subject: Citrix application breakout - take care of Microsoft calculator
>
>
>
> Dear all,
>
> I'm not sure if the following issue is already known or exciting,
> nevertheless the following attack vector found during a penetration test
> might be interesting:
>
> A customer has built a Citrix environment for a partner company to
> provide access to a specific application. This application was intended
> to be the only application accessible for this partner. It was possible
> to get a remote task manager with CTRL-F3, but no other way of
> interacting with the Citrix Server (e.g. through printing or so).
>
> Unfortunately they have integrated Microsoft's calculator into the
> application. A bad idea - guess why ;-).
>
> Using the calculator you are able to do funny stuff: Open the calculator
> and click "info". Click on the licence agreement and here you go, you
> have got an editor. With this you can use "open file" and browse the
> server, find for example Word and right-click on "Open" - Word is
> running, and all other applications which you like as well ...
>
> I think this can easily be fixed using more restrictive file
> permissions, but I thought maybe some of you might find this information
> useful.
>
> Stefan
>
> --
> --------------------------------------------------------
> Identity Management Symposium 22.-23.04.2008 KA/Ettlingen
> http://www.identity-management-symposium.de
>
> --------------------------------------------------------
>
> Stefan Gora
> Security Consultant
>
> Secorvo Security Consulting GmbH
> Ettlinger Strasse 12-14, D-76137 Karlsruhe
> Tel. +49 721 255171-302, Fax +49 721 255171-100
> stefan.gora@secorvo.de, http://www.secorvo.de
> PGP: 5EAD 34FE F3C1 0FEB 058F 4DD0 E6B3 FF4A
>
> Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:28 EDT
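
A defender-side check for the chain this thread describes, as an added example that is not part of the original messages: it reviews process-creation records for binaries started outside the published set and for `at` jobs created with `/interactive`, and reports the parent chain of each hit. The records, their field names, `partnerapp.exe` and the allowlist are constructed assumptions.

```python
import ntpath

# Hypothetical allowlist: the only binaries the partner account should ever start.
PUBLISHED = {"partnerapp.exe", "calc.exe"}

# Constructed process-creation records (not real logs); the field names are
# assumptions modelled on typical process-creation audit events.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Apps\partnerapp.exe", "cmdline": "partnerapp.exe"},
    {"pid": 110, "ppid": 100, "image": r"C:\Windows\System32\calc.exe", "cmdline": "calc.exe"},
    {"pid": 120, "ppid": 110, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"pid": 130, "ppid": 120, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 140, "ppid": 130, "image": r"C:\Windows\System32\at.exe",
     "cmdline": r"at 21:00 /interactive C:\Windows\System32\cmd.exe"},
]

def name(event):
    """Lower-cased file name of the started binary (Windows path rules)."""
    return ntpath.basename(event["image"]).lower()

def lineage(event, by_pid):
    """Walk ppid links back to the session root; return names, oldest first."""
    chain, seen = [], set()
    while event is not None and event["pid"] not in seen:
        seen.add(event["pid"])  # guards against pid reuse loops in the data
        chain.append(name(event))
        event = by_pid.get(event["ppid"])
    return list(reversed(chain))

def review(events, published=PUBLISHED):
    """Return (rule, parent chain) for every record that needs a look."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if name(e) == "at.exe" and "/interactive" in e["cmdline"].lower():
            rule = "interactive-at-job"   # scheduled job that opens a window
        elif name(e) not in published:
            rule = "unpublished-binary"   # started outside the published set
        else:
            continue
        findings.append((rule, " > ".join(lineage(e, by_pid))))
    return findings

if __name__ == "__main__":
    for rule, chain in review(EVENTS):
        print(f"{rule}: {chain}")
```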