Re: Citrix application breakout - take care of Microsoft calculator

From: Shreyas Zare (shreyas@technitium.com)
Date: Tue Mar 18 2008 - 05:19:13 EST


Also, you can disable the Task Scheduler service so that AT won't work.

On 3/18/08, Robert S. Slifkin <rob@slifkin.net> wrote:
> Yes, that can be particularly dangerous. From there you can launch the
> explorer shell to get a full desktop and everything with System
> privileges.
>
>
> ____________________________________
> Robert S. Slifkin
> Email: Rob@slifkin.net
> Phone: 203.962.3878
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> On Behalf Of Bill Stout
> Sent: Monday, March 17, 2008 12:32 AM
> To: pen-test@securityfocus.com
> Subject: Re: Citrix application breakout - take care of Microsoft
> calculator
>
>
> Or this command string, which will pop up a second command window, but
> with 'system' privileges.
>
> c:\> at 21:00 /interactive %systemroot%\system32\cmd.exe
>
>
> Bill Stout
>
>
> ----- Original Message ----
> > From: "infolookup@gmail.com" <infolookup@gmail.com>
> > To: Erik Soosalu <eriks@nationalfastfreight.com>;
> > listbounce@securityfocus.com; pen-test@securityfocus.com
> > Sent: Wednesday, March 12, 2008 4:46:34 AM
> > Subject: Re: Citrix application breakout - take care of Microsoft
> > calculator
> >
> > A discussion of this nature started a while back where someone noted
> > that you could, if given regular user rights on a Citrix terminal,
> > still browse the network for shares.
> >
> > Right click your desktop, select new shortcut and browse to
> > system32/cmd.exe, get a list of host names and available shares.
> >
> > Then open up MS Word and create a link to the share, click on it then
> > you are browsing the share, or network place in question, in some
> > cases you can even browse the underlying Citrix server that you are
> > connected to, or create a folder and copy anything to it.
> > Sent from my Verizon Wireless BlackBerry
> >
> > -----Original Message-----
> > From: "Erik Soosalu"
> >
> > Date: Mon, 10 Mar 2008 12:50:40
> > To:
> > Subject: RE: Citrix application breakout - take care of Microsoft
> > calculator
> >
> >
> > Once you're in Notepad, File->Open, browse to Windows/system32, find
> > cmd.exe, right click and open and you have a command prompt on the box.
> >
> > Of course, you could specify any UNC and get a file to load from
> > wherever you want. Not sure what the actual run permissions would
> > be....
> >
> > Erik
> >
> >
> >
> > ________________________________
> >
> > From: listbounce@securityfocus.com on behalf of Stefan Gora
> > Sent: Fri 3/7/2008 6:13 AM
> > To: pen-test@securityfocus.com
> > Subject: Citrix application breakout - take care of Microsoft
> > calculator
> >
> >
> >
> > Dear all,
> >
> > I'm not sure if the following issue is already known or exciting,
> > nevertheless the following attack vector found during a penetration
> > test might be interesting:
> >
> > A customer has built a Citrix environment for a partner company to
> > provide access to a specific application. This application was
> > intended to be the only application accessible for this partner. It
> > was possible to get a remote task manager with CTRL-F3, but no other
> > way of interacting with the Citrix Server (e.g. through printing or
> > so).
> >
> > Unfortunately they have integrated Microsoft's calculator into the
> > application. A bad idea - guess why ;-).
> >
> > Using the calculator you are able to do funny stuff: Open the
> > calculator and click "info". Click on the licence agreement and here
> > you go, you have got an editor. With this you can use "open file" and
> > browse the server, find for example Word and right-click on "Open" -
> > Word is running, and all other applications which you like as well ...
> >
> > I think this can easily be fixed using more restrictive file
> > permissions, but I thought maybe some of you might find this
> > information useful.
> >
> > Stefan
> >
> > --
> > --------------------------------------------------------
> > Identity Management Symposium 22.-23.04.2008 KA/Ettlingen
> > http://www.identity-management-symposium.de
> >
> > --------------------------------------------------------
> >
> > Stefan Gora
> > Security Consultant
> >
> > Secorvo Security Consulting GmbH
> > Ettlinger Strasse 12-14, D-76137 Karlsruhe Tel. +49 721 255171-302,
> > Fax +49 721 255171-100 stefan.gora@secorvo.de, http://www.secorvo.de
> > PGP: 5EAD 34FE F3C1 0FEB 058F 4DD0 E6B3 FF4A
> >
> > Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox
> >
> > ----------------------------------------------------------------------
> > --
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > ----------------------------------------------------------------------
> > --
>
>
>

-- 
("Computers are useless. They can only give you answers." - Pablo Picasso)
Shreyas Zare
Co-Founder, Technitium
eMail: shreyas@technitium.com
..::< The Technitium Team >::..
Visit us at www.technitium.com
Contact us at theteam@technitium.com
Technitium Personal Computers
We believe in quality.
Visit http://pc.technitium.com for details.
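
Added example, not part of the original thread: a local audit for the mitigation suggested in the reply above. It reports whether the Task Scheduler service (service name `Schedule`) can still run AT jobs and lists any AT jobs created with `/interactive`. It assumes Windows PowerShell run as an administrator; the `-Remediate` switch is a hypothetical name chosen for this example.

```powershell
# Added example (not from the thread): local audit of the AT / Task Scheduler
# exposure. Assumes Windows PowerShell run as an administrator.
param([switch]$Remediate)   # hypothetical switch: apply the mitigation from the reply

# AT jobs are executed by the Task Scheduler service, service name "Schedule".
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='Schedule'"

# Win32_ScheduledJob exposes jobs created with AT. The class may be unavailable
# on newer Windows releases, so a failed query is treated as "no AT jobs visible".
$jobs = @(Get-WmiObject -Class Win32_ScheduledJob -ErrorAction SilentlyContinue)

# Jobs with InteractWithDesktop set correspond to "at ... /interactive".
$interactive = @($jobs | Where-Object { $_.InteractWithDesktop })

$report = New-Object PSObject -Property @{
    ServiceState    = $svc.State
    StartMode       = $svc.StartMode
    AtJobs          = $jobs.Count
    InteractiveJobs = $interactive.Count
    # AT stays usable while the service runs or can be started again.
    Exposed         = ($svc.State -eq 'Running') -or ($svc.StartMode -ne 'Disabled')
}
$report | Format-List

foreach ($j in $interactive) {
    Write-Warning ("Interactive AT job {0}: {1}" -f $j.JobId, $j.Command)
}

if ($Remediate -and $report.Exposed) {
    # Disabling the service also stops every other scheduled task on this host,
    # so confirm nothing else depends on it before applying this.
    Stop-Service -Name Schedule -Force
    Set-Service  -Name Schedule -StartupType Disabled
    Write-Output "Task Scheduler stopped and disabled."
}
```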


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:28 EDT