The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Citrix Metaframe Presentation Server Policies Bypassing
------------------------------------------------------------------------
SUMMARY
<http://www.citrix.com/> Citrix Presentation Server - "is the world s
most widely deployed presentation server for centrally deploying and
managing applications, especially in a heterogeneous environment, and
delivering their functionality as a service to workers, wherever they may
be."
A vulnerability in Presentation Server allows a user bypass Citrix
policies that have been applied to client name.
DETAILS
Vulnerable Systems:
* Citrix Metaframe Presentation Server versions 3.0 and 4.0
Citrix Presentation Server policy is used for administrators to restrict
the user environment and these allow applying to: IP client, servers,
Users, o Client Name.
When user used the Web Interface to access to application in Citrix
environment the CLIENT NAME used is WI_*, where (*) is a random value like
asdfserw34vc342dk this extension allow administrators to use Citrix
policy based in client name "WI_*" This policy can be used to restrict
"printing Mapping, Disk Mapping, Control bandwidth, manage printer driver
environment so..."
When user uses the application in Web interface, he download and execute
automatic file "launch.ica".
If the user "save as" launch.ica in his PC, and edit with notepad. He can
change the value in ClientName that another "WI_" and execute.
When user connects to Citrix with ica file modified to Presentation
Server, the value in clientname is different to the original one and
bypasses the Citrix policies.
Proof of concept:
Here is an example extracted from launch.ica:
[Encoding]
InputEncoding=ISO8859_1
[WFClient]
Version=2
ClientName=WI_XXXX -> change this extension with other name to bypass the
citrix policies
TransportReconnectEnabled=On
RemoveICAFile=yes
ProxyType=None
ProxyTimeout=30000
Vendor Status:
<http://support.citrix.com/kb/entry!default.jspa?categoryID=275&externalID=CTX107705>
http://support.citrix.com/kb/entry!default.jspa?categoryID=275&externalID=CTX107705
ADDITIONAL INFORMATION
The information has been provided by <mailto:gustavog@grupoiptro.com.ar>
Gustavo Gurmandi.
The original article can be found at:
<http://www.grupoitpro.com.ar/ctxpoliciesbypass.txt>
http://www.grupoitpro.com.ar/ctxpoliciesbypass.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
