Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Citrix exploits?

from [r@d] Network Security [Permanent Link]
Subject: Re: Citrix exploits?
Date: Fri, 18 Aug 2006 22:54:38 +0200
This is quite hard to do, because Citrix Web Interface, usually is installed in conjuntion with Citrix Access Gateway or Citrix Secure Gateway, that inherits a ticketing system to validate the requisted session. If you could break the Citrix Web Interface by exploiting one of the .dll's its using, or finding error's in the .cs or .js files included with Web Interface (serverside/clientside folder) it would be possible to get unauthorized access to the application list, once there, it should be no problem requesting a ticket for a session. Citrix has several security bulletins on their website (support.citrix.com) how this is done with two factor 'protected' sites, where if two factor fails, a path to the applist.htm is available to get unauthorized access to the application list. Still you would need a username/password (ie test/test) to initially authenticatie. A more easy option: Usually Citrix Web Interface is installed as local administrator on IIS, break IIS, and you break Web Interface.

regards, Rajendra Soebhag

----- Original Message ----- From: "Marc Ouwerkerk" <marc@olderchurch.nl>
To: "'Ben Nell'" <enemy.cow@gmail.com>; <pen-test@securityfocus.com>
Sent: Monday, August 14, 2006 5:12 PM
Subject: RE: Citrix exploits?


If you have a valid user name and login, you can check if one of the MS
applications installed (Word, Access, etc) have VBA enabled. You can then
execute any dll that you upload to the machine.


Marc Ouwerkerk

-----Original Message-----
From: Ben Nell [mailto:enemy.cow@gmail.com]
Sent: maandag 14 augustus 2006 5:56
To: pen-test@securityfocus.com
Subject: Re: Citrix exploits?

On 11 Aug 2006 22:35:38 -0000, 09Sparky@gmail.com <09Sparky@gmail.com>
wrote:
Does anyone have any good techniques or exploits available for Citrix
(web)? I am working on exploiting a citrix server with a front end webpage,
but am unsuccessful. Any suggestions/thoughts?

Do you have a valid user name and login for the Citrix farm? If the
launch.ica files (provided as links, once logged into the web
interface) can be downloaded and opened in a text editor, they will provide
you with information about the connection that the farm is set up to use.
Is the web interface using SSL? If the site's running over SSL, it's
possible that they have their farm behind a Citrix Access Gateway (AG) or
MetaFrame Secure Acess Manager (MSAM). In the case that an AG or MSAM is
deployed, the connection is encrypted on the backend, otherwise you should
be able to capture session information on the backend. You can tell if one
of these technologies is in use because ports 1494 (ICA) and 2598 (session
reliability) will not be open in such a setup.

I would also note the type of farm that's set up.  Citrix "best practice"
suggests setting up a farm using the naming convention "meta01" for the
first server in the farm and moving up.  I would check for additional DNS
names using the same convention.

----------------------------------------------------------------------------
--
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise, you need to proactively protect your applications from hackers. Cenzic
has the most comprehensive solutions to meet your application security
penetration testing and vulnerability management needs. You have an option
to go with a managed service (Cenzic ClickToSecure) or an enterprise
software (Cenzic Hailstorm). Download FREE whitepaper on how a managed
service can help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
----------------------------------------------------------------------------
--



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Injected, whats next, Brendan Dolan-Gavitt
Next by Date:  Re: brute-force with tsgrinder, Thor (Hammer of God)
Previous by Thread:  RE: Citrix exploits?, Marc Ouwerkerk
Next by Thread:  Re: Re: Citrix exploits?, 09sparky
Indexes:  [Date] [Thread] [Top] [All Lists]