Re: Citrix application breakout - take care of Microsoft calculator

If you are looking to harden Kiosk I think the first step would be to disable 
the windows key from the keyboard, once you press Win key + U for utility 
manager you can do some really funky stuff, I read an article in 2600 this week 
detailing this.
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "Gleb Paharenko" <gpaharenko@gmail.com>

Date: Mon, 10 Mar 2008 09:55:27 
To:"Stefan Gora" <stefan.gora@secorvo.de>
Cc:pen-test@securityfocus.com
Subject: Re: Citrix application breakout - take care of Microsoft calculator


Thank you Stefan.

A question for all. Is there some checklist about what should be
stripped out of the default Windows shippment for similar cases?

 I'm especially interested in hardening windows for kiosks. There
bunch of applications (screen keyboard, notepad, others?) which should
be removed.

2008/3/7, Stefan Gora <stefan.gora@secorvo.de>:
> Dear all,
>
>  I'm not shure if the following issue is already known or exciting,
>  nevertheless the following attack vector found during a penetration test
>  might be interesting:
>
>  A customer has built a Citrix environment for a partner company to
>  provide access to a specific application. This application was intended
>  to be the only application accessible for this partner. It was possible
>  to get a remote task manager with CRTL-F3, but no other way of
>  interacting with the Citrix Server (e.g. through printing or so).
>
>  Unfortunately they have integrated Microsoft's calculator into the
>  application. A bad idea - guess why ;-).
>
>  Using the calculator you are able to do funny stuff: Open the calculator
>  and click "info". Klick on the licence agreement and here you go, you
>  have got an editor. With this you can use "open file" and browse the
>  server, find for example Word and rightclick on "Open" - Word is
>  running, and all other applications which you like as well ...
>
>  I think this can easily be fixed using more restrictive file
>  permissions, but I thought maybe some of you might find this information
>  useful.
>
>  Stefan
>
>  --
>  --------------------------------------------------------
>  Identity Management Symposium 22.-23.04.2008 KA/Ettlingen
>  http://www.identity-management-symposium.de
>  --------------------------------------------------------
>
>  Stefan Gora
>  Security Consultant
>
>  Secorvo Security Consulting GmbH
>  Ettlinger Strasse 12-14, D-76137 Karlsruhe
>  Tel. +49 721 255171-302, Fax +49 721 255171-100
>  stefan.gora@secorvo.de, http://www.secorvo.de
>  PGP: 5EAD 34FE F3C1 0FEB  058F 4DD0 E6B3 FF4A
>
>  Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox
>
>  ------------------------------------------------------------------------
>  This list is sponsored by: Cenzic
>
>  Need to secure your web apps NOW?
>  Cenzic finds more, "real" vulnerabilities fast.
>  Click to try it, buy it or download a solution FREE today!
>
>  http://www.cenzic.com/downloads
>  ------------------------------------------------------------------------


-- 
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------