Citrix Opens Security Holes in Military, Federal Web Site

Citrix Opens Security Holes in Military, Federal Web Site
Citrix Opens Security Holes in Military, Federal Web Site

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

By Lisa Vaas
October 8, 2007

A researcher says the Citrix technology running military and government 
Web site GUI's is full of security holes.

The Citrix technology that chugs away underneath Web applications is 
being used to put up military and government GUIs with security holes 
you could drive a bus through.

Security researcher Petko D. Petkov=E2=80=94aka "pdp"=E2=80=94said in an Oct. 4 posting 
that his recent testing of Citrix gateways led him to "tons" of 
"wide-open" Citrix instances, including 10 on government domains and 
four on military domains.

"The Internet is full of wide open CITRIX gateways. This is madness," he 
wrote. "I mean, it is 2007 people, it shouldn't be that simple."

What Petkov means by "wide open" is that when searching on Google or 
Yahoo for files with Citrix's proprietary ICA (Independent Computing 
Architecture) extension, the returned files blithely hand over hints 
about which server is running, the underlying transport mechanism and 
the remote application that Citrix will open.

Petkov said he found several "critical" applications that looked too 
interesting to even dare to look at among the services he managed to 

"Shall we start with the Global Logistics systems or the US Government 
Federal Funding Citrix portals=E2=80=94all of them wide open and susceptible to 
attacks?" he wrote. "With a similar success, attackers can perform just 
simple port scans for service port 1494 [a TCP port used by Citrix 
Presentation Server's ICA Client]."

Petkov compares Citrix hacking to "the old days with NetBIOS" in that 
it's simple, it's malicious, and it's "highly effective."

Citrix technology is also ubiquitous, with Windows desktops and 
applications relying on MetaFrame=E2=80=94now called Citrix Presentation Server. 
The ICA protocol in question specifies a method of passing data between 
server and clients.

It's not bound to any particular platform, but products that use the 
protocol=E2=80=94including Citrix's WinFrame and Citrix Presentation Server=E2=80=94are 
used to allow Windows applications to be run on a Windows server and for 
supported clients to access the applications. ICA is also supported on 
multiple Unix server platforms and can be used for access to 
applications running on those platforms.

"And the problem is that CITRIX is pretty useful," Petkov wrote in the 
posting. "Here is a dilemma for you: Let's say that you have a pretty 
stable desktop [application that] you would like to [make] available on 
the Web. What you gonna do? Port it to XHTML, JavaScript and CSS? No 
way! You are most likely going to put it over CITRIX."

Petkov posted a video that demonstrates a Citrix attack with simple 
enumeration exercises along with a script he says can be used to 
brute-force the Windows/Netware logon and which can be modified to work 
against Citrix SSL authorization as well. Petkov also posted on Oct. 5 a 
script to fine-tune connections when security researchers want to try 
out various Citrix communication mechanisms and connection options, and 
a script to use ICAClient ActiveX controller to enumerate remote 
applications, servers and farms.

Citrix had not responded to queries by the time this article posted.

Participants on the Full Disclosure security mailing list noted, 
however, that it's not that Citrix can't be secured=E2=80=94given a competent 
administrator, that is.

"I'd recommend using terminal services over Citrix any day of the week 
for hosting mature apps on a big box, but that's just my bias," wrote a 
poster with the moniker "Geoff." "Citrix is able to be secured, but 
that's like everything else in computing: the admin needs a brain."

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - 


Site design & layout copyright © 1986-2015 CodeGods