Monday, March 9, 2009

Abusing Citrix - Part 1

I've worked with Citrix for a little while now and I'm really trying to spend a little more of my free time with it instead this security stuff, but it's really hard because the security stuff is just so much fun. Well I thought I would combine the two, so I set up a small Citrix farm in a lab and now i'll see how many ways I can abuse the farm from an Evil Bob perspective. I'm going to start basic with a poorly secured farm, abuse that a little, then tighten it up a bit and abuse it some more.

Let's just see how it goes.

First of all lets lay out my goal. I want to break out of the given program/environment, have a look around and see what I can do that I'm not supposed to. In later posts I'll show the very worst that can happen but for now I'll just have a little fun.

First I log into Citrix as a restricted user and I can see that I only have 2 published programs. Notepad and a Desktop. I'll address Notepad in this post.

Well instead of Notepad I might like to browse the web, good job I can go to the help menu and right click on the top left of the toolbar then isn't it.

And with the power of a "Jump to URL" ......

And there we have a browser.

But what if I want to browse the Citrix servers hard drive? Surely I need Windows Explorer. Of course not. i just Jump to C:\Windows\System32

And what's that I see? cmd.exe

So from a published application like Notepad we got a shell in well under a couple of minutes. We could use the shell to further enumerate the network, launch programs, map shares, anything really. Oh, and we had a browser that we could use to download tools, pop the box from a downloaded exploit, browse to a Meterpreter listener, I'm sure you get the point.

So this one was easy, next i'm going to start applying policies to lock the Citrix server down and see what fun can be had then.

Stay tuned.

BTW - Here's a link to Epy()nxs' video on the notepad trick.

Xp notepad trick from epyonx125 on Vimeo.


Anonymous said...

Hrm... guess I'm going to go re-audit our Citrix farm

SynJunkie said...

Thats great. But there is more to come in this series of posts for March.

Anonymous said...


SynJunkie said...

Yep, heard of all those and implemented many in the set up for these posts. My point is that many implementations don't use all of them properly and test the security of the citrix environment against the threats.

But you are right, with the correct security measures in place it can be locked down considerably.