Sunday, March 15, 2009

Abusing Citrix - Part 3

So in the parts 1 & 2 I have shown that citrix servers with varying degrees of security have weaknesses that can be exploited to gain access to parts of the operating system that may be useful to an attacker or mischievous user. I also hinted at how web access could be misused to provide the attacker with additional tools. Here I'll quickly demonstrate an example of just one site hosting such tools.

A few months ago Patrick Grey on the brilliant Risky Buisness podcast interview Paul Craig. Paul talked about a set of tools he had developed for exploiting Kiosks, the IKAT (Internet Kiosk Attack Tool) tool. Well I figured that IKAT would be perfect for this blog post. Although the Citrix server isn't necessarily a kiosk, it is a system that provides a restricted interface that with a little fumbling around (see parts 1 & 2 of this series) you might be able to gain access to the web.

Once you have web access you could browse to the IKAT site and use the tools to have your wicked way with the poor Citrix server. Well what if you have restricted internet access and the IKAT site is on a known list of hacker sites and is blocked? Well thanks to Paul making the toolkit available you can host your own using IKAT Portable.

Anyway, heres just a few things that IKAT can do for you.

As you can see in the screenshot below, the Save and Save As dialogue boxes have been disabled.

Using IKAT getting to these options isn't difficult at all.

IKAT can also provide details on the host Citrix Server which might be of use for a more targeted attack.

Or you can download and launch a shell from IKAT's binary tools section...

and get even more information using a built in tool such as Systeminfo.

IKAT can do plenty more than I have demonstrated here and I encourage people to take a look at Paul's site at

Coming up......More Citrixy Stuff

No comments: