<div>" all of them wide open and susceptible to attacks"</div>
<div> </div>
<div>Unless you probe those vectors, will you be able to tell if they are "susceptible to attacks"?!<br><br>Rest assured nobody wants to dick around with us-cert.</div>
<div> </div>
<div>Nonetheless, pdp - that's a good writeup!!</div>
<div> </div>
<div>/pd</div>
<div> </div>
<div><span class="gmail_quote">On 10/4/07, <b class="gmail_sendername">pdp (architect)</b> <<a href="mailto:pdp.gnucitizen@googlemail.com">pdp.gnucitizen@googlemail.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">The other day I was performing some CITRIX testing, so I had a lot of<br>fun with hacking into GUIs, which, as most of you probably know, are
<br>trivial to break into. I did play around with .ICA files as well, just<br>to make sure that the client is not affected by some obvious<br>client-side vulnerabilities. This exercise led me to reevaluate a great<br>many things about ICA (Independent Computing Architecture). When
<br>querying Google and Yahoo for public .ICA files, I was presented with<br>tons of wide open services, some of which were located on .gov and<br>.mil domains. This is madness! No, this is the Web. Though, I wasn't
<br>expecting what I found. Hacking like in the movies?<br><br>I did not poke any of the services I found, although it is obvious<br>what is insecure and what is not when it comes to citrix. It is enough<br>to look into the ICA files. With a few lines in bash combined with my
<br>Google python script, I was able to dump all the ICA files that Google<br>knows about and do some interesting grepping on them. What I<br>discovered was unbelievable. Shall we start with the Global Logistics<br>systems or the US Government Federal Funding Citrix portals - all of
<br>them wide open and susceptible to attacks. Again, no poking on my<br>side, just simple observation exercises on the information provided by<br>Google.<br><br>Just by looking into Google, I was able to find 114 wide open CITRIX
<br>instances: 10 .gov, 4 .mil, 20 .edu, 27 .com, etc… The research was<br>conducted offline, therefore there might be some false positives.<br>Among the services discovered, there were several critical<br>applications which looked so interesting that I didn't even dare look
<br>at their ICA files. I am trying to raise consumer awareness with<br>this article. I mean, it is 2007 people, it shouldn't be that simple.<br><br>I did write an article about my findings which you can read from here:
<br><a href="http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/">http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/</a><br><br>I've also created a video that shows the lamest way someone can use to
<br>break into unprotected citrix just to show the concepts.<br><br>CITRIX hacking is just like back in the old days with NetBIOS. It's<br>simple. It is malicious. It is highly effective. And the problem is<br>that CITRIX is pretty useful. Here is a dilemma for you:
<br>Let's say that you have a pretty stable desktop app which you would<br>like to be available on the Web. What you gonna do? Port it to XHTML,<br>JavaScript and CSS? No way! You are most likely going to put it over<br>
CITRIX.<br><br>I've also written a script which makes use of the ICAClient ActiveX<br>control to enumerate remote Applications, Servers and Farms:<br><a href="http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/enum.js">
http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/enum.js</a><br><br>Let me know if you find this useful.<br><br>cheers<br><br>--<br>pdp (architect) | petko d. petkov<br><a href="http://www.gnucitizen.org">
http://www.gnucitizen.org</a><br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br></blockquote></div><br><br clear="all">
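<div>A defender-side counterpart to the "grepping on ICA files" remark in the quoted post: an added audit script (not code from the post, from gnucitizen, or from Citrix) that parses a launch file the way the client would and reports what a world-readable copy of it leaks. The INI sections and keys it looks for (ApplicationServers, Address, InitialProgram, Username, Domain, Password, ClearPassword) and the sample file are assumptions about the common ICA layout, not values from the post.</div>

```python
import configparser
import ipaddress
from typing import Dict, List

# Constructed sample of a published .ica launch file (INI syntax). Section and key
# names are assumed from the usual ICA layout; the values are made up for the demo.
SAMPLE_ICA = """[WFClient]
Version=2
[ApplicationServers]
Payroll=
[Payroll]
Address=10.0.0.5:1494
InitialProgram=#Payroll
Username=svc_payroll
Domain=CORP
ClearPassword=Summer2007
"""

# Logon-related keys that should never sit in a file anyone can download.
# configparser lowercases option names, so the keys are listed in lowercase.
LOGON_KEYS = ("username", "domain", "password", "clearpassword")

def _internal_host(address: str) -> bool:
    """True when an Address= value is an RFC 1918 / private IPv4 literal (host[:port])."""
    host = address.rsplit(":", 1)[0] if ":" in address else address
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # hostname rather than an IP literal: cannot judge offline
        return False

def audit_ica(text: str) -> Dict[str, List[str]]:
    """Return {application: [findings]} for every app the ICA file would launch."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    # Section names are case-sensitive in configparser; map them case-insensitively
    # so the lowercased app names from [ApplicationServers] find their sections.
    sections = {name.lower(): name for name in cfg.sections()}
    report: Dict[str, List[str]] = {}
    if "applicationservers" not in sections:
        return report
    for app in cfg[sections["applicationservers"]]:
        if app not in sections:
            continue
        section = cfg[sections[app]]
        findings: List[str] = []
        present = [k for k in LOGON_KEYS if section.get(k)]
        if present:
            findings.append("embedded logon details: " + ", ".join(present))
        if _internal_host(section.get("address", "")):
            findings.append("internal address exposed: " + section["address"])
        if section.get("initialprogram"):
            findings.append("published application named: " + section["initialprogram"])
        report[app] = findings
    return report
```
<div>Run it over a directory of launch files the web tier actually serves; any non-empty findings list is a file that should be generated per session with the credentials left out, not published statically.</div>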