
Presentation Transcript


  1. HACKING CITRIX

  2. Citrix Presentation Server 4.5
  • New version is called XenApp/Server
  Common Deployments
  • Nfuse classic
  • CSG – Citrix Secure Gateway
  Citrix Components
  • Server farm
  • Citrix XML service
  • ICA client device
  • Nfuse Web server
  • CSG – Citrix Secure Gateway
  • STA – Secure Ticketing Authority

  3. NFuse Classic
  Different Interfaces
  • Browser accessible: http://server/Citrix/AccessPlatform/auth/login.aspx
  • Program Neighbourhood: http://server/Citrix/PNAgent/config.xml
  • Gateway for Citrix Conferencing Manager: http://server/Citrix/cmguest

  4. NFuse Network
  Diagram: ICA client device (browser and ICA client), NFuse web server, XML service, server farm.
  • Browser enters credentials into NFuse web page
  • NFuse sends credentials to XML service to validate
  • If valid, XML service retrieves application list from farm
  • NFuse displays application list
  • User selects application and receives an ICA file
  • ICA client loads ICA file and connects to Citrix farm
  ICA client doesn’t NEED NFuse to connect to server farm

  5. NFuse Network
  Common Basic Deployment For Remote Network Application Exposure
  Diagram: ICA client device (browser and ICA client) reaching the deployment through the firewall.
  • XML service can sit on an independent web server
  • XML service can sit on one of the app servers
  • XML service can sit on the NFuse server
  Holes In Firewall Please

  6. Citrix Secure Gateway
  Diagram: ICA client device (browser and ICA client), NFuse, XML service, STA, CSG and server farm, with firewalls in between segments.
  • Browser enters credentials into NFuse web page
  • NFuse sends credentials to XML service to validate
  • If valid, XML service retrieves application list from farm
  • User selects application and NFuse requests ticket from STA
  • Ticket returned to browser as part of ICA file
  • ICA client connects to CSG (SSL) and sends ticket
  • CSG verifies ticket against STA
  • If verified then access is provided to server farm
  More secure as server farm not exposed. Firewalls in between segments.
  ICA file and ticket format explained later

  7. Places To Sniff
  HTTP Traffic Between Browser And NFuse
  • Cleartext credentials posted to login form
  • Web cookie
  • ICA file returned from NFuse
  USE HTTPS

  8. Places To Sniff
  HTTP Traffic Between NFuse And XML Service
  • Cleartext XML contains ‘encoded’ credentials
  Single-character encoding table:
  a -> M E G B    f -> M D G G    k -> M O G L
  b -> M H G C    g -> M C G H    l -> M J G M
  c -> M G G D    h -> M N G I    m -> M I G N
  d -> M B G E    i -> M M G J    n -> M L G O
  e -> M A G F    j -> M P G K    o -> M K G P
  Password -> encoded form:
  t    -> N B H E
  te   -> N B H E L E B B
  tes  -> N B H E L E B B M H G C
  test -> N B H E L E B B M H G C L D B G
  USE HTTPS
  USE SSLRelay
  In deployments that do not support running the SSL Relay, run the NFuse Web server on your Citrix server
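The point of the slide is that the ‘encoding’ is reversible without any secret. The Python below is an added example, not code from the Insomnia Security slides or from Citrix: it models the scheme with a nibble alphabet (A..P standing for 0x0..0xF) and a chaining rule (each character XORed with the two previous output bytes, seeded with 0xA5 and 0x00). Both the alphabet and the seed are inferred from the slide’s table and its t/te/tes/test example and are assumptions about the real scheme, checked only against the values the slide shows.

```python
# Added example, not from the slides or from Citrix. Models the reversible
# credential "encoding" shown on slide 8. The nibble alphabet, the 0xA5 seed
# and the chaining rule are inferred from the slide's table and its
# t / te / tes / test example, so they are assumptions verified only against
# those values.

ALPHABET = "ABCDEFGHIJKLMNOP"   # one letter per nibble: A=0x0 ... P=0xF (assumed)
SEED = (0xA5, 0x00)             # "previous output" for the first character (assumed)

# The single-character column of the slide's table, used as a check below.
SLIDE_TABLE = {
    "a": "MEGB", "b": "MHGC", "c": "MGGD", "d": "MBGE", "e": "MAGF",
    "f": "MDGG", "g": "MCGH", "h": "MNGI", "i": "MMGJ", "j": "MPGK",
    "k": "MOGL", "l": "MJGM", "m": "MIGN", "n": "MLGO", "o": "MKGP",
}


def _letters(byte):
    """Two alphabet letters for one byte, high nibble first."""
    return ALPHABET[byte >> 4] + ALPHABET[byte & 0xF]


def encode(password):
    """Encode one credential string the way the slide's examples show.

    Each character produces two output bytes: the character XORed with the
    previous high byte and with the previous low byte. With SEED the first
    character's low byte is therefore the plaintext byte itself.
    """
    out = []
    prev_hi, prev_lo = SEED
    for ch in password.encode("latin-1"):
        hi, lo = ch ^ prev_hi, ch ^ prev_lo
        out.append(_letters(hi) + _letters(lo))
        prev_hi, prev_lo = hi, lo
    return "".join(out)


def decode(encoded):
    """Invert encode(); no key is needed, only the public alphabet and seed."""
    s = encoded.replace(" ", "")
    if len(s) % 4 or any(c not in ALPHABET for c in s):
        raise ValueError("not a well-formed encoded credential")
    nib = [ALPHABET.index(c) for c in s]
    plain = bytearray()
    prev_hi, prev_lo = SEED
    for i in range(0, len(nib), 4):
        hi = (nib[i] << 4) | nib[i + 1]
        lo = (nib[i + 2] << 4) | nib[i + 3]
        ch = hi ^ prev_hi
        # Both halves carry the same character; a mismatch means the data is
        # corrupted or was not produced by this scheme.
        if ch != (lo ^ prev_lo):
            raise ValueError("chain mismatch at character %d" % (i // 4))
        plain.append(ch)
        prev_hi, prev_lo = hi, lo
    return plain.decode("latin-1")


def matches_slide_table():
    """True if encode() reproduces every single-character entry the slide lists."""
    return all(encode(c) == v for c, v in SLIDE_TABLE.items())


if __name__ == "__main__":
    print(encode("test"))          # NBHELEBBMHGCLDBG, as on the slide
    print(decode("N B H E L E B B M H G C L D B G"))
    print(matches_slide_table())
```

Because the transform has no key and the first character’s second byte is the plaintext byte itself, this is obfuscation rather than confidentiality; the only protection for the NFuse-to-XML-service hop is the transport (HTTPS or the SSL Relay), which is exactly the slide’s recommendation.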

  9. Places To Sniff
  ICA Traffic From Client Or CSG
  • ICA protocol is not encrypted by default
  USE SecureICA
  USE SSL/TLS
  USE SSLRelay

  10. ICA File Format
  Connection Data Between ICA Client And Server
  • .ini type layout
  • Doesn’t contain clear text credentials

  [ApplicationServers]
  Calc=

  [Calc]
  Address = 192.168.237.101:1494
  BrowserProtocol = HTTPonTCP
  ClearPassword = 0674F0F9BD3B0D
  Domain = \DB247117DF8EC22A
  InitialProgram = #calc
  SSLProxyHost = CSG Address
  Username = Whoami

  11. Ticketing
  Nfuse Ticket
  • Apparently it has an expiry time
  • XOR credentials and send to XML server
  • Get ticket in response
  • Split ticket, prepend \ and place into domain:password
  STA Ticketing
  • Is not server authentication
  • Places ticket in the address field of .ica file
  • 40;STA47;AFA4ABD7741BB4306079BAC6AB2BDAF4
  • If I can talk to the STA server I can create STA tickets
  Uses pseudo-random number generation to produce a 16-byte hex string. For security reasons, Citrix does not disclose the exact steps used to produce this random sequence of characters
  UNIQUE TICKET
  STA MACHINE ONLY ALLOW CONNECTIONS FROM TRUSTED MACHINES
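Slides 10 and 11 together describe what a reviewer can read straight out of an ICA file: whether a credential is stored in it, whether the Address field is a raw farm address (so the client can reach the farm without NFuse or the CSG) or a STA ticket, and whether an SSL proxy is configured. The Python below is an added example, not code from the slides or from Citrix, that parses the .ini-style layout and reports those points. The field names are the ones the slide shows; the two sample files are constructed after the slide’s example, the CSG host name is a placeholder, and the meaning of the leading number in the ticket is not stated on the slide, so it is only captured, not interpreted.

```python
import configparser
import re

# Added example, not from the slides: audits the ini-style ICA file described
# on slides 10 and 11. Field names are the ones the slide shows; the sample
# files are constructed and the CSG host name is a placeholder.

# Address field carrying a Secure Ticketing Authority ticket in the shape the
# slide shows: "<prefix>;<STA id>;<16-byte hex ticket>". The slide does not say
# what the leading number means, so it is captured but not interpreted.
STA_TICKET_RE = re.compile(
    r"^(?P<prefix>\d+);(?P<sta>STA[0-9A-Za-z]+);(?P<ticket>[0-9A-Fa-f]{32})$"
)
# Raw IPv4 address with optional port: a direct path to a farm server.
DIRECT_ADDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

# Constructed after the slide's example: direct farm address plus an encoded
# credential stored in the file.
SAMPLE_ICA_DIRECT = r"""
[ApplicationServers]
Calc=

[Calc]
Address=192.168.237.101:1494
BrowserProtocol=HTTPonTCP
ClearPassword=0674F0F9BD3B0D
Domain=\DB247117DF8EC22A
InitialProgram=#calc
SSLProxyHost=csg.example.invalid:443
Username=Whoami
"""

# Constructed CSG-style file: the Address carries the STA ticket from slide 11
# and no credential is stored in the file.
SAMPLE_ICA_CSG = r"""
[ApplicationServers]
Calc=

[Calc]
Address=40;STA47;AFA4ABD7741BB4306079BAC6AB2BDAF4
BrowserProtocol=HTTPonTCP
InitialProgram=#calc
SSLProxyHost=csg.example.invalid:443
Username=Whoami
"""


def parse_ica(text):
    """Parse the .ini-style ICA file, keeping the file's own key capitalisation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_sta_ticket(address):
    """Return (prefix, sta_id, ticket_hex) if Address holds a STA ticket, else None."""
    m = STA_TICKET_RE.match(address.strip())
    if not m:
        return None
    return m.group("prefix"), m.group("sta"), m.group("ticket").upper()


def audit_ica(text):
    """Return {application: [finding, ...]} for every application the file lists."""
    cp = parse_ica(text)
    findings = {}
    apps = list(cp["ApplicationServers"]) if cp.has_section("ApplicationServers") else []
    for app in apps:
        if not cp.has_section(app):
            findings[app] = ["no-connection-section"]
            continue
        sec = cp[app]
        notes = []
        if "ClearPassword" in sec:
            # Slide 11: the value is an XOR-style encoding, not a cipher.
            notes.append("encoded-credential-in-file")
        address = sec.get("Address", "")
        if parse_sta_ticket(address):
            notes.append("sta-ticket-address")       # CSG deployment
        elif DIRECT_ADDR_RE.match(address):
            notes.append("direct-farm-address")      # farm reachable directly
        if "SSLProxyHost" not in sec:
            notes.append("no-ssl-proxy")
        findings[app] = notes
    return findings


if __name__ == "__main__":
    for name, sample in (("direct", SAMPLE_ICA_DIRECT), ("csg", SAMPLE_ICA_CSG)):
        print(name, audit_ica(sample))
```

The "direct-farm-address" finding is the configuration slide 4 warns about (the ICA client does not need NFuse to reach the farm); the "sta-ticket-address" finding is the CSG flow of slide 6, where the client only ever talks to the gateway and the ticket is verified against the STA.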

  12. Shadowing
  Shadowing Allows Snooping On Other Sessions
  • On by default
  • Prompts user

  13. Authentication
  NFuse Web Application
  • Controls access to the Web Application

  14. Authentication
  Citrix Server Farm
  • Published application setting
  • Controls access to the application

  15. Anonymous Accounts
  Anon001 – Anon014
  • Created upon install
  • Password set on each use
  Anonymous Access
  • Easy to use
  • Used for ‘temporary’ application use

  16. Citrix XML Service
  Installed By Default On Port 80
  • ISAPI extension under IIS
  • Can be set for different port
  Sensitive Operations Require Auth
  • Unless turned off for smartcard passthru
  Used By Nfuse And PNAgent
  • Validate credentials
  • STA requests
  • Server enumeration

  17. Gaining Access
  Brute Force Web Page
  • Brute force the NFuse login page
  Brute Force ICA File
  • Will attempt to connect to Citrix application server
  • ActiveX and API make this easy
  Ask The IMA Service
  • Sits on UDP port 1604
  • Unauthenticated requests will respond with application list
  Ask The XML Service
  • By default sits on TCP port 80
  • If you ask politely it tells you

  18. Demonstration
  Gaining Access
  • Anonymous vs standard internal user
  Breaking The Citrix Sandbox
  • Weak security settings
  Uploading Tools
  • Alternative file transfer methods
  Privilege Escalation
  • Third party or Windows vulnerability
  Token Theft
  • Full domain control

  19. Recap
  No Citrix Vulnerability Exploited
  • Weak / default configuration
  Anonymous Application Access
  • Was only part of the issue
  Pretty Common Scenario
  • Most Citrix reviews involve gaining ‘shell’ access

  20. Securing
  Lockdown Citrix
  • Disable file sharing
  • Enable ‘run only published applications’
  • Turn on encryption and use SSL
  Lockdown OS
  • Use group policy to enforce restrictions
  • Disable the runas service
  Lockdown File System
  • Restrict users’ access to directories and commands
  Understand The Weaknesses
  • Hopefully this demonstration has helped

  21. www.insomniasec.com
