HACKING CITRIX - PowerPoint PPT Presentation

About This Presentation
Title:

HACKING CITRIX

Description:

Nfuse classic. CSG Citrix Secure Gateway. Citrix Components. Server farm. Citrix XML service ... NFuse Classic. ICA Client Device. NFuse Network. Browser. ICA Client ... – PowerPoint PPT presentation

Slides: 22
Provided by: insomn

Transcript and Presenter's Notes


1
HACKING CITRIX
2
Citrix
  • Presentation Server 4.5
  • New version is called XenApp/Server
  • Common Deployments
      • NFuse Classic
      • CSG (Citrix Secure Gateway)
  • Citrix Components
      • Server farm
      • Citrix XML service
      • ICA client device
      • NFuse Web server
      • CSG (Citrix Secure Gateway)
      • STA (Secure Ticketing Authority)

3
NFuse Classic
  • Different Interfaces
      • Browser accessible
        http://server/Citrix/AccessPlatform/auth/login.aspx
      • Program Neighbourhood
        http://server/Citrix/PNAgent/config.xml
      • Gateway for Citrix Conferencing Manager
        http://server/Citrix/cmguest

4
NFuse Network
  • Browser enters credentials into NFuse web page
  • NFuse sends credentials to XML service to validate
  • If valid, XML service retrieves application list from farm
  • NFuse displays application list
  • User selects application and receives an ICA file
  • ICA client loads ICA file and connects to Citrix farm
  • ICA client does not NEED NFuse to connect to server farm
(Diagram: ICA Client Device running Browser and ICA Client)
5
NFuse Network
  • Common basic deployment for remote network application exposure
  • XML service can sit on an independent web server
  • XML service can sit on one of the app servers
  • XML service can sit on the NFuse server
  • Holes in firewall please
(Diagram: ICA Client Device running Browser and ICA Client)
6
Citrix Secure Gateway
  • Browser enters credentials into NFuse web page
  • NFuse sends credentials to XML service to validate
  • If valid, XML service retrieves application list from farm
  • User selects application and NFuse requests ticket from STA
  • Ticket returned to browser as part of ICA file
  • ICA client connects to CSG (SSL) and sends ticket
  • CSG verifies ticket against STA
  • If verified, access is provided to server farm
  • More secure as server farm is not exposed; firewalls in between segments
  • ICA file and ticket format explained later
(Diagram: ICA Client Device running Browser and ICA Client)
7
Places To Sniff
HTTP Traffic Between Browser And NFuse
  • Cleartext credentials posted to login form
  • Web cookie
  • ICA file returned from NFuse
USE HTTPS
(Diagram: ICA Client Device running Browser and ICA Client)
8
Places To Sniff
HTTP Traffic Between NFuse And XML Service
  • Cleartext XML contains encoded credentials
Character encoding table shown on the slide:
  a -> MEGB   b -> MHGC   c -> MGGD   d -> MBGE   e -> MAGF
  f -> MDGG   g -> MCGH   h -> MNGI   i -> MMGJ   j -> MPGK
  k -> MOGL   l -> MJGM   m -> MIGN   n -> MLGO   o -> MKGP
Encoded password examples shown on the slide:
  t    -> NBHE
  te   -> NBHELEBB
  tes  -> NBHELEBBMHGC
  test -> NBHELEBBMHGCLDBG
USE HTTPS / USE SSLRelay
In deployments that do not support running the SSL Relay, run the NFuse Web server on your Citrix server.
9
Places To Sniff
ICA Traffic From Client Or CSG
  • ICA protocol is not encrypted by default
USE SecureICA / USE SSL/TLS / USE SSLRelay
(Diagram: ICA Client Device running Browser and ICA Client)
10
ICA File Format
  • Connection data between ICA client and server
  • .ini type layout
  • Doesn't contain clear text credentials
Example ICA file shown on the slide:
  [ApplicationServers]
  Calc=
  [Calc]
  Address=192.168.237.101:1494
  BrowserProtocol=HTTPonTCP
  ClearPassword=0674F0F9BD3B0D
  Domain=\DB247117DF8EC22A
  InitialProgram=calc
  SSLProxyHost=CSG Address
  Username=Whoami
11
Ticketing
  • NFuse Ticket
      • Apparently it has an expiry time
      • XOR credentials and send to XML server
      • Get ticket in response
      • Split ticket, prepend \ and place into domain/password
  • STA Ticketing
      • Is not server authentication
      • Places ticket in the address field of .ica file:
        40STA47AFA4ABD7741BB4306079BAC6AB2BDAF4
      • If I can talk to the STA server I can create STA tickets
"Uses pseudo-random number generation to produce a 16-byte hex string. For security reasons, Citrix does not disclose the exact steps used to produce this random sequence of characters."
(Diagram: STA MACHINE issues UNIQUE TICKET; ONLY ALLOW CONNECTIONS FROM TRUSTED MACHINES)
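An added example, not part of the presentation: a small auditor for the .ini-style ICA file from slide 10 that flags the exposure points slides 5 to 11 describe (direct farm address versus CSG relay, ticket material carried in the file, cleartext browsing). Both ICA files are constructed from the slide fields, the SSLProxyHost value is made up, and the STA ticket pattern is an assumption inferred from the single sample on slide 11.

```python
import configparser
import re

# Constructed from the slide 10 fields: direct farm address, NFuse ticket halves
# in ClearPassword/Domain (slide 11), application browsing over cleartext HTTP.
DIRECT_ICA = """\
[ApplicationServers]
Calc=
[Calc]
Address=192.168.237.101:1494
BrowserProtocol=HTTPonTCP
ClearPassword=0674F0F9BD3B0D
Domain=\\DB247117DF8EC22A
InitialProgram=calc
"""
# Constructed from slides 6 and 11: STA ticket in Address, relayed via CSG.
CSG_ICA = """\
[ApplicationServers]
Calc=
[Calc]
Address=40STA47AFA4ABD7741BB4306079BAC6AB2BDAF4
SSLProxyHost=csg.example.test:443
"""

# Assumption: ticket shape inferred from the single sample on slide 11.
STA_TICKET = re.compile(r"^\d+STA[0-9A-F]+$")


def parse_ica(text):
    """ICA files use an .ini layout; keep key case and split only on '='."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_ica(text):
    """One finding per exposure point the slides warn about, per application."""
    cp = parse_ica(text)
    findings = []
    for app in cp["ApplicationServers"]:
        sec = cp[app]
        addr = sec.get("Address", "")
        if STA_TICKET.match(addr):
            findings.append(f"{app}: STA ticket in Address, relayed via CSG, farm not exposed")
        elif "SSLProxyHost" not in sec:
            findings.append(f"{app}: direct farm address {addr}, farm reachable from client")
        if "ClearPassword" in sec or "Domain" in sec:
            findings.append(f"{app}: NFuse ticket halves in ClearPassword/Domain, serve over HTTPS only")
        if sec.get("BrowserProtocol") == "HTTPonTCP":
            findings.append(f"{app}: BrowserProtocol=HTTPonTCP, application browsing is cleartext")
    return findings
```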
12
Shadowing
  • Shadowing allows snooping on other sessions
      • On by default
      • Prompts user

13
Authentication
  • NFuse Web Application
      • Controls access to the Web Application

14
Authentication
  • Citrix Server Farm
      • Published application setting
      • Controls access to the application

15
Anonymous Accounts
  • Anon001 - Anon014
      • Created upon install
      • Password set on each use
  • Anonymous Access
      • Easy to use
      • Used for temporary application use

16
Citrix XML Service
  • Installed by default on port 80
      • ISAPI extension under IIS
      • Can be set for a different port
  • Sensitive operations require auth
      • Unless turned off for smartcard passthru
  • Used by NFuse and PNAgent
      • Validate credentials
      • STA requests
      • Server enumeration

17
Gaining Access
  • Brute Force Web Page
      • Brute force the NFuse login page
  • Brute Force ICA File
      • Will attempt to connect to Citrix application server
      • ActiveX and API make this easy
  • Ask The IMA Service
      • Sits on UDP port 1604
      • Unauthenticated requests will respond with application list
  • Ask The XML Service
      • By default sits on TCP port 80
      • If you ask politely it tells you

18
Demonstration
  • Gaining Access
      • Anonymous vs standard internal user
  • Breaking The Citrix Sandbox
      • Weak security settings
  • Uploading Tools
      • Alternative file transfer methods
  • Privilege Escalation
      • Third party or Windows vulnerability
  • Token Theft
      • Full domain control

19
Recap
  • No Citrix Vulnerability Exploited
      • Weak / default configuration
  • Anonymous Application Access
      • Was only part of the issue
  • Pretty Common Scenario
      • Most Citrix reviews involve gaining shell access

20
Securing
  • Lockdown Citrix
      • Disable file sharing
      • Enable "run only published applications"
      • Turn on encryption and use SSL
  • Lockdown OS
      • Use group policy to enforce restrictions
      • Disable the RunAs service
  • Lockdown File System
      • Restrict users' access to directories and commands
  • Understand The Weaknesses
      • Hopefully this demonstration has helped

21
www.insomniasec.com