The University of Michigan Administrative Information Services

Computer Security Bulletin Number: 1
SUBJECT: Access Local Hard Disks via Citrix
APPLIES TO: Citrix Clients on Windows
ISSUED BY: Information Systems Security Officer - TIO
SEVERITY: MEDIUM
Date Issued: 1/21/02
Revised:
Attachment(s):

I. SYSTEMS AFFECTED

Citrix Independent Computing Architecture (ICA) client running on all versions of the Microsoft Windows operating system.

II. OVERVIEW

An attacker who controls a Citrix server can use the drive mapping feature of the current Citrix ICA client to access the client's local directories and files.

III. DESCRIPTION

The Citrix product (a client and a server) is used to access the M-Pathways systems. The client is installed on the user's workstation and the server is run by MAIS. Citrix has a feature that permits a server to map a client's hard disk. A malicious person who controls a Citrix server can cause a client to connect to the attacker's Citrix server and thereby access the user's local file system.

The client does not prompt the user when downloading .ICA files: a connection to the remote Citrix ICA server is made without prompting the user and is terminated after the file has been downloaded. A malicious Web site operator could exploit this by running a Citrix terminal server to place arbitrary files on the user's system without the user's knowledge and obtain elevated privileges. The same attack can be carried out with HTML in an email message when the reader uses a mail client that interprets HTML and has a Citrix client installed. Only Citrix clients running on Microsoft Windows operating systems are affected.

On 12/13/01, details of this exploit were posted to the bugtraq email list. Shortly afterwards, we verified that the details of the exploit are accurate and we were able to reproduce the attack.

IV. IMPACT

If a remote attacker is able to gain access to the user's local file system, then unauthorized access to and modification of files and settings may take place.

V. SOLUTION

Citrix has not provided a patch as of this date. However, implementing the following work around may prevent this attack. Breaking the file type association between the .ICA file type and the Citrix client program prevents the Citrix client from automatically executing when a .ICA file is encountered. This can be done by following the appropriate instructions below.

Windows 2000 (this will have to be done by someone with admin rights):
1. Open Windows Explorer.
2. From the "Tools" menu, select "Folder Options".
3. Select the "File Types" tab.
4. Find the "ICA" extension type. It may say "Citrix ICA Connection".
5. Press the "Delete" button.
6. "OK" to exit.

Windows NT4/98/95 (need to have admin rights under NT4):
1. Open Windows Explorer.
2. From the "View" menu, select "Options" or "Folder Options".
3. Select the "File Types" tab.
4. Find the "ICA" extension type. It may say "Citrix ICA Connection".
5. Press the "Remove" button.
6. "OK" to exit.

This work around can be applied without consequences to the M-Pathways application environment.
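The Explorer steps above are manual. The following PowerShell script is an added example, not part of this bulletin and not Citrix's own software, for auditing the same work around on a current Windows workstation: it reports whether the .ica extension still has a program association (the condition that lets a downloaded .ica file launch the ICA client without a prompt), removes that association when run with -Remove, and reports the CDMAllowed value from APPSRV.INI, the client drive mapping switch quoted in the Citrix work arounds reproduced in Section VI. It assumes the association is keyed under HKEY_CLASSES_ROOT\.ica with the default value naming the ProgID, and the APPSRV.INI path is a placeholder that the caller must replace with the real client configuration file.

```powershell
<#
  Added example (not from the MAIS bulletin or from Citrix).
  Audits the .ICA file-type association and the CDMAllowed setting.
  Assumptions: HKEY_CLASSES_ROOT\.ica holds the association, its default value
  is the ProgID; $AppSrvIni is a placeholder path. -Remove needs admin rights.
#>
param(
    [switch]$Remove,
    # Placeholder path; the real location depends on the ICA client version/install.
    [string]$AppSrvIni = 'C:\PLACEHOLDER\ICAClient\APPSRV.INI'
)

function Get-IcaAssociation {
    # Returns the ProgID that the .ica extension maps to, or $null when no
    # association exists (i.e. the work around is already in place).
    $extKey = 'Registry::HKEY_CLASSES_ROOT\.ica'
    if (-not (Test-Path -Path $extKey)) { return $null }
    $progId = (Get-Item -Path $extKey).GetValue('')
    if ([string]::IsNullOrEmpty($progId)) { return $null }
    return $progId
}

function Remove-IcaAssociation {
    # Mirrors the Explorer "File Types -> Delete" step: exports a restorable
    # backup of the extension key and its ProgID key, then deletes both.
    param([string]$BackupDir = $env:TEMP)
    $progId = Get-IcaAssociation
    if (-not $progId) { Write-Output 'No .ica association present; nothing to remove.'; return }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    & reg.exe export 'HKCR\.ica' (Join-Path $BackupDir "ica-ext-$stamp.reg") /y | Out-Null
    $progKey = "Registry::HKEY_CLASSES_ROOT\$progId"
    if (Test-Path -Path $progKey) {
        & reg.exe export "HKCR\$progId" (Join-Path $BackupDir "ica-progid-$stamp.reg") /y | Out-Null
        Remove-Item -Path $progKey -Recurse -Force
    }
    Remove-Item -Path 'Registry::HKEY_CLASSES_ROOT\.ica' -Recurse -Force
    Write-Output "Removed the .ica association (ProgID '$progId'); backups written to $BackupDir"
}

function Get-CdmAllowed {
    # Reads CDMAllowed from APPSRV.INI. 'Off' is the value Citrix gave as a
    # work around; any other value, or no entry, means client drive mapping
    # is not disabled by this setting.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return 'file not found' }
    $match = Select-String -Path $Path -Pattern '^\s*CDMAllowed\s*=\s*(\S+)' | Select-Object -First 1
    if ($match) { return $match.Matches[0].Groups[1].Value }
    return 'not set'
}

$assoc = Get-IcaAssociation
if ($assoc) {
    Write-Output "WARNING: .ica is associated with ProgID '$assoc'; a downloaded .ica file will auto-launch the client."
    if ($Remove) { Remove-IcaAssociation }
} else {
    Write-Output 'OK: .ica has no file-type association; the auto-launch path is closed.'
}
Write-Output "CDMAllowed in ${AppSrvIni}: $(Get-CdmAllowed -Path $AppSrvIni)"
```

Run it without arguments first to see the current state, then with -Remove from an elevated prompt. HKEY_CLASSES_ROOT is a merged view of the machine-wide and per-user class registrations, and on Windows Vista and later a per-user "UserChoice" entry under Explorer's FileExts key can also select the handler for an extension, so a clean report from this script should be confirmed by checking what actually opens when a .ica file is double-clicked on the workstation.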

VI. REFERENCE

A. Below is a security advisory issued on 12/13/01 that discusses this issue.

To: BugTraq
Subject: Kikkert Security Advisory: Potentially serious security flaw in Citrix Client
Date: Dec 13 2001 11:01AM
Author: Kikkert Security
Message-ID:

Dear List,

This 'Kikkert Security advisory' has been released after careful consideration and after advising 'Citrix' first. Citrix was initially willing to communicate but hasn't responded to any of my emails for the last two months. Because there are workarounds for the problem described in this advisory I decided to release it so people might benefit from these possible fixes. I would like to ask the list to examine the scope of products and OS's affected as I no longer have access to a Citrix server to do this myself...

---------- Serious security flaw in Citrix Client ----------

Risk: HIGH. Potentially allowing any possible action on the client machine, including reading any file, placing Trojan code or altering data.

Scope: Not completely clear. For sure is that Citrix client 6.01 is affected. Citrix clients on Apple and Mac seem to be ok, only the Microsoft version is affected (according to Citrix, I did not test this).

This exploit was tested on the following setup:
- Windows 2000 Professional + Service Pack 2
- Internet Explorer 5.5 + SP1, Q290108, Q299618 (5.50.4522.1800)
- Outlook Express 5.50.4522.1200
- Office 2000 SR1
- Citrix ICA client 6.01

Prerequisites: Citrix Client installed (standard install), Internet connection with port 1494 open (Citrix port, outbound), browser or HTML email client, Windows OS (according to Citrix).

Background: Citrix produces clients which can connect to a terminal server to run thin client sessions. A popular use of Citrix client / server is the use of published applications that enables thin clients to run 'heavy' applications. An implementation flaw exists in the Citrix client which allows a malicious web site owner to perform virtually any action on the client machine without informing the user first or without explicit consent from the user. This means that anyone with the Citrix client installed (and probably with IE installed, not sure what the scope is) and who surfs the internet on the same machine is in danger of exploitation.

Technical Details: When a user has Citrix Client installed and has therefore an extension mapping for .ICA files, the user will NOT be warned when downloading an .ica file. The user is NOT asked to open or download the file, the ica file will just activate the Citrix client and a connection to a remote server can be made. The result of this is that any malicious website owner (with access to a Citrix terminal server) can place trojan code on a client machine without consent of the client. I created a working demo in the form of a webpage which simply contains an Iframe (could also be a hidden frame):

Trojan.ica will connect to a published application (hosted on a Citrix Metaframe XP server) without first asking the user and place a (fake) trojan file on the client's hard drive. The published application is simply a VBS script that copies the trojan file from the local (terminal server's) hard drive to the (mapped) client drive. After the script ran, the connection to the remote server will be broken. The client is not in any way warned or prompted that the remote server is writing anything to the client's hard drive. Strangely enough, the ActiveX client I tested DOES ask the user for permission before the published application can write to the client drive; this is in my opinion the way it should work. Just to make it clear, the malicious website owner can not only write to the client, he can also retrieve a complete listing of any file on the machine or copy any file/document from the client's machine.

Disclosure details: Citrix was contacted on the 23rd of July and did not take this very seriously at first. They mentioned that this was a known issue and did not give me the idea that they were actively working on a fix. It is now almost 4 months after I first notified them and they still cannot give me a clear indication on what they are planning to do about this. They did however give me a few 'workarounds' which are mentioned below. I'm not sure how effective these workarounds are as I did not have the opportunity to test them in a live environment.

Possible fixes (as given by Citrix):
* The Citrix ICA Clients for Apple Macintosh and for Unix have explicit drive mapping dialogs which control client drive mapping, and also allow read/write selection. Therefore, these clients will only be attacked if such drive mappings are configured.
* When using the ICA Client for Java, you can set Java security to prevent file access by Java applications. This will prevent disk access.
* Client Drive Mapping can be disabled in APPSRV.INI by adding the setting: CDMAllowed=Off
  [michiel] - Bit of a drastic solution, as this just disables the feature.
* In Internet Explorer, the File Download permission can be disabled. This would avoid the exploit in the form described.
  [Michiel] - But would still be exploitable via email client.

And Microsoft's recommended workaround for Outlook: it's possible to configure the OESU (Outlook Security Update) to block additional file types, including .ICA.

Kind Regards,
Michiel Kikkert - [email protected]
Kikkert security.

B. X-Force Vulnerability Assessment

The X-Force vulnerability database of Internet Security Systems has rated this a High vulnerability. See http://xforce.iss.net/static/7697.php

VII. CONTACT INFORMATION

Information Systems Security Officer – Paul Howell
Email: [email protected]
Phone: 734-763-0609