Presentation is loading. Please wait.

Presentation is loading. Please wait.

Got Citrix? Hack IT! Shanit Gupta February 16, 2008.

Published byEliana Cran Modified over 9 years ago

Similar presentations

Presentation on theme: "Got Citrix? Hack IT! Shanit Gupta February 16, 2008."— Presentation transcript:

1 Got Citrix? Hack IT! Shanit Gupta February 16, 2008

2 Who Am I? ► Senior Security Consultant – Foundstone Professional Services ► Code Review / Threat Modeling / Application Security ► Masters from Carnegie Mellon

3 Agenda ► Background ► Demo 1: Kiosk Mode ► Demo 2: Unauthenticated Access ► Demo 3: (Un)Hidden Hotkeys ► Demo 4: Restricted Desktop Access ► Demo 5: Attack Microsoft Office ► Remediation Measures

4 What / How do I know about Citrix?

5 False Sense of Security

6 Demo1: Kiosk Mode

7 Demo1: Kiosk Mode (Attack Vectors) ► Ctrl + h – View History ► Ctrl + n – New Browser ► Shift + Left Click – New Browser ► Ctrl + o – Internet Address (browse feature) ► Ctrl + p – Print (to file) ► Right Click (Shift + F10)  Save Image As  View Source ► F1 – Jump to URL… ► Browse to http://download.insecure.org/nmap/dist/nmap- 4.53-setup.exe http://download.insecure.org/nmap/dist/nmap- 4.53-setup.exe

8 I Hope You Are Patching *Source: http://secunia.comhttp://secunia.com

9 Demo 2: Unauthenticated Access ► 9 publicly accessible exploits 2007 – 08 ► Particularly interesting  Citrix Presentation Server IMA Service Buffer Overflow Vulnerability  Social Engineering: Malicious ICA files

10 Demo 2: Unauthenticated Access ► Good Old Brute Force  One account is all you need  I am sure you are using 2 factor authentication ;-)

11 Demo3: (Un)Hidden Hotkeys ► SHIFT+F1: Local Task List ► SHIFT+F2: Toggle Title Bar ► SHIFT+F3: Close Remote Application ► CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del ► CTRL+F2: Remote Task List ► CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC ► ALT+F2: Cycle through programs ► ALT+PLUS: Alt+TAB ► ALT+MINUS: ALT+SHIFT+TAB

12 Demo4: Restricted Desktop

13 ► Shortcut to C:\ ► Create Batch File  CMD.exe ► Host Scripting File (filename.vbs) ■ Set objApp = CreateObject("WScript.Shell") ■ objApp.Run “CMD C:\“

14 Demo5: Attack Microsoft Office ► File->Save As  Browse Files and Launch CMD.exe ► Press F1  Search Microsoft  Click Suites Home Page ► Macros  Remote Shell  Privilege Escalation

15 Remediation Strategies ► 1300 different registry settings ► It is HARD!

16 Remediation Strategies ► Lock Down Tools  Commercial  Freeware  http://updates.zdnet.com/tags/lockdown.html http://updates.zdnet.com/tags/lockdown.html

17 Questions or Concerns?

Download ppt "Got Citrix? Hack IT! Shanit Gupta February 16, 2008."

Similar presentations

The Web Wizards Guide to Freeware/Shareware Chapter Four Essential Tools for Web Page Authors.

The Web Wizards Guide to Freeware/Shareware Chapter Four Essential Tools for Web Page Authors.
Legal Meetings: Extended Instructions on Movica and Screencast.

Legal Meetings: Extended Instructions on Movica and Screencast.
Know About Function keys

Know About Function keys
Microsoft Office 2010 Basics and the Internet

Microsoft Office 2010 Basics and the Internet
WINDOWS 8. Greatest Search Tool YET! Type in your search word or words.. Searches dynamically and contextually apps, settings, and files! Windows + W.

WINDOWS 8. Greatest Search Tool YET! Type in your search word or words.. Searches dynamically and contextually apps, settings, and files! Windows + W.
Explore KDE The easy way, using a live CD By Carl Weisheit.

Explore KDE The easy way, using a live CD By Carl Weisheit.
W INDOWS XP, T IPS AND T RICKS Oswaldo Bolivar 09/29/2010.

W INDOWS XP, T IPS AND T RICKS Oswaldo Bolivar 09/29/2010.
QWERTY Keyboards.

QWERTY Keyboards.
COM: 111 Introduction to Computer Applications Department of Information & Communication Technology Panayiotis Christodoulou.

COM: 111 Introduction to Computer Applications Department of Information & Communication Technology Panayiotis Christodoulou.
Windows 7. Objectives After completing this lesson, you will be able to: oExplain the common functions of an operating system. oIdentify the basic components.

Windows 7. Objectives After completing this lesson, you will be able to: oExplain the common functions of an operating system. oIdentify the basic components.
Microsoft Expression Web-Illustrated Unit L: Using Code Tools.

Microsoft Expression Web-Illustrated Unit L: Using Code Tools.
Computer Basics. Using a computer The purpose of this class is to get comfortable with: Using Windows.

Computer Basics. Using a computer The purpose of this class is to get comfortable with: Using Windows.
Adobe Photoshop CS Design Professional ADOBE PHOTOSHOP CS GETTING STARTED WITH.

Adobe Photoshop CS Design Professional ADOBE PHOTOSHOP CS GETTING STARTED WITH.
Things Your Mother Never Taught You (that every 6-year old already knows)

Things Your Mother Never Taught You (that every 6-year old already knows)
Browser Basics Tutorial 2 Introduction to Microsoft Internet Explorer.

Browser Basics Tutorial 2 Introduction to Microsoft Internet Explorer.
1 Computing for Todays Lecture 22 Yumei Huo Fall 2006.

1 Computing for Todays Lecture 22 Yumei Huo Fall 2006.
When your mouse don’t work What to do? Presented by Naveed Farooq Naveed Farooq Admin Nidokidos Network www.Nidokidos.org Make Money Online | Join Nidokidos.

When your mouse don’t work What to do? Presented by Naveed Farooq Naveed Farooq Admin Nidokidos Network Make Money Online | Join Nidokidos.
Microsoft Baseline Security Analyzer INLS 187 Security Software Presentation by Hinár György Polczer

Microsoft Baseline Security Analyzer INLS 187 Security Software Presentation by Hinár György Polczer
The Internet 8th Edition Tutorial 1 Browser Basics.

The Internet 8th Edition Tutorial 1 Browser Basics.
Browser and E-mail Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.

Browser and Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.

Similar presentations

Ads by Google