`Date: Fri, 28 May 1999 12:26:59 -0700
From: David Terrell <[email protected]>
To: [email protected]
Subject: Citrix Winframe client for Linux
[ presumably this holds true for the other unix clients as well, but
all I have is linux to test on ]
The Citrix Winframe linux client (used for accessing Winframe and
Windows NT Server Terminal Edition) has a simple configuration section.
Perhaps too simple.... All configuration information is stored in a
directory /usr/lib/ICAClient/config which is mode 777. This in and
of itself is bad news, since any user on the system can overwrite
configuration data.
The situation is actually much worse than that.
When you start up the actual session manager (wfcmgr) you get a listbox
of configured sessions. The data for this listbox is stored in the mode
777 file /usr/lib/ICAClient/config/appsrv.ini. So there's a single
config file shared between all users. A sample session profile follows:
[WFClient]
Version=1
[ApplicationServers]
broken=
[broken]
WinStationDriver=ICA 3.0
TransportDriver=TCP/IP
DesiredColor=2
Password=0006f6c601930785
Domain=NTDOM
Username=user
Address=hostname
Yep. Passwords are stored in some kind of hash. What that hash is doesn't
really matter since you can just bring up wfcmgr and log in as that user.
Terrible.
I tried mailing both [email protected] and [email protected] but
neither of these addresses exist.
Workaround? wfcmgr supports the -icaroot parameter, but you basically
need to copy all the files in for it to work. So duplicate the tree in
your home directory, fix permissions, and do wfcmgr -icaroot $HOME/.ica.
Alternatively, don't use it.
Distressing that the company that was "bringing multiuser concurrent logons
to Windows NT" makes such a little effort at understanding multiuser
security.... [further editorialization left to the reader]
--
David Terrell
[email protected], [email protected] I may or may not be speaking for Nebcorp,
http://wwn.nebcorp.com/~dbt/ but Nebcorp has spoken for you.
-------------------------------------------------------------------------------
Date: Fri, 28 May 1999 16:43:31 -0400
From: Davin Milun <[email protected]>
To: [email protected]
Subject: Re: Citrix Winframe client for Linux
>From: David Terrell <[email protected]>
>Date: Fri, 28 May 1999 12:26:59 -0700
>Subject: Citrix Winframe client for Linux
>To: [email protected]
>
>[ presumably this holds true for the other unix clients as well, but
> all I have is linux to test on ]
>
>The Citrix Winframe linux client (used for accessing Winframe and
>Windows NT Server Terminal Edition) has a simple configuration section.
>Perhaps too simple.... All configuration information is stored in a
>directory /usr/lib/ICAClient/config which is mode 777. This in and
>of itself is bad news, since any user on the system can overwrite
>configuration data.
Are you sure that the current (3.x) version still does this?
I know that we saw this with the older 2.x clients; with the 3.x version, it
creates a .ICAClient directory in the user's home directory, and stores the
configuration data there.
Davin.
--
Davin Milun E-mail: [email protected] [email protected]
Fax: (716) 645-3464
WWW: http://www.cse.buffalo.edu/~milun/
-------------------------------------------------------------------------------
Date: Fri, 28 May 1999 13:51:20 -0700
From: David Terrell <[email protected]>
To: [email protected]
Subject: Re: Citrix Winframe client for Linux
On Fri, May 28, 1999 at 04:43:31PM -0400, Davin Milun wrote:
> >The Citrix Winframe linux client (used for accessing Winframe and
> >Windows NT Server Terminal Edition) has a simple configuration section.
> >Perhaps too simple.... All configuration information is stored in a
> >directory /usr/lib/ICAClient/config which is mode 777. This in and
> >of itself is bad news, since any user on the system can overwrite
> >configuration data.
>
> Are you sure that the current (3.x) version still does this?
> I know that we saw this with the older 2.x clients; with the 3.x version, it
> creates a .ICAClient directory in the user's home directory, and stores the
> configuration data there.
I'm not able to test that immediately here. However, v2 is the most up
to date client for unix for international (non-english) users.
--
David Terrell
[email protected], [email protected] I may or may not be speaking for Nebcorp,
http://wwn.nebcorp.com/~dbt/ but Nebcorp has spoken for you.
-------------------------------------------------------------------------------
Date: Fri, 28 May 1999 16:28:31 -0500
From: Vic Abell <[email protected]>
To: [email protected]
Subject: Re: Citrix Winframe client for Linux
David Terrell writes (in part):
>
> [ presumably this holds true for the other unix clients as well, but
> all I have is linux to test on ]
It's true for the "newer" UNIX clients -- e.g., 3.0 for Solaris --
but not for older ones -- e.g., 2.6 for Solaris.
> The Citrix Winframe linux client (used for accessing Winframe and
> Windows NT Server Terminal Edition) has a simple configuration section.
> Perhaps too simple.... All configuration information is stored in a
> directory /usr/lib/ICAClient/config which is mode 777. This in and
> of itself is bad news, since any user on the system can overwrite
> configuration data.
We have refused to install the Solaris 3.0 client for this
reason and have opened a case with Citrix about this and
other objectionable aspects (non-security ones). Those who
have Citrix support contracts, the case number is 23117500,
and you're welcome to join your complaints to ours.
> The situation is actually much worse than that.
>
> When you start up the actual session manager (wfcmgr) you get a listbox
> of configured sessions. The data for this listbox is stored in the mode
> 777 file /usr/lib/ICAClient/config/appsrv.ini. So there's a single
> config file shared between all users. A sample session profile follows:
>
> ...
>
> Yep. Passwords are stored in some kind of hash. What that hash
> is doesn't
> really matter since you can just bring up wfcmgr and log in as that user.
It can be made not quite that easy. The administrative
controls on the server end allow you to disable acceptance
of any stored passwords. That has always been true, and
we have always done that, no matter where the clients were
designed to store passwords.
Of course, that doesn't mean people can't try to store
passwords -- it just means they won't be usable.
> Terrible.
Yes, the newer Citrix clients are most unlikable.
> I tried mailing both [email protected] and [email protected] but
> neither of these addresses exist.
The best you can do without a support contract is post a
complaint to their "forum," reachable via www.citrix.com.
> Workaround? wfcmgr supports the -icaroot parameter, but you basically
> need to copy all the files in for it to work. So duplicate the tree in
> your home directory, fix permissions, and do wfcmgr -icaroot $HOME/.ica.
You may not need to duplicate all files. With older clients
it's possible to duplicate only the files the user has to be able
to change -- e.g., the three .ini files in .../config -- and use
symbolic links to the rest.
> Alternatively, don't use it.
Also consider using the older clients and disabling the acceptance
of the password at the server.
Since the newer clients also seem to fall back to a ~/.ICAClient
sub-directory, it might be possible to delete the world-accessible
directories and files. I've been able to do that, but only with
partial success.
> Distressing that the company that was "bringing multiuser
> concurrent logons
> to Windows NT" makes such a little effort at understanding multiuser
> security.... [further editorialization left to the reader]
I believe Citrix tried to make it easier for people to generate
their own configurations and didn't understand the security
implications of what they were doing. It's too bad they so sadly
compromised the secure use of their reasonably good product.
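
The partial-copy workaround described in the message above (private copies of the .ini files, symbolic links to everything else), as an added example that is not part of the original thread. The function name and the sample paths in the comments are assumptions; the source path must be absolute so the links resolve.

```shell
#!/bin/sh
# Added example: build an owner-only ICAROOT for "wfcmgr -icaroot".
# Usage: make_private_icaroot /usr/lib/ICAClient "$HOME/.ica" \
#            && wfcmgr -icaroot "$HOME/.ica"

make_private_icaroot() (
    src=$1    # shared install (absolute path), e.g. /usr/lib/ICAClient
    dst=$2    # private root, e.g. $HOME/.ica
    umask 077                     # nothing created here is group/other accessible
    [ -d "$src/config" ] || { echo "no config dir under $src" >&2; exit 1; }
    mkdir -p "$dst/config" || exit 1
    chmod 700 "$dst" "$dst/config"   # tighten a pre-existing tree as well

    # Top-level entries other than config/: link to the shared copy.
    for entry in "$src"/*; do
        name=${entry##*/}
        [ "$name" = config ] && continue
        [ -e "$entry" ] || continue
        rm -f "$dst/$name"
        ln -s "$entry" "$dst/$name"
    done

    # config/: private copies of *.ini, links for everything else.
    for entry in "$src"/config/*; do
        name=${entry##*/}
        [ -e "$entry" ] || continue
        rm -f "$dst/config/$name"
        case $name in
            *.ini) cp "$entry" "$dst/config/$name" || exit 1
                   chmod 600 "$dst/config/$name" ;;
            *)     ln -s "$entry" "$dst/config/$name" ;;
        esac
    done
)
```

When the source config directory has been mode 777, read through the copied .ini files before use, since any local user could have edited the originals.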
-------------------------------------------------------------------------------
Date: Fri, 28 May 1999 16:46:49 -0600
From: Mark Manes <[email protected]>
To: [email protected]
Subject: Re: Citrix Winframe client for Linux
I have tested this on the newest version (3.0.15) of the ICA Client for
Linux and found some differences. The /usr/lib/ICAClient dir is now
mode 755 which is good, but it keeps each user's appsrv.ini in ~/.ICAClient
now, which is mode 755 too, so still anyone can read the file.
Another workaround would be to not enter a user/domain/password in the
connection configuration screen, and enter it manually in the standard NT
login screen each time the connection is made.
-------------------------------------------------------------------------------
Date: Fri, 28 May 1999 21:04:30 -0500
From: seregon <[email protected]>
To: [email protected]
Subject: Re: Citrix Winframe client for Linux
Rumor has it that David Terrell might have once said:
> [ presumably this holds true for the other unix clients as well, but
> all I have is linux to test on ]
>
> The Citrix Winframe linux client (used for accessing Winframe and
> Windows NT Server Terminal Edition) has a simple configuration section.
> Perhaps too simple.... All configuration information is stored in a
> directory /usr/lib/ICAClient/config which is mode 777. This in and
> of itself is bad news, since any user on the system can overwrite
> configuration data.
I installed v3.00.15 using the defaults. After running wfcmgr and creating a
dummy connection config as a regular user, I did not find anything extra in the
appsrv.ini file in /usr/lib/ICAClient/config. All of the session configuration
information was stored in ~/.ICAClient/appsrv.ini. This file is created
world-readable as is the directory : (, so if others can see into your
home directory...
I repeated the test as root, with the same results...
>
> The situation is actually much worse than that.
>
> When you start up the actual session manager (wfcmgr) you get a listbox
> of configured sessions. The data for this listbox is stored in the mode
> 777 file /usr/lib/ICAClient/config/appsrv.ini. So there's a single
> config file shared between all users. A sample session profile follows:
>
> [WFClient]
> Version=1
>
> [ApplicationServers]
> broken=
>
> [broken]
> WinStationDriver=ICA 3.0
> TransportDriver=TCP/IP
> DesiredColor=2
> Password=0006f6c601930785
> Domain=NTDOM
> Username=user
> Address=hostname
>
> Yep. Passwords are stored in some kind of hash. What that hash is doesn't
> really matter since you can just bring up wfcmgr and log in as that user.
I would be at least moderately concerned about having the hash exposed just
because many (most?) users like to synchronize their passwords between all of
the systems that they use. As for the hash, well...it's weak (as are most XOR
schemes). For the Dos/Win32 clients (at least) the fourth character is the
length of the remainder of the line. The fifth and sixth are the principal
key. The rest is the password. This hash appears to use the same type of
scheme.
No, the hash algorithm isn't quite that simple...they do a couple of things
to introduce noise. But, the implementation could be better... ; )
>
> Terrible.
>
> I tried mailing both [email protected] and [email protected] but
> neither of these addresses exist.
>
>
> Workaround? wfcmgr supports the -icaroot parameter, but you basically
> need to copy all the files in for it to work. So duplicate the tree in
> your home directory, fix permissions, and do wfcmgr -icaroot $HOME/.ica.
>
> Alternatively, don't use it.
>
> Distressing that the company that was "bringing multiuser concurrent logons
> to Windows NT" makes such a little effort at understanding multiuser
> security.... [further editorialization left to the reader]
>
> --
> David Terrell
> [email protected], [email protected] I may or may not be speaking for Nebcorp,
> http://wwn.nebcorp.com/~dbt/ but Nebcorp has spoken for you.
--
______________________________________________________________________________
[email protected] From wonder into wonder, existance opens
______________________________________________________________________________
-------------------------------------------------------------------------------
Date: Sat, 29 May 1999 11:53:27 +0200
From: Keresztfalvi Gabor <[email protected]>
To: [email protected]
Subject: Re: Citrix Winframe client for Linux
On Fri, 28 May 1999, David Terrell wrote:
> The Citrix Winframe linux client (used for accessing Winframe and
> Windows NT Server Terminal Edition) has a simple configuration section.
> Perhaps too simple.... All configuration information is stored in a
> directory /usr/lib/ICAClient/config which is mode 777. This in and
> of itself is bad news, since any user on the system can overwrite
> configuration data.
[snip]
> When you start up the actual session manager (wfcmgr) you get a listbox
> of configured sessions. The data for this listbox is stored in the mode
> 777 file /usr/lib/ICAClient/config/appsrv.ini. So there's a single
> config file shared between all users. A sample session profile follows:
I checked it both on Citrix ICA Client for Linux version 2.8.1 and 3.0.15.
Your report is true for 2.8.1, but all of the bugs are already fixed in
3.0.15. So /usr/lib/ICAClient/config is 555 now, and every user has own config
files in ~/.ICAClient.
The version 3.0.15 appeared on 1/18/99.
Greets,
Keresztg
+ Keresztfalvi Gabor
+ Student of the Technical University of Budapest
+ mailto: [email protected] [email protected] [email protected]
+ http://www.piar.hu/~keresztg/ There is my pubkey on this page.
-------------------------------------------------------------------------------
Date: Mon, 31 May 1999 22:26:48 +1000
From: A Mole <[email protected]>
To: [email protected]
Subject: Re: Citrix Winframe client for Linux
This was mentioned a few times in Citrix's online forums - Citrix lamely
claiming it was necessary for functional reasons. This particular
problem has been fixed with the new Unix versions (v3.0.XX). Each user
now gets an ~/.ICAClient directory for their personal settings.
It still has problems though. For some reason known best to themselves
Citrix have decided to still make $ICAROOT/cache (usually
/usr/lib/ICAClient) and /etc/icalicense/ mode 777. I suspect the licence
files only come into play using Metaframe for Terminals but it's hard to
reconcile the logic of a shared central location for all users. The cache
directory is configurable within the client and isn't even turned on by
default so why this directory needs to exist at all escapes me.
Like you say - distressing that they would do this. More so that they
would still get it wrong the second time around.
M.
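
A check for the conditions reported in this thread (world-writable paths under the client install, an appsrv.ini readable by other users, stored Password= entries), as an added example that is not from the thread or from Citrix. The function name and the output labels are assumptions.

```shell
#!/bin/sh
# Added example: report the permission problems this thread describes.
# Only the two paths passed in are inspected.

# Prints one finding per line. Returns 1 if there are findings, 0 if clean.
audit_ica() (
    icaroot=$1    # shared install, e.g. /usr/lib/ICAClient
    userdir=$2    # per-user settings, e.g. $HOME/.ICAClient
    out=$(
        # Anything under the install that any local user can modify
        # (config/ on 2.x, cache/ on 3.x, according to the thread).
        if [ -d "$icaroot" ]; then
            find "$icaroot" ! -type l -perm -0002 -print |
                sed 's/^/WORLD-WRITABLE /'
        fi
        for ini in "$icaroot/config/appsrv.ini" "$userdir/appsrv.ini"; do
            [ -f "$ini" ] || continue
            # Readable by group or by other?
            if [ -n "$(find "$ini" -prune \( -perm -0040 -o -perm -0004 \) -print)" ]; then
                echo "READABLE-BY-OTHERS $ini"
            fi
            # Count non-empty Password= entries without printing their values.
            n=$(grep -c '^[[:space:]]*Password=.' "$ini" || true)
            [ "$n" -gt 0 ] && echo "STORED-PASSWORD $ini ($n entries)"
        done
        exit 0
    )
    [ -z "$out" ] && exit 0
    printf '%s\n' "$out"
    exit 1
)
```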
-------------------------------------------------------------------------------
Date: Tue, 1 Jun 1999 00:45:30 +0200
From: Andy Polyakov <[email protected]>
To: [email protected]
Subject: Re: Citrix Winframe client for Linux
> > All configuration information is stored in a
> > directory /usr/lib/ICAClient/config which is mode 777.
While we're on the matter...
Background. ICA client lets you "mount" any UNIX directory as a drive
within any particular WinFrame/MetaFrame session.
Problem. Files created by Windows on such client-mapped drive appear to
be world-writable. umask doesn't have any effect. Tracing system calls
made by the client reveals that all newly created files are scrupulously
chmoded to 777. Both 2.x and 3.x clients exhibit this behaviour. No, it
doesn't mean a compromise. But I find it totally inappropriate when such
important security description as access permissions on newly created
files is taken behind my back.
Workaround (for platforms supporting dynamic linking). Compile following
"module" as a shared object and make run-time linker preload it (e.g. by
setting LD_PRELOAD on Linux and Solaris and
_RLD_LIST=${ICAROOT}/chmod.so:DEFAULT on IRIX)
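/* Preloaded no-op: every chmod() call made by the client returns success without changing any mode. */
int chmod(){return 0;}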
Side effects. If you have version 3.x and a user runs the client for the
very first time, initial config files are copied from ${ICAROOT}/config
and they (files) inherit 444 access permissions. To work around this
chmod u+w ${ICAROOT}/config/* (files in ${ICAROOT}/config are owned by
root anyway).
Andy.
`