INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
ADVISORY/1907 - Citrix MetaFrame Privilege Escalation
Intruders Tiger Team Security (http://www.intruders.com.br/) is a SecurityLabs (http://www.security.org.br) division.
The Intruders Tiger Team Security (ITTS) is a group of researchers with more than 10 years of experience, specialized in the development of penetration tests.
All the penetration tests realized until the moment by the Intruders Tiger Team Security had 100% of success.
Citrix Presentation Server formerly know as Citrix MetaFrame Server is a remote application publishing product that allows people to connect to applications available from central servers.
One advantage of publishing applications using Presentation Server is that lets people connect to those applications remotely, from their homes, airport Internet kiosks, smart phones, and other devices outside of their corporate networks.
From an end-user perspective, users can log in to their corporate network from, for example, an airport kiosk, see all of the applications they would see everyday at work, including Outlook email and any internal applications and access them from the kiosk in a secure environment.
Intruders Tiger Team Security identified an unknown vulnerability in Citrix Metaframe Presentation Server and Citrix Metaframe XP.
The icabar.exe file which is designed to startup the Citrix MetaFrame administration toolbar allows an attacker to escalate privilege in Windows 2000 and below in the default configuration and in Windows 2003 in some special circumstances.
The icabar.exe file does launch during an administrator logon to the desktop via RUN registry key. Unfortunately the IcaBar key value doesn't have a full binary path, which allows an attacker to escalate privilege in Windows NT, 2000 in the default configuration and in Windows 2003 in some circumstances.
This causes several instances of Windows PATH trolling, where Windows tries to locate the icabar.exe file in the directories listed in its PATH environment variable. If the attacker is able to write in any of this directories listed in its PATH before the Citrix Metaframe PATH entry, so the attacker can escalate privilege.
The standard file ACL (Access Control List) of Windows NT and 2000 Operating Systems is weak and allow any user to create files in the SystemDrive (in general c:\) and in many directorys listed in its PATH, which allow an attacker to create a fake icabar.exe and consequently escalate privilege.
However, the exploitation dependends from others softwares or administrators whom added new PATH entrys, for example the common "%SystemDrive%\Program Files\SomeDirectory", where the directory is set to Everyone/Full Control (default in Windows 2000) or directorys which allows the creation and modification of new files by local Users group (special permissions set by Windows 2003).
As described in the document CTX106052 (http://support.citrix.com/kb/entry.jspa?entryID=6032), the Citrix company created a Hotfix for MetaFrame Presentation Server 3.0 and a workaround for MetaFrame XP, because Windows 2003 SP1 doesn't allow anymore the startup via RUN registry key without full path.
However this patch from Citrix company doesn't enquote the binary full path stored in the RUN registry key, an attacker can abuse of the old 8.3 notation in the binary search and consequently can be used to escalate privilege in some circumstances.
Intruders Tiger Team Security confirmed the existence of this vulnerability in the following Citrix Metaframe versions:
Possibly new(s) version(s) can be vulnerable also.
There is no manufacture patch.
WORKAROUND: Use full path binary and enquote the IcaBar key stored in the RUN registry key.
03/07/2005 - Vulnerability discovered during a Penetration Test. 07/19/2007 - Citrix Metaframe World Wide Team Contacted. 07/22/2007 - Citrix Metaframe World Wide Team Contacted - Second notification. 07/24/2007 - Citrix security staff - Investigating the possible flaw. 08/15/2007 - Citrix security staff - Have confirmed that this issue is valid and are currently scoping the effort required to address it on all affected platforms. 08/17/2007 - Citrix security staff - Currently do not have an accurate estimate of how long it will take to roll out the public response. 09/17/2007 - Citrix security staff - Investigation into the full scope of the issue you reported with the icabar.exe is not yet complete. At this point though, we are performing due diligence to find any similar issues that might exist in this area. 10/08/2007 - Citrix security staff - Still completing our due diligence of the ICABar issue that you reported and, as before, we cannot put a definite timescale on when this will be complete. As soon as we do have a firm idea, we will inform you straight away. 11/22/2007 - Citrix security staff - Issue you reported is currently in our queue to be fixed, but we do not have a firm date for its release. 12/26/2007 - Citrix security staff contacted - No more responses #01. 01/11/2008 - Citrix security staff contacted - No more responses #02. 03/04/2008 - Citrix security staff contacted - No more responses #03. 04/26/2008 - Citrix security staff contacted - No more responses #04. 06/07/2008 - Citrix security staff contacted - No more responses #05. 06/30/2008 - Advisory published.
Wendel Guglielmetti Henrique and Intruders Tiger Team Security had discovered this vulnerability.
Gratefulness to Waldemar Nehgme (SecurityLabs), Glaudson Ocampos (Intruders Tiger Team Security), Ygor R. Parreira (Intruders Tiger Team Security), Elio Júnior (SecurityLabs), Ismael Rocha (SecurityLabs), Diego Camargo (PPP Advogados), Ewa Dudzic (Hakin9), all Hackaholic members (ByteRage, Detach, BMF, Infamous41MD, etc) and H2HC friends (Filipe Balestra, harbel, Marconha, fpm, syslogd, Willian Caprino, etc).
Visit our website: