Presentation Server Published Application Execution Weakness
Thursday, 15 November 2007 by Michel Roth
A weakness has been reported in Citrix Presentation Server, which potentially can be exploited by malicious people to compromise a vulnerable system.

The problem is that published applications and potentially other applications can be launched when invoking an ICA connection to a Citrix Presentation Server. This can be exploited to e.g. launch published applications with specially crafted parameters on a Citrix Presentation Server when a user is tricked into visiting a malicious website or opening a malicious .ICA file.

What this means in Citrix admin language is that you could edit an ICA file and alter the "InitialProgram" parameter. This could then, if the server is not properly locked down and if the default settings for published applications were altered, allow you to start any program you like. A little far-fetched but certainly not impossible (there are Internet-facing Citrix configurations you wouldn't believe). In fact, there's this "hacker" out there who wanted to share this with the world.

Anyway, this was worrying enough for Citrix to issue a security bulletin and implement a "fix" for this. It's in PSE450R01W2K3035 (fix for 4.5) and PSE400R04W2K3012 (for PS 4.0). What they did was make the name of published applications harder to predict. To achieve this, the fix appends a token to the Application Name when the application is published. The token is a circumflex followed by a random combination of eight characters/digits. For example, if you publish Microsoft Word with an Application Name of "MS Word" and a Display Name of "Word", users see "Word" when enumerating the application, and an .ica file lists the application as "#Word^XXXXXXXX".

No changes are made to the application's Display Name (the name of the application as it appears in client interfaces) except for Program Neighborhood custom connections, where the Display Name is equal to the Application Name as it appears in the application's Properties page in the console.
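To make the fix concrete from the admin side, here is an added example (my own, not Citrix's code or anything from the original post) that reads an .ica file and flags which InitialProgram values reference a tokenised published application, which use the old guessable "#Name" form, and which name a program directly. It assumes the .ica file is plain INI text, that the token alphabet is letters and digits (the post only says "characters/digits"), and the sample file content is constructed for the demonstration.

```python
import configparser
import re

# Shape of an InitialProgram value after the hotfix described in the post:
# '#', the Application Name, a circumflex, then eight random characters/digits.
# The alphabet (letters and digits) is an assumption; the post only says
# "characters/digits".
TOKENISED_APP = re.compile(r"^#(?P<name>[^^]+)\^(?P<token>[A-Za-z0-9]{8})$")


def classify_initial_program(value: str) -> str:
    """Classify one InitialProgram value found in an .ica file."""
    value = value.strip()
    if TOKENISED_APP.match(value):
        return "published-app-with-token"
    if value.startswith("#"):
        # Published-app reference in the pre-hotfix, guessable form.
        return "published-app-without-token"
    # Anything else names a program directly: the weak spot the post describes
    # when the server is not locked down.
    return "arbitrary-program"


def audit_ica(ica_text: str) -> list:
    """Return one record per section of the .ica file that carries InitialProgram."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(ica_text)
    findings = []
    for section in parser.sections():
        value = parser[section].get("InitialProgram")
        if value is None:
            continue
        findings.append({
            "section": section,
            "initial_program": value,
            "verdict": classify_initial_program(value),
        })
    return findings


# Constructed sample .ica content (not a real file): one properly tokenised
# published application and one section pointing straight at an executable.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Word=
Notes=

[Word]
Address=Word
InitialProgram=#Word^Q7hT2kP9
ClientAudio=On

[Notes]
Address=Notes
InitialProgram=C:\\tools\\arbitrary.exe
"""

if __name__ == "__main__":
    for finding in audit_ica(SAMPLE_ICA):
        print(f"[{finding['section']}] {finding['initial_program']} -> {finding['verdict']}")
```

Run it over .ica files served by Web Interface or found in users' download folders: anything reported as "arbitrary-program" or "published-app-without-token" is a file that would not have been produced by a server carrying the hotfix, and the server-side lockdown the post mentions (not letting sessions start anything other than published applications) is what stops such a file from doing harm.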
