INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
ADVISORY/1907 - Citrix MetaFrame Privilege Escalation
I - INTRUDERS:
Intruders Tiger Team Security (http://www.intruders.com.br/) is a
SecurityLabs (http://www.security.org.br) division.
The Intruders Tiger Team Security (ITTS) is a group of researchers
with more than 10 years of experience, specialized in the development
of penetration tests.
All the penetration tests realized until the moment by the Intruders
Tiger Team Security had 100% of success.
II - INTRODUCTION:
Citrix Presentation Server formerly know as Citrix MetaFrame Server is
a remote application publishing product that allows people to connect
to applications available from central servers.
One advantage of publishing applications using Presentation Server is
that lets people connect to those applications remotely, from their
homes, airport Internet kiosks, smart phones, and other devices
outside of their corporate networks.
>From an end-user perspective, users can log in to their corporate
network from, for example, an airport kiosk, see all of the
applications they would see everyday at work, including Outlook email
and any internal applications and access them from the kiosk in a
III - DESCRIPTION:
Intruders Tiger Team Security identified an unknown vulnerability in
Citrix Metaframe Presentation Server and Citrix Metaframe XP.
The icabar.exe file which is designed to startup the Citrix MetaFrame
administration toolbar allows an attacker to escalate privilege in
Windows 2000 and below in the default configuration and in Windows
2003 in some special circumstances.
IV - ANALISYS:
The icabar.exe file does launch during an administrator logon to the
desktop via RUN registry key. Unfortunately the IcaBar key value
doesn't have a full binary path, which allows an attacker to escalate
privilege in Windows NT, 2000 in the default configuration and in
Windows 2003 in some circumstances.
This causes several instances of Windows PATH trolling, where Windows
tries to locate the icabar.exe file in the directories listed in its
PATH environment variable. If the attacker is able to write in any of
this directories listed in its PATH before the Citrix Metaframe PATH
entry, so the attacker can escalate privilege.
The standard file ACL (Access Control List) of Windows NT and 2000
Operating Systems is weak and allow any user to create files in the
SystemDrive (in general c:\) and in many directorys listed in its
PATH, which allow an attacker to create a fake icabar.exe and
consequently escalate privilege.
However, the exploitation dependends from others softwares or
administrators whom added new PATH entrys, for example the common
"%SystemDrive%\Program Files\SomeDirectory", where the directory is
set to Everyone/Full Control (default in Windows 2000) or directorys
which allows the creation and modification of new files by local Users
group (special permissions set by Windows 2003).
As described in the document CTX106052
(http://support.citrix.com/kb/entry.jspa?entryID=6032), the Citrix
company created a Hotfix for MetaFrame Presentation Server 3.0 and a
workaround for MetaFrame XP, because Windows 2003 SP1 doesn't allow
anymore the startup via RUN registry key without full path.
However this patch from Citrix company doesn't enquote the binary full
path stored in the RUN registry key, an attacker can abuse of the old
8.3 notation in the binary search and consequently can be used to
escalate privilege in some circumstances.
Intruders Tiger Team Security confirmed the existence of this
vulnerability in the following Citrix Metaframe versions:
- Citrix MetaFrame Presentation Server 3.0 and below.
- Citrix MetaFrame XP 1.0 and below.
Possibly new(s) version(s) can be vulnerable also.
There is no manufacture patch.
WORKAROUND: Use full path binary and enquote the IcaBar key stored in
the RUN registry key.
VII - CHRONOLOGY:
03/07/2005 - Vulnerability discovered during a Penetration Test.
07/19/2007 - Citrix Metaframe World Wide Team Contacted.
07/22/2007 - Citrix Metaframe World Wide Team Contacted - Second notification.
07/24/2007 - Citrix security staff - Investigating the possible flaw.
08/15/2007 - Citrix security staff - Have confirmed that this issue is
valid and are currently scoping the effort required to address it on
all affected platforms.
08/17/2007 - Citrix security staff - Currently do not have an accurate
estimate of how long it will take to roll out the public response.
09/17/2007 - Citrix security staff - Investigation into the full scope
of the issue you reported with the icabar.exe is not yet complete. At
this point though, we are performing due diligence to find any similar
issues that might exist in this area.
10/08/2007 - Citrix security staff - Still completing our due
diligence of the ICABar issue that you reported and, as before, we
cannot put a definite timescale on when this will be complete. As soon
as we do have a firm idea, we will inform you straight away.
11/22/2007 - Citrix security staff - Issue you reported is currently
in our queue to be fixed, but we do not have a firm date for its
12/26/2007 - Citrix security staff contacted - No more responses #01.
01/11/2008 - Citrix security staff contacted - No more responses #02.
03/04/2008 - Citrix security staff contacted - No more responses #03.
04/26/2008 - Citrix security staff contacted - No more responses #04.
06/07/2008 - Citrix security staff contacted - No more responses #05.
06/30/2008 - Advisory published.
VIII - CREDITS:
Wendel Guglielmetti Henrique and Intruders Tiger Team Security had
discovered this vulnerability.
Gratefulness to Waldemar Nehgme (SecurityLabs), Glaudson Ocampos
(Intruders Tiger Team Security), Ygor R. Parreira (Intruders Tiger
Team Security), Elio J=FAnior (SecurityLabs), Ismael Rocha
(SecurityLabs), Diego Camargo (PPP Advogados), Ewa Dudzic (Hakin9),
all Hackaholic members (ByteRage, Detach, BMF, Infamous41MD, etc) and
H2HC friends (Filipe Balestra, harbel, Marconha, fpm, syslogd, Willian
Visit our website: