[10671] in bugtraq
Citrix Winframe client for Linux
daemon@ATHENA.MIT.EDU (David Terrell)
Fri May 28 16:48:05 1999
Mail-Followup-To: bugtraq@netspace.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990528122659.A2279@pianosa.catch22.org>
Date: Fri, 28 May 1999 12:26:59 -0700
Reply-To: David Terrell <dbt@meat.net>
From: David Terrell <dbt@MEAT.NET>
To: BUGTRAQ@NETSPACE.ORG
[ presumably this holds true for the other unix clients as well, but
all I have is linux to test on ]
The Citrix Winframe linux client (used for accessing Winframe and
Windows NT Server Terminal Edition) has a simple configuration section.
Perhaps too simple.... All configuration information is stored in a
directory /usr/lib/ICAClient/config which is mode 777. This in and
of itself is bad news, since any user on the system can overwrite
configuration data.
The situation is actually much worse than that.
When you start up the actual session manager (wfcmgr) you get a listbox
of configured sessions. The data for this listbox is stored in the mode
777 file /usr/lib/ICAClient/config/appsrv.ini. So there's a single
config file shared between all users. A sample session profile follows:
[WFClient]
Version=1
[ApplicationServers]
broken=
[broken]
WinStationDriver=ICA 3.0
TransportDriver=TCP/IP
DesiredColor=2
Password=0006f6c601930785
Domain=NTDOM
Username=user
Address=hostname
Yep. Passwords are stored in some kind of hash. What that hash is doesn't
really matter since you can just bring up wfcmgr and log in as that user.
Terrible.
I tried mailing both support@citrix.com and security@citrix.com but
neither of these addresses exist.
Workaround? wfcmgr supports the -icaroot parameter, but you basically
need to copy all the files in for it to work. So duplicate the tree in
your home directory, fix permissions, and do wfcmgr -icaroot $HOME/.ica.
Alternatively, don't use it.
Distressing that the company that was "bringing multiuser concurrent logons
to Windows NT" makes such a little effort at understanding multiuser
security.... [further editorialization left to the reader]
--
David Terrell
dbt@meat.net, dbt@nebcorp.com I may or may not be speaking for Nebcorp,
http://wwn.nebcorp.com/~dbt/ but Nebcorp has spoken for you.
