[10679] in bugtraq


Re: Citrix Winframe client for Linux

daemon@ATHENA.MIT.EDU (seregon)
Mon May 31 17:27:09 1999

Content-Type: 	text/plain; charset=US-ASCII
Mime-Version: 1.0
Content-Transfer-Encoding: 7BIT
Message-Id: <99052821394500.05716@sirion.mahanaxar.dom>
Date: 	Fri, 28 May 1999 21:04:30 -0500
Reply-To: seregon@midsouth.rr.com
From: seregon <seregon@MIDSOUTH.RR.COM>
X-To:         David Terrell <dbt@meat.net>
To: BUGTRAQ@NETSPACE.ORG

Rumor has it that David Terrell might have once said:
> [ presumably this holds true for the other unix clients as well, but
>   all I have is linux to test on ]
>
> The Citrix Winframe linux client (used for accessing Winframe and
> Windows NT Server Terminal Edition) has a simple configuration section.
> Perhaps too simple....  All configuration information is stored in a
> directory /usr/lib/ICAClient/config which is mode 777.  This in and
> of itself is bad news, since any user on the system can overwrite
> configuration data.

I installed v3.00.15 using the defaults.  After running wfcmgr and creating a
dummy connection config as a regular user, I did not find anything extra in the
appsrv.ini file in /usr/lib/ICAClient/config.  All of the session configuration
information was stored in ~/.ICAClient/appsrv.ini.  This file is created
world-readable, as is the directory :(, so if others can see into your
home directory...

I repeated the test as root, with the same results...

>
> The situation is actually much worse than that.
>
> When you start up the actual session manager (wfcmgr) you get a listbox
> of configured sessions.  The data for this listbox is stored in the mode
> 777 file /usr/lib/ICAClient/config/appsrv.ini.  So  there's a single
> config file shared between all users.  A sample session profile follows:
>
> [WFClient]
> Version=1
>
> [ApplicationServers]
> broken=
>
> [broken]
> WinStationDriver=ICA 3.0
> TransportDriver=TCP/IP
> DesiredColor=2
> Password=0006f6c601930785
> Domain=NTDOM
> Username=user
> Address=hostname
>
> Yep.  Passwords are stored in some kind of hash.  What that hash is doesn't
> really matter since you can just bring up wfcmgr and log in as that user.

I would be at least moderately concerned about having the hash exposed just
because many (most?) users like to synchronize their passwords between all of
the systems that they use.  As for the hash, well...it's weak (as are most XOR
schemes).  For the Dos/Win32 clients (at least) the fourth character is the
length of the remainder of the line.  The fifth and sixth are the principal
key.  The rest is the password.  This hash appears to use the same type of
scheme.

No, the hash algorithm isn't quite that simple...they do a couple of things
to introduce noise.  But, the implementation could be better... ;)

>
> Terrible.
>
> I tried mailing both support@citrix.com and security@citrix.com but
> neither of these addresses exist.
>
>
> Workaround?  wfcmgr supports the -icaroot parameter, but you basically
> need to copy all the files in for it to work.  So duplicate the tree in
> your home directory, fix permissions, and do wfcmgr -icaroot $HOME/.ica.
>
> Alternatively, don't use it.
>
> Distressing that the company that was "bringing multiuser concurrent logons
> to Windows NT" makes such a little effort at understanding multiuser
> security.... [further editorialization left to the reader]
>
> --
> David Terrell
> dbt@meat.net, dbt@nebcorp.com    I may or may not be speaking for Nebcorp,
> http://wwn.nebcorp.com/~dbt/         but Nebcorp has spoken for you.
--
______________________________________________________________________________
seregon@midsouth.rr.com               From wonder into wonder, existence opens
______________________________________________________________________________
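
Added example, not part of either message and not Citrix code: a permission audit for the two locations discussed in the thread, the shared /usr/lib/ICAClient/config directory (reported mode 777) and the per-user ~/.ICAClient directory (reported world-readable). The function names `audit` and `stores_password` belong to this example only, and the check reports whether a Password= entry is exposed without reading the value out.

```python
import os
import stat

# Locations named in the thread; pass other directories to audit a different layout.
SYSTEM_CONFIG = "/usr/lib/ICAClient/config"
USER_CONFIG = os.path.expanduser("~/.ICAClient")

def stores_password(path):
    """True if an INI file carries a non-empty Password= key (the value is not returned)."""
    try:
        with open(path, errors="replace") as fh:
            for line in fh:
                key, sep, value = line.partition("=")
                if sep and key.strip().lower() == "password" and value.strip():
                    return True
    except OSError:
        pass
    return False

def audit(config_dir, shared):
    """Return sorted (path, issue) findings for a config directory and its entries.

    shared=True  : system-wide directory, flag anything world-writable.
    shared=False : per-user directory, flag anything world-readable.
    """
    findings = []
    if not os.path.isdir(config_dir):
        return findings
    paths = [config_dir] + [os.path.join(config_dir, n) for n in os.listdir(config_dir)]
    for path in paths:
        try:
            mode = os.stat(path).st_mode
        except OSError:
            continue  # entry vanished or dangling link
        if shared and mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if not shared and mode & stat.S_IROTH:
            findings.append((path, "world-readable"))
        if stat.S_ISREG(mode) and mode & stat.S_IROTH and stores_password(path):
            findings.append((path, "stored password readable by other users"))
    return sorted(findings)

if __name__ == "__main__":
    for path, issue in audit(SYSTEM_CONFIG, True) + audit(USER_CONFIG, False):
        print(f"{issue}: {path}")
```

An empty result for both calls means the shared directory is not world-writable and the per-user session file is not readable by other accounts.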
