|
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Citrix Presentation/MetaFrame Server Privilege Escalation
------------------------------------------------------------------------
SUMMARY
<http://www.citrix.com> Citrix Presentation Server (formerly Citrix
MetaFrame) is a remote access/application publishing product built on the
Independent Computing Architecture (ICA), Citrix Systems' thin client
protocol.
A vulnerability in Citrix Presentation/MetaFrame Server allows for a
privilege escalation.
DETAILS
Vulnerable Systems:
* Citrix Metaframe version 1.8
* Citrix Metaframe Presentation server version 3.0
* Citrix Presentation server version 4.0
While performing some security tests against several Citrix Metaframe
servers, a potential security issue was found, due to permissive ACLS. By
default, access rigthts over the following registry key
HKLM\system\Currentcontrolset\Services\Eventlog\Application\
MetaframeEvents grants write access to authenticated users.
Over that key there are two registry entries, CategoryMessageFile and
EventMessageFile that points to the citrix event handling library, which
is by default stored at %systemroot%\System32\MFEvent.dll
This library is used by eventlog service.
Its possible for an authenticated user to modify the path of the library
in the registry, pointing to an special crafted library that when loaded
will execute arbitrary code with System privileges. This flaw allows
authenticated users to elevate privileges over a metaframe server.
Workaround:
Use regedt32.exe to restrict permissions by granting read only permissions
to all not administrator accounts.
Hive:
HKLM\system\Currentcontrolset\Services\Eventlog\Application\
MetaframeEvents
Patch:
Citrix has released a security bulletin that address this vulnerability:
<http://support.citrix.com/article/CTX110492>
http://support.citrix.com/article/CTX110492
Related patches can also be downloaded from
<http://support.citrix.com/hotfixes.jsp>
http://support.citrix.com/hotfixes.jsp
Proof of concept:
c:\>reg ADD
HKLM\system\Currentcontrolset\Services\Eventlog\Application\
MetaframeEvents /v EventMessageFile /t REG_EXPAND_SZ /d c:\winnt\tasks\poc.dll
Disclosure Timeline:
* June 09, 2006 - Vulnerability discovered
* June 11, 2006 - Vendor notified
* June 12, 2006 - First Vendor response
* July 18, 2006 - Fix released by Citrix
* July 18, 2006 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by <mailto:atarasco@sia.es> Andres
Tarasco acu.
The original article can be found at: <http://www.514.es>
http://www.514.es
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
|
