The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
SUMMARY
<http://www.citrix.com> Citrix Presentation Server (formerly Citrix
MetaFrame) is a remote access/application publishing product built on the
Independent Computing Architecture (ICA), Citrix Systems' thin client
protocol.
A vulnerability in Citrix Presentation/MetaFrame Server allows for a
privilege escalation.
DETAILS
Vulnerable Systems:
While performing some security tests against several Citrix Metaframe
servers, a potential security issue was found, due to permissive ACLS. By
default, access rigthts over the following registry key
HKLM\system\Currentcontrolset\Services\Eventlog\Application\MetaframeEvents grants write access to authenticated users.
Over that key there are two registry entries, CategoryMessageFile and
EventMessageFile that points to the citrix event handling library, which
is by default stored at %systemroot%\System32\MFEvent.dll
This library is used by eventlog service.
Its possible for an authenticated user to modify the path of the library
in the registry, pointing to an special crafted library that when loaded
will execute arbitrary code with System privileges. This flaw allows
authenticated users to elevate privileges over a metaframe server.
Workaround:
Use regedt32.exe to restrict permissions by granting read only permissions
to all not administrator accounts.
Hive:
HKLM\system\Currentcontrolset\Services\Eventlog\Application\MetaframeEvents
Patch:
Citrix has released a security bulletin that address this vulnerability:
<http://support.citrix.com/article/CTX110492>
http://support.citrix.com/article/CTX110492
Related patches can also be downloaded from
<http://support.citrix.com/hotfixes.jsp>
http://support.citrix.com/hotfixes.jsp
Proof of concept:
c:\>reg ADD
HKLM\system\Currentcontrolset\Services\Eventlog\Application\MetaframeEvents /v EventMessageFile /t REG_EXPAND_SZ /d c:\winnt\tasks\poc.dll
Disclosure Timeline:
ADDITIONAL INFORMATION
The information has been provided by <mailto:[email protected]> Andres
Tarasco acu.
The original article can be found at: <http://www.514.es>
http://www.514.es
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.