Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14062
HistoryAug 28, 2006 - 12:00 a.m.

[NT] Citrix Presentation/MetaFrame Server Privilege Escalation

2006-08-2800:00:00
vulners.com
13

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    • promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


Citrix Presentation/MetaFrame Server Privilege Escalation

SUMMARY

<http://www.citrix.com> Citrix Presentation Server (formerly Citrix
MetaFrame) is a remote access/application publishing product built on the
Independent Computing Architecture (ICA), Citrix Systems' thin client
protocol.

A vulnerability in Citrix Presentation/MetaFrame Server allows for a
privilege escalation.

DETAILS

Vulnerable Systems:

  • Citrix Metaframe version 1.8
  • Citrix Metaframe Presentation server version 3.0
  • Citrix Presentation server version 4.0

While performing some security tests against several Citrix Metaframe
servers, a potential security issue was found, due to permissive ACLS. By
default, access rigthts over the following registry key
HKLM\system\Currentcontrolset\Services\Eventlog\Application\MetaframeEvents grants write access to authenticated users.

Over that key there are two registry entries, CategoryMessageFile and
EventMessageFile that points to the citrix event handling library, which
is by default stored at %systemroot%\System32\MFEvent.dll
This library is used by eventlog service.

Its possible for an authenticated user to modify the path of the library
in the registry, pointing to an special crafted library that when loaded
will execute arbitrary code with System privileges. This flaw allows
authenticated users to elevate privileges over a metaframe server.

Workaround:
Use regedt32.exe to restrict permissions by granting read only permissions
to all not administrator accounts.
Hive:
HKLM\system\Currentcontrolset\Services\Eventlog\Application\MetaframeEvents

Patch:
Citrix has released a security bulletin that address this vulnerability:
<http://support.citrix.com/article/CTX110492&gt;
http://support.citrix.com/article/CTX110492
Related patches can also be downloaded from
<http://support.citrix.com/hotfixes.jsp&gt;
http://support.citrix.com/hotfixes.jsp

Proof of concept:
c:\>reg ADD
HKLM\system\Currentcontrolset\Services\Eventlog\Application\MetaframeEvents /v EventMessageFile /t REG_EXPAND_SZ /d c:\winnt\tasks\poc.dll

Disclosure Timeline:

  • June 09, 2006 - Vulnerability discovered
  • June 11, 2006 - Vendor notified
  • June 12, 2006 - First Vendor response
  • July 18, 2006 - Fix released by Citrix
  • July 18, 2006 - Public disclosure

ADDITIONAL INFORMATION

The information has been provided by <mailto:[email protected]> Andres
Tarasco acu.
The original article can be found at: <http://www.514.es>
http://www.514.es

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.