Citrix Opens Security Holes in Military, Federal Web Sites

A researcher says the Citrix technology running military and government Web site GUI's is full of security holes.

The Citrix technology that chugs away underneath Web applications is being used to put up military and government GUIs with security holes you could drive a bus through.

Security researcher Petko D. Petkov—aka "pdp"—said in an Oct. 4 posting that his recent testing of Citrix gateways led him to "tons" of "wide-open" Citrix instances, including 10 on government domains and four on military domains.

"The Internet is full of wide open CITRIX gateways. This is madness," he wrote. "I mean, it is 2007 people, it shouldnt be that simple."

What Petkov means by "wide open" is that when searching on Google or Yahoo for files with Citrixs proprietary ICA (Independent Computing Architecture) extension, the returned files blithely hand over hints about which server is running, the underlying transport mechanism and the remote application that Citrix will open.

Petkov said he found several "critical" applications that looked too interesting to even dare to look at among the services he managed to discover.

"Shall we start with the Global Logistics systems or the US Government Federal Funding Citrix portals—all of them wide open and susceptible to attacks?" he wrote. "With a similar success, attackers can perform just simple port scans for service port 1494 [a TCP port used by Citrix Presentation Servers ICA Client]."

Petkov compares Citrix hacking to "the old days with NetBIOS" in that its simple, its malicious, and its "highly effective."


Click here to read more about a security breach of the U.S. Consulate General in St. Petersburg, Russia.

Citrix technology is also ubiquitous, with Windows desktops and applications relying on MetaFrame—now called Citrix Presentation Server. The ICA protocol in question specifies a method of passing data between server and clients.

Its not bound to any particular platform, but products that use the protocol—including Citrixs WinFrame and Citrix Presentation Server—are used to allow Windows applications to be run on a Windows server and for supported clients to access the applications. ICA is also supported on multiple Unix server platforms and can be used for access to applications running on those platforms.

"And the problem is that CITRIX is pretty useful," Petkov wrote in the posting. "Here is a dilemma for you: Lets say that you have a pretty stable desktop [application that] you would like to [make] available on the Web. What you gonna do? Port it to XHTML, JavaScript and CSS? No way! You are most likely going to put it over CITRIX."

Petkov posted a video that demonstrates a Citrix attack with simple enumeration exercises along with a script he says can be used to brute-force the Windows/Netware logon and which can be modified to work against Citrix SSL authorization as well. Petkov also posted on Oct. 5 a script to fine-tune connections when security researchers want to try out various Citrix communication mechanisms and connection options, and a script to use ICAClient ActiveX controller to enumerate remote applications, servers and farms.

Citrix had not responded to queries by the time this article posted.

Participants on the Full Disclosure security mailing list noted, however, that its not that Citrix cant be secured—given a competent administrator, that is.

"Id recommend using terminal services over Citrix any day of the week for hosting mature apps on a big box, but thats just my bias," wrote a poster with the moniker "Geoff." "Citrix is able to be secured, but thats like everything else in computing: the admin needs a brain."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.