Not sure if this has been posted here already... but just in case it hasn't.

Dave Boatman

-----Original Message-----
From: morejunkmail@xxxxxxx [mailto:morejunkmail@xxxxxxx]
Sent: 08 August 2002 12:47
To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
Subject: Crashing any Windows NT TSE running MetaFrame 1.8

PreScriptum: I posted this at thin-world.community.everyone.net first.

--------------------------------------------------------------------------------

I tried to contact Citrix about this bug I found, but they weren't interested. (Haven't heard from them.) So I'm posting it on a public forum for everyone to read.

Any WinNT4 TSE (Terminal Server Edition) running Citrix MetaFrame 1.8 can be brought to its knees using the Java ICA web terminal interface without even logging on to the server. All the runtime files that are needed to do this are copied to the caching folder of the browser used (e.g. IE uses the TemporaryInternetFilesFolder) when accessing a web terminal.

To put it simply: all a hacker/criminal has to do is to create a mirror site (or copy the files from the IE cache) of the JAVA ICA environment and make a few small changes. The changes are made in the HTML file that is used to load the "setting" and then makes the ICA session available.

e.g.:

--------------
applet code="com.citrix.JICA.class" archive="jicaengn.jar" width="800" height="600"
--------------

must be changed to:

--------------
applet code="com.citrix.JICA.class" archive="jicaengn.jar" width=100% height=100%
--------------

All a hacker has to do now is to load the HTML file in Internet Explorer, then set the browser to full screen (the "F11" key is used in Internet Explorer to "FullScreen" the window) and refresh. At first it may seem that nothing has happened, but in fact all connected users are bumped off the server and in most cases the server will "blue screen" and reboot or freeze.

I don't think anyone else has noticed this bug/exploit yet, or Citrix would have posted a patch by now.

I have confirmed this bug by testing it on 5 different MetaFrame Servers and they all crashed(!). Maybe this is a known problem (then I'm an idiot), but I'm pretty sure it's not.

Use this info in peace.

Tanin Ehrami

PS: This mail may be edited for editorial reasons.