[THIN] FW: Crashing any Windows NT TSE running MetaFrame 1.8

  • From: "Boatman, Dave" <Dave.Boatman@xxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Fri, 9 Aug 2002 12:31:33 +0100

Not sure if this has been posted here already, but just in case it hasn't.

Dave Boatman

-----Original Message-----
From: morejunkmail@xxxxxxx [mailto:morejunkmail@xxxxxxx] 
Sent: 08 August 2002 12:47
To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
Subject: Crashing any Windows NT TSE running MetaFrame 1.8

PreScriptum: I posted this at thin-world.community.everyone.net first.
--------------------------------------------------------------------------------

I tried to contact Citrix about this bug I found, but they weren't
interested. (Haven't heard from them.)
So I'm posting it on a public forum for everyone to read.

Any WinNT4 TSE (Terminal Server Edition) running Citrix MetaFrame 1.8 can be
brought to its knees using the Java ICA web terminal interface without even
logging on the server.

All the required runtime files that are needed to do this are copied to the
caching folder of the browser used (eg: IE uses the
TemporaryInternetFilesFolder) when accessing a web terminal.

To put it simply: all a hacker/criminal has to do is to create a mirror site
(or copy the files from IE cache) of the JAVA ICA environment and make little
changes.

The changes are made in the html file that is used to
load the "setting" and then makes the ICA session available.

eg:
--------------
applet code="com.citrix.JICA.class" archive="jicaengn.jar" width="800"
height="600"
--------------

must be changed to:
--------------
applet code="com.citrix.JICA.class" archive="jicaengn.jar" width=100%
height=100%
--------------

All a hacker has to do now is to load the HTML file in
Internet Explorer, then set the browser to fullscreen (the "F11" key is used in
Internet Explorer to "FullScreen" the window) and refresh.

At first it may seem that nothing has happened, but in
fact all connected users are bumped off the server and
in most cases the server will "blue screen" and reboot
or freeze.

I don't think anyone else has noticed this
bug/exploit yet, or Citrix would have posted a patch by now.

I have confirmed this bug by testing it on 5 different
MetaFrame Servers and they all crashed(!).

Maybe this is a known problem (then I'm an idiot), but I'm pretty sure it's
not.

Use this info in peace.
Tanin Ehrami

PS: This mail may be edited for editorial reasons.
