[Dailydave] Owning Citrix & Terminal Services Clients
Hamid . K
elite_netbios at yahoo.com
Tue Mar 4 11:42:02 EST 2008
I've posted some notes about this case, following previous work, on
my blog a few days ago. Thought it may be interesting for some of the list members.
Feel free to reply on list, or drop some comments, especially about 'attack-1'.
Here's the link:
http://hkashfi.blogspot.com/2008/03/citrix-terminal-service-and-some-dirty.html
Regards,
Hamid
----- Original Message ----
From: DSquare Security <info at d2sec.com>
To: dailydave at lists.immunitysec.com
Sent: Wednesday, February 27, 2008 9:47:32 PM
Subject: [Dailydave] Owning Citrix & Terminal Services Clients
Several vulnerabilities can help you to compromise a Citrix server or
a Terminal Services server. So the question is: what can you do when
you have privileged access on these Citrix and Terminal Services
servers? The answer is simple: try to compromise Citrix and TS clients.

There are at least two interesting ways to access client data:
1) Spying on his session to get passwords from a published application
2) Accessing his local drives if they are mapped in the session

D2CiTerm is designed to help you in this kind of work. Here are two
demonstrations of this tool:
1) From a remote SYSTEM access after the exploitation of Citrix MPS 4.0
IMA Service Heap overflow: http://www.d2sec.com/d2citerm_1.htm
2) From a privileged Citrix session: http://www.d2sec.com/d2citerm_2.htm

This tool will be released in the next update of D2 Exploitation Pack.
--
DSquare Security, LLC
http://www.d2sec.com
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave