Date: Fri, 28 May 1999 12:26:59 -0700
From: David Terrell
To: BUGTRAQ@netspace.org
Subject: Citrix Winframe client for Linux

[ presumably this holds true for the other unix clients as well, but
  all I have is linux to test on ]

The Citrix Winframe linux client (used for accessing Winframe and
Windows NT Server Terminal Edition) has a simple configuration section.
Perhaps too simple.... All configuration information is stored in a
directory /usr/lib/ICAClient/config which is mode 777. This in and
of itself is bad news, since any user on the system can overwrite
configuration data.

The situation is actually much worse than that.

When you start up the actual session manager (wfcmgr) you get a listbox
of configured sessions. The data for this listbox is stored in the mode
777 file /usr/lib/ICAClient/config/appsrv.ini. So there's a single
config file shared between all users. A sample session profile follows:

[WFClient]
Version=1

[ApplicationServers]
broken=

[broken]
WinStationDriver=ICA 3.0
TransportDriver=TCP/IP
DesiredColor=2
Password=0006f6c601930785
Domain=NTDOM
Username=user
Address=hostname

Yep. Passwords are stored in some kind of hash. What that hash is doesn't
really matter since you can just bring up wfcmgr and log in as that user.

Terrible.

I tried mailing both support@citrix.com and security@citrix.com but
neither of these addresses exist.

Workaround? wfcmgr supports the -icaroot parameter, but you basically
need to copy all the files in for it to work. So duplicate the tree in
your home directory, fix permissions, and do wfcmgr -icaroot $HOME/.ica.

Alternatively, don't use it.

Distressing that the company that was "bringing multiuser concurrent logons
to Windows NT" makes such a little effort at understanding multiuser
security.... [further editorialization left to the reader]

--
David Terrell
dbt@meat.net, dbt@nebcorp.com      I may or may not be speaking for Nebcorp,
http://wwn.nebcorp.com/~dbt/        but Nebcorp has spoken for you.

-------------------------------------------------------------------------------

Date: Fri, 28 May 1999 16:43:31 -0400
From: Davin Milun
To: BUGTRAQ@netspace.org
Subject: Re: Citrix Winframe client for Linux

>From: David Terrell
>Date: Fri, 28 May 1999 12:26:59 -0700
>Subject: Citrix Winframe client for Linux
>To: BUGTRAQ@NETSPACE.ORG
>
>[ presumably this holds true for the other unix clients as well, but
>  all I have is linux to test on ]
>
>The Citrix Winframe linux client (used for accessing Winframe and
>Windows NT Server Terminal Edition) has a simple configuration section.
>Perhaps too simple.... All configuration information is stored in a
>directory /usr/lib/ICAClient/config which is mode 777. This in and
>of itself is bad news, since any user on the system can overwrite
>configuration data.

Are you sure that the current (3.x) version still does this?

I know that we saw this with the older 2.x clients; with the 3.x version,
it creates a .ICAClient directory in the user's home directory and stores
the configuration data there.

Davin.
--
Davin Milun          E-mail: milun@cse.Buffalo.EDU  milun@acm.org
Fax: (716) 645-3464  WWW: http://www.cse.buffalo.edu/~milun/

-------------------------------------------------------------------------------

Date: Fri, 28 May 1999 13:51:20 -0700
From: David Terrell
To: BUGTRAQ@netspace.org
Subject: Re: Citrix Winframe client for Linux

On Fri, May 28, 1999 at 04:43:31PM -0400, Davin Milun wrote:
> >The Citrix Winframe linux client (used for accessing Winframe and
> >Windows NT Server Terminal Edition) has a simple configuration section.
> >Perhaps too simple.... All configuration information is stored in a
> >directory /usr/lib/ICAClient/config which is mode 777. This in and
> >of itself is bad news, since any user on the system can overwrite
> >configuration data.
>
> Are you sure that the current (3.x) version still does this.
> I know that we saw this with the older 2.x clients, with the 3.x version, it
> creates a .ICAClient directory in the user's home directory, and stores the
> configuration data there.

I'm not able to test that immediately here. However, v2 is the most up to
date client for unix for international (non-english) users.

--
David Terrell
dbt@meat.net, dbt@nebcorp.com      I may or may not be speaking for Nebcorp,
http://wwn.nebcorp.com/~dbt/        but Nebcorp has spoken for you.

-------------------------------------------------------------------------------

Date: Fri, 28 May 1999 16:28:31 -0500
From: Vic Abell
To: BUGTRAQ@netspace.org
Subject: Re: Citrix Winframe client for Linux

David Terrell writes (in part):
>
> [ presumably this holds true for the other unix clients as well, but
>   all I have is linux to test on ]

It's true for the "newer" UNIX clients -- e.g., 3.0 for Solaris -- but
not for older ones -- e.g., 2.6 for Solaris.

> The Citrix Winframe linux client (used for accessing Winframe and
> Windows NT Server Terminal Edition) has a simple configuration section.
> Perhaps too simple.... All configuration information is stored in a
> directory /usr/lib/ICAClient/config which is mode 777. This in and
> of itself is bad news, since any user on the system can overwrite
> configuration data.

We have refused to install the Solaris 3.0 client for this reason and
have opened a case with Citrix about this and other objectionable
aspects (non-security ones). Those who have Citrix support contracts,
the case number is 23117500, and you're welcome to join your complaints
to ours.

> The situation is actually much worse than that.
>
> When you start up the actual session manager (wfcmgr) you get a listbox
> of configured sessions. The data for this listbox is stored in the mode
> 777 file /usr/lib/ICAClient/config/appsrv.ini. So there's a single
> config file shared between all users. A sample session profile follows:
>
> ...
>
> Yep. Passwords are stored in some kind of hash. What that hash is doesn't
> really matter since you can just bring up wfcmgr and log in as that user.

It can be made not quite that easy. The administrative controls on the
server end allow you to disable acceptance of any stored passwords. That
has always been true, and we have always done that, no matter where the
clients were designed to store passwords. Of course, that doesn't mean
people can't try to store passwords -- it just means they won't be usable.

> Terrible.

Yes, the newer Citrix clients are most unlikable.

> I tried mailing both support@citrix.com and security@citrix.com but
> neither of these addresses exist.

The best you can do without a support contract is post a complaint to
their "forum," reachable via www.citrix.com.

> Workaround? wfcmgr supports the -icaroot parameter, but you basically
> need to copy all the files in for it to work. So duplicate the tree in
> your home directory, fix permissions, and do wfcmgr -icaroot $HOME/.ica.

You may not need to duplicate all files. With older clients it's possible
to duplicate only the files the user has to be able to change -- e.g., the
three .ini files in .../config -- and use symbolic links to the rest.

> Alternatively, don't use it.

Also consider using the older clients and disabling the acceptance of the
password at the server. Since the newer clients also seem to fall back to
a ~/.ICAClient sub-directory, it might be possible to delete the
world-accessible directories and files. I've been able to do that, but
only with partial success.

> Distressing that the company that was "bringing multiuser concurrent logons
> to Windows NT" makes such a little effort at understanding multiuser
> security.... [further editorialization left to the reader]

I believe Citrix tried to make it easier for people to generate their own
configurations and didn't understand the security implications of what
they were doing. It's too bad they so sadly compromised the secure use of
their reasonably good product.
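The -icaroot workaround from David Terrell's post, with Vic Abell's refinement (copy only the config .ini files, symlink the rest), written out as a shell script. This is an added example, not code from the thread or from Citrix; the layout (/usr/lib/ICAClient, config/*.ini, wfcmgr -icaroot) follows the thread and the function names are this example's own.

```shell
#!/bin/sh
# Per-user ICAROOT: copy the config/*.ini files with owner-only permissions
# and symlink every other file back to the system tree, so wfcmgr -icaroot
# runs from a private copy without duplicating the whole client.
# (Added example; paths follow the thread, function names are our own.)

# make_private_icaroot SRC DEST
# Mirrors SRC into DEST: directories are recreated, config/*.ini files are
# copied and set to 0600, all other files become symlinks to the originals.
# Runs in a subshell so the umask change does not leak into the caller.
make_private_icaroot() (
    src=$(cd "$1" && pwd) || exit 1     # absolute path, for the symlinks
    dest=$2
    umask 077                           # nothing we create is group/world accessible
    mkdir -p "$dest" || exit 1
    (cd "$src" && find . -type d) | while read -r d; do
        mkdir -p "$dest/$d" || exit 1
    done || exit 1
    (cd "$src" && find . -type f) | while read -r f; do
        case $f in
            ./config/*.ini)             # the user-editable files: real copies
                cp "$src/$f" "$dest/$f" && chmod 600 "$dest/$f" || exit 1 ;;
            *)                          # binaries, modules, etc.: shared
                ln -sf "$src/$f" "$dest/$f" || exit 1 ;;
        esac
    done
)

# private_copy_count DEST: number of real (non-symlink) files under DEST/config,
# letting a caller confirm the .ini files were copied rather than linked.
private_copy_count() {
    find "$1/config" -type f | wc -l | tr -d ' '
}

# Typical use:  make_private_icaroot /usr/lib/ICAClient "$HOME/.ica" &&
#               wfcmgr -icaroot "$HOME/.ica"
```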
-------------------------------------------------------------------------------

Date: Fri, 28 May 1999 16:46:49 -0600
From: Mark Manes
To: BUGTRAQ@netspace.org
Subject: Re: Citrix Winframe client for Linux

I have tested this on the newest version (3.0.15) of the ICA Client for
Linux and found some differences. The /usr/lib/ICAClient dir is now mode
755 which is good, but it keeps each user's appsrv.ini in ~/.ICAClient
now, which is mode 755 too, so still anyone can read the file.

Another workaround would be to not enter a user/domain/password in the
connection configuration screen, and enter it manually in the standard NT
login screen each time the connection is made.

-------------------------------------------------------------------------------

Date: Fri, 28 May 1999 21:04:30 -0500
From: seregon
To: BUGTRAQ@netspace.org
Subject: Re: Citrix Winframe client for Linux

Rumor has it that David Terrell might have once said:
> [ presumably this holds true for the other unix clients as well, but
>   all I have is linux to test on ]
>
> The Citrix Winframe linux client (used for accessing Winframe and
> Windows NT Server Terminal Edition) has a simple configuration section.
> Perhaps too simple.... All configuration information is stored in a
> directory /usr/lib/ICAClient/config which is mode 777. This in and
> of itself is bad news, since any user on the system can overwrite
> configuration data.

I installed v3.00.15 using the defaults. After running wfcmgr and creating
a dummy connection config as a regular user, I did not find anything extra
in the appsrv.ini file in /usr/lib/ICAClient/config. All of the session
configuration information was stored in ~/.ICAClient/appsrv.ini. This file
is created world-readable, as is the directory :(, so if others can see
into your home directory...

I repeated the test as root, with the same results...

> The situation is actually much worse than that.
>
> When you start up the actual session manager (wfcmgr) you get a listbox
> of configured sessions. The data for this listbox is stored in the mode
> 777 file /usr/lib/ICAClient/config/appsrv.ini. So there's a single
> config file shared between all users. A sample session profile follows:
>
> [WFClient]
> Version=1
>
> [ApplicationServers]
> broken=
>
> [broken]
> WinStationDriver=ICA 3.0
> TransportDriver=TCP/IP
> DesiredColor=2
> Password=0006f6c601930785
> Domain=NTDOM
> Username=user
> Address=hostname
>
> Yep. Passwords are stored in some kind of hash. What that hash is doesn't
> really matter since you can just bring up wfcmgr and log in as that user.

I would be at least moderately concerned about having the hash exposed
just because many (most?) users like to synchronize their passwords
between all of the systems that they use.

As for the hash, well... it's weak (as are most XOR schemes). For the
Dos/Win32 clients (at least) the fourth character is the length of the
remainder of the line. The fifth and sixth are the principal key. The rest
is the password. This hash appears to use the same type of scheme.

No, the hash algorithm isn't quite that simple... they do a couple of
things to introduce noise. But, the implementation could be better... ; )

> Terrible.
>
> I tried mailing both support@citrix.com and security@citrix.com but
> neither of these addresses exist.
>
> Workaround? wfcmgr supports the -icaroot parameter, but you basically
> need to copy all the files in for it to work. So duplicate the tree in
> your home directory, fix permissions, and do wfcmgr -icaroot $HOME/.ica.
>
> Alternatively, don't use it.
>
> Distressing that the company that was "bringing multiuser concurrent logons
> to Windows NT" makes such a little effort at understanding multiuser
> security.... [further editorialization left to the reader]
>
> --
> David Terrell
> dbt@meat.net, dbt@nebcorp.com      I may or may not be speaking for Nebcorp,
> http://wwn.nebcorp.com/~dbt/        but Nebcorp has spoken for you.

--
______________________________________________________________________________
seregon@midsouth.rr.com               From wonder into wonder, existence opens
______________________________________________________________________________

-------------------------------------------------------------------------------

Date: Sat, 29 May 1999 11:53:27 +0200
From: Keresztfalvi Gabor
To: BUGTRAQ@netspace.org
Subject: Re: Citrix Winframe client for Linux

On Fri, 28 May 1999, David Terrell wrote:
> The Citrix Winframe linux client (used for accessing Winframe and
> Windows NT Server Terminal Edition) has a simple configuration section.
> Perhaps too simple.... All configuration information is stored in a
> directory /usr/lib/ICAClient/config which is mode 777. This in and
> of itself is bad news, since any user on the system can overwrite
> configuration data.
[snip]
> When you start up the actual session manager (wfcmgr) you get a listbox
> of configured sessions. The data for this listbox is stored in the mode
> 777 file /usr/lib/ICAClient/config/appsrv.ini. So there's a single
> config file shared between all users. A sample session profile follows:

I checked it both on Citrix ICA Client for Linux version 2.8.1 and 3.0.15.
Your report is true for 2.8.1, but all of the bugs are already fixed in
3.0.15. So /usr/lib/ICAClient/config is 555 now, and every user has their
own config files in ~/.ICAClient. The version 3.0.15 appeared on 1/18/99.

Greets,
Keresztg

+ Keresztfalvi Gabor
+ Student of the Technical University of Budapest
+ mailto: keresztg@podolin.piar.hu keresztg@mail.com kg230@hszk.bme.hu
+ http://www.piar.hu/~keresztg/   There is my pubkey on this page.

-------------------------------------------------------------------------------

Date: Mon, 31 May 1999 22:26:48 +1000
From: A Mole
To: BUGTRAQ@netspace.org
Subject: Re: Citrix Winframe client for Linux

This was mentioned a few times in Citrix's online forums - Citrix lamely
claiming it was necessary for functional reasons.

This particular problem has been fixed with the new Unix versions
(v3.0.XX). Each user now gets an ~/.ICAClient directory for their personal
settings.

It still has problems, though. For some reason known best to themselves
Citrix have decided to still make $ICAROOT/cache (usually
/usr/lib/ICAClient) and /etc/icalicense/ mode 777. I suspect the licence
files only come into play using Metaframe for Terminals but it's hard to
reconcile the logic of a shared central location for all users. The cache
directory is configurable within the client and isn't even turned on by
default so why this directory needs to exist at all escapes me.

Like you say - distressing that they would do this. More so that they
would still get it wrong the second time around.

M.

-------------------------------------------------------------------------------

Date: Tue, 1 Jun 1999 00:45:30 +0200
From: Andy Polyakov
To: BUGTRAQ@netspace.org
Subject: Re: Citrix Winframe client for Linux

> > All configuration information is stored in a
> > directory /usr/lib/ICAClient/config which is mode 777.

While we're on the matter...

Background. ICA client lets you "mount" any UNIX directory as a drive
within any particular WinFrame/MetaFrame session.

Problem. Files created by Windows on such a client-mapped drive appear to
be world-writable. umask has no effect. Tracing system calls made by the
client reveals that all newly created files are scrupulously chmoded to
777. Both 2.x and 3.x clients exhibit this behaviour. No, it doesn't mean
a compromise. But I find it totally inappropriate when such important
security description as access permissions on newly created files is
taken behind my back.

Workaround (for platforms supporting dynamic linking). Compile the
following "module" as a shared object and make the run-time linker preload
it (e.g. by setting LD_PRELOAD on Linux and Solaris and
_RLD_LIST=${ICAROOT}/chmod.so:DEFAULT on IRIX):

    #include <sys/stat.h>

    /* Preloaded replacement for chmod(2): ignore the client's request,
       so new files keep the permissions the umask gave them at creation. */
    int chmod(const char *path, mode_t mode)
    {
        (void)path;
        (void)mode;
        return 0;
    }

Side effects. If you have version 3.x and a user runs the client for the
very first time, initial config files are copied from ${ICAROOT}/config
and they (files) inherit 444 access permissions. To work around this,
chmod u+w ${ICAROOT}/config/* (files in ${ICAROOT}/config are owned by
root anyway).

Andy.
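The permission problems that Mark Manes, seregon, A Mole and Andy Polyakov each report a piece of (world-readable ~/.ICAClient and appsrv.ini, mode 777 cache and /etc/icalicense directories, 444 config copies that need u+w) gathered into one check. This is an added shell example, not code from the thread or from Citrix; the paths follow the thread, the function names are this example's own, and the roots are passed as arguments (/etc/icalicense is only the default for the third one).

```shell
#!/bin/sh
# Audit the ICA client locations named in the thread for permissive modes and
# tighten the per-user ones. (Added example; paths follow the thread and the
# function names are our own.) Roots are arguments so the checks can run
# against any tree, e.g. a test copy, and not only the live install.

# world_writable ROOT...: print every entry under each ROOT that others can write
world_writable() {
    for r in "$@"; do
        [ -e "$r" ] && find "$r" -perm -002
    done
    return 0
}

# exposed_user_config ICA_HOME: print per-user config directories and .ini
# files that others can read. appsrv.ini carries the Password= field, so
# world-readable is already a leak even where nothing is world-writable.
exposed_user_config() {
    [ -d "$1" ] || return 0
    find "$1" \( -type d -o -name '*.ini' \) -perm -004
}

# ica_audit ICAROOT ICA_HOME [LICENSE_DIR]: all findings, one path per line
ica_audit() {
    world_writable "$1/config" "$1/cache" "${3:-/etc/icalicense}" "$2"
    exposed_user_config "$2"
}

# ica_lockdown ICA_HOME: owner-only access to the user's settings. 0600 also
# restores u+w on files that inherited 444 from the system config directory,
# so wfcmgr can still save profiles.
ica_lockdown() {
    [ -d "$1" ] || return 1
    chmod 700 "$1" && find "$1" -type f -exec chmod 600 {} +
}

# Typical use:  ica_audit /usr/lib/ICAClient "$HOME/.ICAClient"
#               ica_lockdown "$HOME/.ICAClient"
```

The system-wide cache and licence directories are left for the administrator; ica_lockdown only touches the user's own tree.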