Citrix ICA Client for Windows Allows Remote Malicious Code to Execute on a User's PC Without Warning
SecurityTracker Alert ID: 1002968
SecurityTracker URL: http://securitytracker.com/id/1002968
Date: Dec 13 2001
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 6.01, possibly others; only affects the client for Microsoft operating systems
Description: A code execution vulnerability was reported in the Citrix ICA client for Microsoft operating systems. A malicious web page or HTML-based e-mail could cause the ICA client to automatically and silently execute arbitrary code on the user's host.
An implementation flaw has been reported in the Citrix ICA client. A remote user can create a web page or HTML-based e-mail that will perform virtually any action on the client machine without informing the user or requiring explicit consent from the user.
It is reported that the user will not be notified when downloading an .ica file. The .ica file will reportedly activate the Citrix client and can then make a connection to a remote server.
The vulnerability can reportedly be triggered with the following type of HTML code:
In the reporter's demonstration, a file named 'trojan.ica' loaded from a web page connects to a published application (hosted on a Citrix Metaframe XP server) without notifying the user or requesting approval. Because the client's drives are mapped into the session, the published application can then write a malicious program to the user's host; it is reported that a malicious ica file can likewise list and copy files from the user's drive.
The report notes that the Citrix ICA ActiveX client requests permission from the user before the published application can write to the client's host. However, the Windows client does not do this.
The vendor has reportedly been notified.
Impact: A remote user can create a malicious web page or HTML-based e-mail that could cause the ICA client to automatically and silently execute arbitrary code on the user's host.
Solution: No solution was available at the time of this entry.
Vendor URL: www.citrix.com/products/clients/ica/technology.asp
Source Message Contents
Date: Thu, 13 Dec 2001 12:01:01 -0800
Subject: Kikkert Security Advisory: Potentially serious security flaw in Citrix Client
This 'Kikkert Security advisory' has been released after careful
consideration and after advising 'Citrix' first. Citrix was initially
willing to communicate but hasn't responded to any of my emails for the last
two months. Because there are workarounds for the problem described in this
advisory I decided to release it so people might benefit from these possible
I would like to ask the list to examine the scope of products and OS's
affected as I no longer have access to a Citrix server to do this myself...
Serious security flaw in Citrix Client
Potentially allowing any possible action on the client machine, including
reading any file, placing Trojan code or altering data.
Not completely clear. What is certain is that Citrix client 6.01 is affected.
Citrix clients on Apple Mac seem to be OK; only the Microsoft version is
affected (according to Citrix, I did not test this). This exploit was tested
on the following setup:
- Windows 2000 professional + Service pack 2
- Internet Explorer 5.5 + SP1, Q290108, Q299618 (5.50.4522.1800)
- Outlook Express 5.50.4522.1200
- Office 2000 SR1
- Citrix ICA client 6.01
Prerequisites: Citrix Client installed (standard install), Internet
connection with port 1494 open (Citrix port, outbound), browser or HTML
email client, Windows OS (according to Citrix).
Citrix produces Clients which can connect to a terminal server to run thin
client sessions. A popular use of Citrix client / server is the use of
published applications that enables thin clients to run 'heavy'
An implementation flaw exists in the Citrix client which allows a malicious
web site owner to perform virtually any action on the client machine without
informing the user first or without explicit consent from the user.
This means that anyone with the citrix client installed (and probably with
IE installed, not sure what the scope is) and who surfs the internet on the
same machine is in danger of exploitation.
When a user has Citrix Client installed and therefore has an extension
mapping for .ICA files, the user will NOT be warned when downloading an .ica
file. The user is NOT asked to open or download the file; the ica file will
just activate the Citrix client and a connection to a remote server can be
result of this is that any malicious website owner (with access to a Citrix
terminal server) can place trojan code on a client machine without consent
of the client.
I created a working demo in the form of a webpage which simply contains an
Iframe (could also be a hidden frame):
Trojan.ica will connect to a published application (hosted on a Citrix
Metaframe XP server) without first asking the user and place a (fake) trojan
file on the client's hard drive.
The published application is simply a VBS script that copies the trojan file
from the local (terminal server's) hard drive to the (mapped) client drive.
After the script has run, the connection to the remote server will be broken.
The client is not in any way warned or prompted that the remote server is
writing anything to the client's hard drive.
Strangely enough, the ActiveX client I tested DOES ask the user for permission
before the published application can write to the client drive; this is in
my opinion the way it should work.
Just to make it clear, the malicious website owner can not only write to the
client, he can also retrieve a complete listing of any file on the machine
or copy any file/document from the client's machine.
Citrix was contacted on the 23rd of July and did not take this very seriously
at first. They mentioned that this was a known issue and did not give me the
idea that they were actively working on a fix.
It is now almost 4 months after I first notified them and they still cannot
give me a clear indication on what they are planning to do about this. They
did however give me a few 'workarounds' which are mentioned below. I'm not
sure how effective these workarounds are as I did not have the opportunity
to test them in a live environment.
Possible fixes (as given by Citrix):
* The Citrix ICA Clients for Apple Macintosh and for Unix have
explicit drive mapping dialogs which control client drive mapping, and also
allow read/write selection. Therefore, these clients will only be attacked
if such drive mappings are configured.
* When using the ICA Client for Java, you can set Java security to
prevent file access by Java applications. This will prevent disk access.
* Client Drive Mapping can be disabled in APPSRV.INI by adding the
setting: CDMAllowed=Off
  [Michiel] - Bit of a drastic solution, as this just disables the feature.
* In Internet Explorer, the File Download permission can be disabled.
This would avoid the exploit in the form described.
  [Michiel] - But would still be exploitable via the email client.
And Microsoft's recommended workaround for Outlook:
it's possible to configure the OESU (Outlook Security Update) to block
additional file types, including .ICA.
Michiel Kikkert - email@example.com
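The APPSRV.INI workaround quoted above (CDMAllowed=Off) is the one mitigation in the advisory that an administrator can verify and roll out on a Windows client without touching the browser or mail client. The script below is an added example, not code from the advisory or from Citrix: it checks a client's APPSRV.INI for the setting and produces a hardened copy. It assumes APPSRV.INI is plain INI text and that the key belongs in the [WFClient] section; the advisory names the key but not the section, so the section name is an assumption, and the sample INI is constructed.

```python
"""
Worked example of the Citrix-suggested workaround quoted in the advisory:
disabling Client Drive Mapping with CDMAllowed=Off in the ICA client's
APPSRV.INI.  Added example code, not the advisory's or Citrix's own.
Assumptions: APPSRV.INI is plain INI text, and the setting belongs in the
[WFClient] section (the advisory names the key but not the section).
"""
import configparser
import io

# Constructed sample APPSRV.INI (not taken from a real client install):
# client drive mapping is still allowed because CDMAllowed is absent.
WEAK_APPSRV_INI = """\
[WFClient]
Version=2
ClientName=WORKSTATION
[ApplicationServers]
Published App=
"""

SECTION = "WFClient"   # assumed location of the setting
KEY = "CDMAllowed"     # key name as given in the advisory


def _parse(ini_text: str) -> configparser.ConfigParser:
    # Citrix INI files may carry keys without values and repeated keys,
    # so parse permissively; keep key case so the rewrite looks like the input.
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.optionxform = str
    cp.read_string(ini_text)
    return cp


def _find_key(cp: configparser.ConfigParser, section: str, key: str):
    """Return (actual_key_name, value) for `key`, matched case-insensitively."""
    if not cp.has_section(section):
        return None, None
    for k, v in cp.items(section):
        if k.lower() == key.lower():
            return k, v
    return None, None


def cdm_disabled(ini_text: str) -> bool:
    """True only when CDMAllowed=Off is explicitly present in [WFClient]."""
    _, value = _find_key(_parse(ini_text), SECTION, KEY)
    return value is not None and value.strip().lower() == "off"


def disable_cdm(ini_text: str) -> str:
    """Return a copy of the INI text with CDMAllowed=Off set in [WFClient]."""
    cp = _parse(ini_text)
    if not cp.has_section(SECTION):
        cp.add_section(SECTION)
    existing, _ = _find_key(cp, SECTION, KEY)
    if existing is not None:
        # drop any differently cased copy so the file has one authoritative value
        cp.remove_option(SECTION, existing)
    cp.set(SECTION, KEY, "Off")
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()


if __name__ == "__main__":
    print("before:", cdm_disabled(WEAK_APPSRV_INI))   # False
    hardened = disable_cdm(WEAK_APPSRV_INI)
    print("after :", cdm_disabled(hardened))          # True
    print(hardened)
```

Note the caveat the reporter attaches to this workaround: it removes client drive mapping for every session, not only for connections started from an untrusted .ica file, and the reporter did not test it in a live environment.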