Breaking Out of Citrix Environment

Citrix is software that allows enterprises or individuals to work and collaborate remotely; technically, we can say it is a jump server for enterprises. During our penetration testing engagements we usually encounter this technology as part of the client's environment. This post describes a few common techniques that we have used during our pen testing engagements to break out of Citrix environments.

#1 Abusing Firefox

In one of our engagements, we found Firefox version 55.0, which is prone to a command execution vulnerability in the web console. By abusing nsILocalFile and creating a Contract ID, a local attacker can leverage this to escape the Citrix environment.

  • Firefox provides a component known as nsILocalFile.
  • With nsILocalFile you can navigate paths that use the different path separators of different platforms and query the state of any file or directory.
  • This component can be referred to using the string @mozilla.org/file/local;1, also known as the Contract ID, to create an instance.
  • Using JavaScript and the CID (Contract ID), we can refer to any other component in the system.

Example: var File = Components.classes["@mozilla.org/file/local;1"].createInstance();

Proof of concept: f=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);f.initWithPath('c:\\Windows\\System32\\calc.exe');f.launch()

Additional information: about:newtab is considered a privileged tab if devtools.chrome.enabled is set to false.

#2 HTML Injection

In Explorer, creating a contact card was prone to HTML injection. This can be one of the techniques to escape Citrix.

Open Explorer, right-click and create a contact card. Enter a first name and last name, and in the email field put the payload below.

Payload: <a href="powershell.exe">fastrack.r@gmail.com</a>

Once done, add this as the email address. An exception will be generated saying the email format is invalid; click on "YES".

Clicking the generated href link will then open PowerShell.

#3 Creating Shortcut

This is one of the known techniques, in which we create shortcut files and point them to the specific binaries that need to be invoked.

NOTE: If the browse option does not let you navigate via explorer.exe, try entering the full path.
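
From the defender's side, all three techniques end the same way: a published application or a session user starts a binary that the session was never meant to run. The following is an added example, not code from the original post, that applies two detection rules to process-creation records; the record layout, account names, allowlist and blocklist are all assumptions made for illustration.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed records shaped like process-creation telemetry
# (parent image, new image, user). Not taken from the original post.
SAMPLE_EVENTS = r"""parent,image,user
C:\Program Files\Mozilla Firefox\firefox.exe,C:\Program Files\Mozilla Firefox\firefox.exe,CTX\alice
C:\Program Files\Mozilla Firefox\firefox.exe,C:\Windows\System32\calc.exe,CTX\alice
C:\Windows\explorer.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,CTX\bob
C:\Windows\explorer.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,CTX\svc-admin
C:\Windows\System32\svchost.exe,C:\Windows\System32\taskhostw.exe,NT AUTHORITY\SYSTEM
"""

# Assumed policy: children each published application may legitimately start.
ALLOWED_CHILDREN = {"firefox.exe": {"firefox.exe"}}
# Assumed policy: interpreters that ordinary session users should never start.
BLOCKED_FOR_USERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed accounts exempt from the interpreter rule.
ADMIN_USERS = {r"ctx\svc-admin", r"nt authority\system"}


def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return PureWindowsPath(path).name.lower()


def find_breakouts(log_text):
    """Return (rule, user, parent, child) for every suspicious process start."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        parent, child = basename(row["parent"]), basename(row["image"])
        user = row["user"].lower()
        allowed = ALLOWED_CHILDREN.get(parent)
        if allowed is not None and child not in allowed:
            # Rule 1: a published app started something outside its allowlist.
            alerts.append(("unexpected-child", row["user"], parent, child))
        elif child in BLOCKED_FOR_USERS and user not in ADMIN_USERS:
            # Rule 2: a non-exempt user started an interpreter, whatever the parent.
            alerts.append(("interpreter-in-session", row["user"], parent, child))
    return alerts


if __name__ == "__main__":
    for alert in find_breakouts(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

Rule 1 covers the Firefox case regardless of which binary is launched, while rule 2 is parent-agnostic so it also applies to shells started from a contact card link or a shortcut.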

Conclusion

This post provided some insight into common breakout techniques. There are additional methods, such as LOLBins and misconfigured environment variables. The references below could help you harden your terminal services.

References:
1. https://twitter.com/xxbyte/status/1089214985438457865/
2. https://docs.microsoft.com/en-us/previous-versions//cc264467(v=technet.10)?redirectedfrom=MSDN
