Bill Heck is a principal consultant in Optiv’s application security team. Bill specializes in web and mobile application assessments, architecture reviews, and threat models. Bill also plays a lead role in mentoring other appsec team members.
Thank You for the Help!
One of the more influential things in my life that directed me towards a career in information security was the 1983 movie, WarGames. I was already a bit of a computer nerd in the early ’80s, but WarGames opened my eyes to the broad scale of what could be done from the comfort of your home. It wasn’t just about what I could do locally; those ridiculously slow dial-up modems opened up a whole new world of possibilities! The problem is that after reaching the age of reason I realized I had to be the defender for legal reasons, but at least I could be working in the field. Obviously, being on the defense side of the business doesn’t quite have the Hollywood glamour and appeal it would for an attacker, but it’s still being in the game. One of the lines from the movie that always confused me was when David Lightman, the ‘attacker,’ says, “The more complex a system is, the more they have to help you out.” Now I can’t say I’ve ever found this to be true, but it always made me wonder if systems developers thought the same thing when hearing this line. What kind of help are we talking about anyway?
I found myself thinking about this WarGames quote (read on for more context) during a recent test I was performing on a Citrix-delivered application that was built for a very specific purpose: one single input field used for searching for files stored in a single location, and really nothing more than that. The only other item within the application was a print menu…that was it. So, after fuzzing the single input field with everything I could think of and looking for some sort of erroneous response that I could pivot off of, I came up with nothing. This app was doing everything right, no errors, no specific application response to lead me towards some other exploit, no information disclosure, nothing. The only thing left was that print menu.
Like many Citrix-delivered applications or thick client applications that require a print function, the standard Windows print was used. We’ve all seen this a million times:
Of course, my first thought was that there’s nothing here to exploit. I mean, it’s not like I’m looking at some obscure unpatched, out-of-date Windows plug-in that was included with XP. But wait, what about the Find Printer feature? This Citrix application was hosted on some other server, so was it possible to use the Find Printer feature to browse for printers or maybe Active Directory objects? Perhaps I was on to something! Nope. The feature was disabled, as it probably should have been. The only thing left was the Printing Preferences, so I checked that out:
Looking at the preferences for the XPS Document Writer there was a layout tab that didn’t really lead to anything, and two hyperlinks on the XPS Documents tab. The bottom URL was for going online to learn more about XPS Documents. This could lead to Internet browsing sourced from the same server that the Citrix-delivered application was hosted on...nope. Disabled. The only thing left was the Print to the Microsoft XPS Document Writer hyperlink. This actually opened a typical Windows Help pop-up window.
The links to the XPS documents frequently asked questions and the Microsoft XML Paper Specifications website were disabled, nothing happening there. What about that Search Help window at the top? Remember, the more complex a system is, the more it has to help you out, right? Well, even though this is never really the case and that WarGames quote was really just there to help the plot of the story, there it was right in front of me – Search Help. Knowing that the Windows Task Manager can be used to branch off into just about anything, I started there, searching for Task Manager:
I had results from this search, including Open Task Manager. That link led to the Open Task Manager help file including a description of what Task Manager does, and bingo – a link to open Task Manager! I had to laugh a little on this one, true I had no way to enter Task Manager by typing a command, but Windows ‘helped’ me by offering up the link to run it.
Initially I assumed that this was disabled, but sure enough, it wasn’t, and Task Manager launched.
However, this was not my local Task Manager, but instead the Task Manager running on the same host that contains the Citrix-delivered application I was testing. I could now see what was running, and which users were currently logged in to the same host. (Note: The screenshot above only shows Windows Help and Support, so as not to provide details on the application or the client, but it was all there.)
New Task was the next thing to try. I tried running Windows Explorer to see if I could gain access to the local file system, but that was disabled. I also tried directly browsing by opening “c:\”, “d:\” and every other drive letter, but that was disabled as well. I then tried running CMD (command.com) to no avail. I always admired the way you could achieve the same result by using different methods within Windows, such as using a virtual keyboard when keys are disabled, that sort of thing. CMD was disabled, but what about PowerShell?
Interestingly, trying to run PowerShell did open a new window but stated that it was disabled. But I found that pressing any key opened PowerShell anyway – jackpot!
Not only did PowerShell run, but it ran as the system administrator. From there I was able to run pretty much anything I wanted including MSINFO32.exe to gather some basic host information like drives, environment variables, shares, running tasks that may not have shown up in the Task Manager, etc.
Net share also worked:
I also tried writing a simple text file to the local “C:\” drive and that worked. At this point I owned this box, and also owned the numerous other Citrix-delivered applications that, as I found out, were hosted on the same box. Unlike in the movies, the ‘attack’ had to stop there as I already was at the point where I could do just about anything, so I had to write up the results and notify the client.
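The chain described above (published application, Windows Help and Support, Task Manager, PowerShell, then `net share`) leaves a distinctive parent/child trail in process-creation telemetry on the session host. The script below is an added example for defenders and is not Optiv’s code or part of the original post: it replays a handful of constructed process-creation events (shaped loosely like Sysmon Event ID 1 or Windows 4688 records) and flags any interactive tool whose ancestry passes through the help process. The process names (`HelpPane.exe` as the Windows Help and Support host, `FileSearch.exe` as the published app), PIDs, paths and user names are assumptions made for the sample, not values taken from the engagement.

```python
"""Detect interactive tools launched from underneath Windows Help and Support.

Added detection example (not the original post's code). Replays constructed
process-creation events from one Citrix session host and reports every
breakout tool (Task Manager, PowerShell, cmd, net, ...) whose parent chain
runs through the help process. All names, PIDs and users are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Executable behind "Windows Help and Support" (assumed name for the sample).
HELP_PROCESS = "helppane.exe"

# Tools a user of a locked-down published app should never be able to reach.
BREAKOUT_TOOLS = {
    "taskmgr.exe", "cmd.exe", "powershell.exe", "powershell_ise.exe",
    "explorer.exe", "msinfo32.exe", "net.exe",
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str   # full path of the newly created process
    user: str    # account the process runs as


# Constructed sample telemetry from one session host (not real data).
# PIDs are unique here; real telemetry should key on process GUIDs because
# Windows reuses PIDs.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 4, r"C:\Windows\explorer.exe", r"CTXHOST\jdoe"),
    ProcEvent(200, 100, r"C:\PublishedApps\FileSearch.exe", r"CTXHOST\jdoe"),
    # Help opened from the XPS Document Writer printing preferences.
    ProcEvent(300, 200, r"C:\Windows\HelpPane.exe", r"CTXHOST\jdoe"),
    # "Open Task Manager" link followed from inside the help pane.
    ProcEvent(400, 300, r"C:\Windows\System32\taskmgr.exe", r"CTXHOST\jdoe"),
    # New Task -> PowerShell, then net share from the PowerShell prompt.
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CTXHOST\jdoe"),
    ProcEvent(600, 500, r"C:\Windows\System32\net.exe", r"CTXHOST\jdoe"),
    # Benign: a help lookup that spawns nothing, and an ordinary editor.
    ProcEvent(700, 100, r"C:\Windows\HelpPane.exe", r"CTXHOST\jdoe"),
    ProcEvent(800, 100, r"C:\Windows\System32\notepad.exe", r"CTXHOST\jdoe"),
]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Return [process, parent, grandparent, ...] as far as telemetry reaches.

    The seen-set guards against cycles that PID reuse can introduce.
    """
    chain: List[ProcEvent] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect_help_breakouts(events: List[ProcEvent]) -> List[dict]:
    """Flag breakout tools whose ancestry includes the help process.

    explorer.exe at the root of the session is in BREAKOUT_TOOLS but has no
    help ancestor, so the ancestry test (not the name alone) decides.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) not in BREAKOUT_TOOLS:
            continue
        names = [basename(a.image) for a in ancestry(by_pid, e.pid)]
        if HELP_PROCESS in names[1:]:          # help process is an ancestor
            findings.append({
                "pid": e.pid,
                "tool": names[0],
                "user": e.user,
                "chain": " -> ".join(reversed(names)),   # root first
            })
    return findings


if __name__ == "__main__":
    for f in detect_help_breakouts(SAMPLE_EVENTS):
        print(f"pid {f['pid']:<5} {f['tool']:<16} {f['user']:<14} {f['chain']}")
```

On the sample data this reports three processes (Task Manager, PowerShell and net.exe) and ignores the help lookup that spawned nothing, so the rule fires on the breakout rather than on ordinary use of Windows Help. In production the same logic belongs in the SIEM query over real process-creation events; pairing it with a preventive control (blocking Task Manager and PowerShell for the published-app account) is the more durable fix.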
Looking back and thinking of that never-true David Lightman quote from WarGames about having to offer more help if a system was complex, I suppose you can say that still wasn’t true here, as this app wasn’t complex at all. When I thought I had hit a roadblock, Windows Help ‘helped’ me right into owning the host server by offering nothing more than a printer help feature, buried in the XPS Documents properties. As a security tester, never assume you’ve got nothing when something staring directly at you is leading to an exploit, even if the intention is just to help the user.
There are numerous other commonly seen methods for breaking out of a Citrix application. My next blog post will focus on some of those other methods, as well as defense strategies.