Citrix holes endanger Government and Military systems

Military and government systems use Citrix technology to serve GUIs. That would not be a problem in itself, were it not for the recent finding that Citrix technology has, in the words of Petko D. Petkov, the man who pinned down the problems, “holes you could drive a bus through.”

Petko D. Petkov, more commonly known as “pdp”, recently went on a rampage, hacking into Citrix GUIs and playing with .ica files, and kindly posted the results on his blog. He searched Google and Yahoo for public .ICA files and found “tons” of wide-open services, some of them, quite unnervingly, on government and military sites. These ICA files provide information about the server, the underlying transport mechanism and the remote application that will be opened. This pretty much allows hacking like in the good ol' days with NetBIOS. Petkov was furious, and with good reason: it's the year 2007, and a step backwards like this should not be tolerated.

Citrix technology is omnipresent nowadays, with Windows desktops and applications relying on Citrix Presentation Server (previously MetaFrame). The ICA protocol handles the interaction between the server and its clients. ICA is also available for multiple Unix servers and can be used to access applications on those platforms as well.

The problem lies in how widely Citrix is used: most people would prefer Citrix over XHTML, JavaScript and CSS to make applications available on the net. Citrix had not addressed these issues at the time Petkov posted his observations. Perhaps the bigger part of the problem is not Citrix technology itself, but administrators who fail to secure their systems.
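
A defensive check for the exposure described above, as an added example that is not from the original article or from Petkov's post: it parses an ICA file an administrator has found published on their own site and lists the fields that disclose the server, transport and remote application, flagging embedded credentials without echoing them. The key names and the sample file are assumptions constructed for illustration.

```python
import configparser

# Assumed ICA key names (not listed in the article), lowercased because
# configparser normalises option names to lowercase.
DISCLOSURE_KEYS = {
    "address": "server address",
    "transportdriver": "transport mechanism",
    "initialprogram": "remote application",
}
CREDENTIAL_KEYS = {"username", "domain", "password", "clearpassword"}

# Constructed sample: an INI-style ICA file using a documentation IP range.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Payroll=

[Payroll]
Address=192.0.2.10:1494
InitialProgram=#Payroll
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
Username=svc_payroll
ClearPassword=example-only
"""

def audit_ica(text):
    """Return (section, key, category, value) tuples for sensitive fields."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if not value:
                continue  # empty entries such as "Payroll=" disclose nothing
            if key in DISCLOSURE_KEYS:
                findings.append((section, key, DISCLOSURE_KEYS[key], value))
            elif key in CREDENTIAL_KEYS:
                # Report presence only; never copy secrets into a report.
                findings.append((section, key, "embedded credential", "<redacted>"))
    return findings

if __name__ == "__main__":
    for section, key, category, value in audit_ica(SAMPLE_ICA):
        print(f"[{section}] {key}: {category} -> {value}")
```

Any finding from a file reachable without authentication means the file should be taken off the public web root or regenerated without the sensitive fields.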
