Public info kiosk running Citrix hacked in demo

Public information kiosks are supposed to allow users to find out more about a company or government agency, and that's all. But on Saturday afternoon, Shanit Gupta, a senior consultant at McAfee Foundstone, demonstrated several ways that he and others have been able to map the internal network on a system running XenApp, formerly Citrix Presentation Server.

On the demonstration screen at ShmooCon, a US computer hacking conference, Gupta showed how the familiar toolbars and browser frame are missing on a system running XenApp. The idea is that on a kiosk the public can click on links only within the single page. But if there's a keyboard or a mouse present, which there often is, Gupta was able to open additional sites, exposing the internal network.

Starting with Ctrl-H, he was able to pull up the browser's history. If the history revealed no outside search engines like Google, one could also type Ctrl-O and then type in Google there. If all else fails, one could also hit Ctrl-N and open a new tab, which will show the usual address bar and toolbar for navigation.

Opening a Web site not on the public tour could allow an attacker to download and install Nmap and run a port scan of the internal network. If the browser supports JavaScript, one could also run a JavaScript port scanner.

Typing Ctrl-P calls up the printer; however, Gupta pointed out it is also possible to save to file there and, while doing so, see the internal network.

No keyboard, no problem: Gupta says simply right-click on any image and choose "Save As".

Citrix says on its site that when running XenApp, "built-in endpoint scans and policy controls take into account each user's role, device characteristics and network conditions to determine which applications and data they are authorised to access". However, Gupta said that the flaws were first called to his attention at a government agency. Using the standard Internet Explorer keyboard hotkeys, Gupta and a partner were able to see inside the agency's network.
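
For administrators of such kiosks, the following added example (not from Gupta's talk or from Citrix) audits whether the Internet Explorer policy restrictions matching the escape paths above are actually enforced rather than just hidden. The mapping of each hotkey to a Restrictions value is this example's assumption and should be confirmed on the deployed IE version; Ctrl-H is left out because no policy value is asserted for it here.

```powershell
# Added example: audit IE "Restrictions" policy values for a kiosk session.
# Run inside the published kiosk session, as the kiosk user.
$roots = @(
    'HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
)

# Escape path from the article -> policy value expected to be 1.
# (Mapping is an assumption of this example, not taken from the article.)
$checks = [ordered]@{
    'Ctrl-O (open a location)'        = 'NoFileOpen'
    'Ctrl-N (new browser window)'     = 'NoFileNew'
    'Ctrl-P (print, save to file)'    = 'NoPrinting'
    'Right-click on an image'         = 'NoBrowserContextMenu'
    'Save As dialog'                  = 'NoBrowserSaveAs'
}

function Get-RestrictionValues {
    # Returns every value found for $Name under either policy hive.
    param([string]$Name)
    foreach ($root in $roots) {
        $item = Get-ItemProperty -Path $root -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { [int]$item.$Name }
    }
}

$report = foreach ($path in $checks.Keys) {
    $name   = $checks[$path]
    $values = @(Get-RestrictionValues -Name $name)
    [pscustomobject]@{
        EscapePath = $path
        Policy     = $name
        Found      = if ($values.Count) { $values -join ',' } else { '(not set)' }
        # Restricted only if a hive explicitly sets the value to 1.
        Status     = if ($values -contains 1) { 'restricted' } else { 'OPEN' }
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code lets a deployment pipeline fail on an unhardened image.
if ($report.Status -contains 'OPEN') { exit 1 }
```

Any row reported as OPEN means the corresponding feature is at most hidden by the kiosk chrome and still reachable from a keyboard or mouse.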

Talkback 4 comments

    This is not a "HACK" Matt -- 19/02/08

    This is just an example of poor setup, poor security.

    It uses the standard features of the product which have been hidden but not disabled.

    Nothing in the software was "hacked".

    A basic system admin with basic knowledge could have done this.

    Another Shining example of ZDNET's "Journalism" Anonymous -- 19/02/08

    Wow, what a poorly written article. Nothing stated here was a real hack; it was just a series of poorly configured Windows policies.

    At least be accurate Anonymous -- 28/02/08 (in reply to #320095804)

    It was another shining example of news.com's journalism.

    ROFL!

    Invitation to Stupidity Jeff Davis -- 21/02/08

    This is another example of marketing stupidity as expertise. The kiosk was obviously set up by a primary school student.

    Although a number of agencies and commercial offerings would have this as a vulnerability, the problem is to do with substandard deployments and solutions and has nothing to do with vulnerabilities.
    The minute the shortcut keys are noticed as accessible, the next step of investigation is to go back to the responsible designers and implementation teams and have them replaced with competent staff.
    These sorts of problems are usually related to the financial management concerns which compromise the intended solutions, leaving them unfinished or shortcut in their own delivery.
    Demonstrating this as a vulnerability is like standing on a land mine and expressing surprise at the loss of limbs.
