Archive for the 'Citrix' Category

Enforcing Java Security Manager in Restricted Windows Environments?

Friday, December 8th, 2006

Lately I came across several Citrix and Terminal Server projects which provide a restricted set of applications to their users. This is achieved using Windows Software Restriction Policies or AppSense Application Manager to white or black list executables.

One of these permitted binaries is often java.exe. The problem is that once Java is enabled, any Java application can be executed on the system. This allows a malicious user to run arbitrary Java code, such as replacement shells (JSH), RDP clients (Propero Java RDP) and network port scanners. I could block java.exe, but business requires that the company’s Java application must still work. This led me into this research on how to white list Java applications in a restricted Windows environment.


Compass Security Event 2005 - Terminal Server Application Break-Out

Thursday, November 3rd, 2005

Citrix MetaFrame and Terminal Server technology is often used as a component in protecting critical applications. Its main feature is protocol conversion, which allows access to an application by means of keyboard input and screen output only.

One application of these technologies is their use in graphical firewalls for safely surfing the internet without the risk of infecting the user’s computer with malware. Another is to implement extranet access for employees and business partners. In all these scenarios the users are not granted full desktop access and can use particular applications only. But the restrictions are often implemented poorly and allow a malicious user to easily escape the context of the application and gain desktop access, and ultimately intranet access.

At the Compass Security Event in 2005 I demonstrated how a malicious user can escape the context of the application using standard Windows shortcuts, and how Office macro and copy-paste functionality can be used to transfer arbitrary malicious software onto the terminal server and binary data out of it. As a bonus I demonstrated the QRCode FTP utility I wrote for my diploma thesis, which allows transferring files out of the terminal server via animated 2D matrix codes. For more details see the slides, which are available in German or English. A demonstration video of QRCode FTP is available for download as well (15 MB).