what we are going to talk about
play

What we are going to talk about? New tool released at Blackhat - PowerPoint PPT Presentation

Nov 28, 2022 •421 likes •802 views

What we are going to talk about? New tool released at Blackhat Canape What is Citrix ICA? In Canape: MitM ICA Fuzz ICA Exploit ICA 0 Day What is Canape? Binary Network Application Testing Tool Existing

  2. What we are going to talk about? • New tool released at Blackhat – Canape • What is Citrix ICA? • In Canape: – MitM ICA – Fuzz ICA – Exploit ICA • 0 Day

  3. What is Canape? • Binary Network Application Testing Tool • Existing tools: – HTTP proxies (e.g. CAT) – Echo Mirage – Python libraries – Custom code – Wireshark • Why a new tool? – Has these features and more – All driven through a GUI • And it’s free!

  4. How does it MitM? • MitM support: – SOCKS – Port forwarding – TCP, UDP, HTTP, Broadcast – SSL • Pipelines

  5. What is ICA? • Protocol used for Citrix XenApp and XenDesktop products • Remote desktop and applications • Uses a bespoke client • Needs a suitable configuration file to connect

  6. Citrix Web Interface

  7. The ICA File [WFClient] Version=2 TcpBrowserAddress=10.0.131.190 ICASOCKSProtocolVersion=0 ICASOCKSProxyHost=127.0.0.1 ICASOCKSProxyPortNumber=1080 [ApplicationServers] 10.0.131.190= [10.0.131.190] Address=10.0.131.190 InitialProgram=

  8. Demo 1 • MitM ICA traffic

  9. ICA Protocol • Stream based protocol • Single TCP stream • Phases – Hello – Negotiation – Main stream • Encrypted • Compressed • Multiplexed

  10. Demo 2 • Handling state transitions

  11. ICA Main Protocol • Main protocol is wrapped in a simple frame • 12 bit byte length • 4 bit flags

  12. Demo 3 • Parsing the framing

  13. Basic ‘Encryption’

  14. The ‘Encryption’

  15. Encryption Diagram KEY | X0 X1 X2 X3 0x43 Key P0 P1 P2 P3

  16. Demo 4 • MitM the encrypted XOR stream

  17. Compression • Registry key – HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\Configuration\Advanced\Modules \TCP/IP\Compress = Off

  18. Demo 5 • Downgrade to no compression • Replace: – 0x00 0x10 0x12 => 0x00 0x00 0x00

  19. Key Press 0x0a 0x1e 0x04 0xfe A Type Scan Code ? End Marker 0x0a 0x9e 0x04 0xfe

  20. Mouse Movement 0x0d 0x2acd 0x1fa7 0x01 0x0C 0xfe Type X Coordinate Y Coordinate Button State ? End Marker Button State 01 – No Buttons 02 – Press Left 04 – Release left 08 – Press Right 10 – Release Right

  21. Fuzzing • Standard fuzzing – But we are in the encrypted and compressed stream • Byte fuzzing

  22. Demo 6 • Fuzz the contents of the encrypted stream

  24. Example Citrix ICA Client Bug • Old, reported February 2008 • Fixed August 2010 • Affected clients on: – Windows – Mac – Linux – Solaris – Windows Mobile • Demo on Windows XP SP2 http://support.citrix.com/article/CTX125975

  26. We Control

  27. Offset Value Control Offset: AAAA 0: Offset1 0: Offset1 0: Func1 1: Offset2 1: Offset2 1: Func2 2: Offset3 2: Offset3 2: Func3 XXXX YYYY AAAA CALL EAX Value: XXXX Value: YYYY Value: EAX

  28. Demo 7 • Brute force the value to find a heap offset

  29. Heap Spray Heap Used Memory 000000000 NOP Shell Code Header Heap Spray 000000000 NOP Shell Code Header call eax 000000000 Header NOP Shell Code 000000000

  30. Easy Heap Spray Packet Buffer LONG LEN DATA DATA LEN LEN TYPE DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA Packet Copied DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA

  31. Heap Header Valid Pointer 0000 => ADD BYTE PTR [EAX],AL Segment Size Prev Size Cookie Flags Unused Index 0 2 4 5 6 7 8 Control Heap Spray Size Random 81 00 => ADD DWORD PTR DS:[EAX], PrevSize_Cookie_Flags

  32. Exec Heap Header EAX pointer to valid memory Our NOP Sled and Shellcode

  33. Demo 8 "Root" • HTTP send ICA file • Replay negotiation • Prime the heap – large packet • Spray the heap x 5000 – small packet big Len • Send payload trigger packet

  34. Demo 9 "Other Examples" • The Power of Canape!

  35. Demo 10 "0Day" • Demo only, sorry 

  36. Questions • Please fill in your feedback forms

  37. References • http://canape.contextis.com • Twitter: @ctxis • Email: canape@contextis.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most

Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most

Leadership and Your Inner Monologue: Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most powerful influence. When did you wake up thinking like this? Change is a Dirty Word for women. 1. Think

673 views • 21 slides
Athenians talk like this, but Thessalians talk like this: What the Attic plays tell us about

Athenians talk like this, but Thessalians talk like this: What the Attic plays tell us about

Athenians talk like this, but Thessalians talk like this: What the Attic plays tell us about sociolinguistics in Ancient Greek discourse Phillip Barnett & Taha Husain University of Kentucky Introduction As drama is intended to represent

440 views • 7 slides
minimize use of terminology Structuring Your Talk use pictures/examples/props if possible

minimize use of terminology Structuring Your Talk use pictures/examples/props if possible

Why Are We Here? For your work to have significant impact, it is How to Give a Good Research Talk essential that you can convey results to your community Your technical reputation depends on colleagues reaction to your talk

905 views • 6 slides
My presentation AB123C Outline Talk about giving a talk A tool to plan and hold

My presentation AB123C Outline Talk about giving a talk A tool to plan and hold

My presentation AB123C Outline Talk about giving a talk A tool to plan and hold presentations: AB123C The blackboard vs. slides The talk A mathematical talk is a presentation of your results in oral form Very different from

320 views • 21 slides
Le Lets t talk a abou out ho how w we e talk abo bout ut men ental hea health.

Le Lets t talk a abou out ho how w we e talk abo bout ut men ental hea health.

Le Lets t talk a abou out ho how w we e talk abo bout ut men ental hea health. h. ROADMAP FOR TODAY - How Illinois Outpatient Laws Can (and Should) Break Our Inpatient Cycles - Incorporating Advance Directives Into

608 views • 35 slides
Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the standard of holiness established by God and evidenced by Jesus. We can never live deeply until we Walk the talk. deal with our sin. The ethical test

662 views • 26 slides
A Talk about How to Give a Talk Part II Bertram Fronhfer International Center for

A Talk about How to Give a Talk Part II Bertram Fronhfer International Center for

A Talk about How to Give a Talk Part II Bertram Fronhfer International Center for Computational Logic Technische Universitt Dresden Germany Bertram Fronhfer A Talk about How to Give a Talk Part II 1 Overview Part I How to

549 views • 21 slides
Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more

Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more

Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more detail The experience of a coding sprint Unsupervised acoustic unit discovery for speech synthesis using discrete latent-variable neural

1.74k views • 110 slides
Repair and Lining in the 21 st Century What we talk about when we talk about lining CUPA

Repair and Lining in the 21 st Century What we talk about when we talk about lining CUPA

Repair and Lining in the 21 st Century What we talk about when we talk about lining CUPA Conference 2018 Tom Henderson Engineering Geologist State Water Resources Control Board UST Leak Prevention Unit February 2018 Why Should You Care?

1.2k views • 52 slides
Why Talk to Customers? Nick Kolobutin Why Talk to Customers? What is a Startup? A temporary

Why Talk to Customers? Nick Kolobutin Why Talk to Customers? What is a Startup? A temporary

Why Talk to Customers? Nick Kolobutin Why Talk to Customers? What is a Startup? A temporary organization in search of a scalable, repeatable, profitable business model Startups are Risky Greater than 90% of products fail today

979 views • 54 slides
Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me Drupal; Using Drupal to power a Voice App You should be able to follow along by visiting the link below. If you have an Echo device, please mute the

1.67k views • 87 slides
Plan of the talk Plan of the talk The geometry of the hot X-ray corona Strong gravity and

Plan of the talk Plan of the talk The geometry of the hot X-ray corona Strong gravity and

The X-ray polarimetric view of the AGN central engine Giorgio Matt (Universit Roma Tre, Italy) Plan of the talk Plan of the talk The geometry of the hot X-ray corona Strong gravity and the BH spin The orientation of the torus

462 views • 17 slides
Aleksander Mdry What will this talk be about? At a

Aleksander Mdry What will this talk be about? At a

Interior-point Methods and the Maximum Flow Problem Aleksander Mdry What will this talk be about? At a first glance: It is just a talk

708 views • 45 slides
More advanced application techniques, using Swift about this talk Talk about project that I

More advanced application techniques, using Swift about this talk Talk about project that I

More advanced application techniques, using Swift about this talk Talk about project that I spend most of my time working on: Swift Use that to introduce some more general concepts in describing applications and in executing

1.61k views • 64 slides
Standardization Kate Mueller, Director of Product Development What we talk about when we talk

Standardization Kate Mueller, Director of Product Development What we talk about when we talk

Standardization Kate Mueller, Director of Product Development What we talk about when we talk about standard- ization Dont try to 8ix a people/ process problem with a technical solution. Treat it like any other project.

559 views • 4 slides
talk lk listen take part Communication is is at the heart of all ll we do The Talking

talk lk listen take part Communication is is at the heart of all ll we do The Talking

talk lk listen take part Communication is is at the heart of all ll we do The Talking Journey But learning to talk doesnt happen by accident it needs you to make this happen. Talk Together Comments not questions Give them

708 views • 22 slides
GWSA IAC Meeting March 7, 2019 Agenda Review draft meeting minutes of December 6, 2018

GWSA IAC Meeting March 7, 2019 Agenda Review draft meeting minutes of December 6, 2018

GWSA IAC Meeting March 7, 2019 Agenda Review draft meeting minutes of December 6, 2018 Brief updates from state agencies and IAC working groups Presentation and Q&A of the Commission on the Future of Transportations reports

260 views • 9 slides
ICA Mountain Cartography Workshop Ban f, 2 -24 April 2014 MAP ING NEW ZEALAND's GREAT WALKS

ICA Mountain Cartography Workshop Ban f, 2 -24 April 2014 MAP ING NEW ZEALAND's GREAT WALKS

ICA Mountain Cartography Workshop Ban f, 2 -24 April 2014 MAP ING NEW ZEALAND's GREAT WALKS Roger Smith Geographx ICA Mountain Cartography Workshop Ban f, 2 -24 April 2014 On the Routeburn Track ICA Mountain Cartography Workshop Ban f, 2

687 views • 21 slides
Disclosures Your Patient Has Carotid Bulb Stenosis and a Chief Medical Officer: ChemoFilter

Disclosures Your Patient Has Carotid Bulb Stenosis and a Chief Medical Officer: ChemoFilter

4/16/2015 Disclosures Your Patient Has Carotid Bulb Stenosis and a Chief Medical Officer: ChemoFilter Scientific advisory: Medina Medical Tandem Intracranial Stenosis: Consulting: Stryker Neurovascular, Silk Road Medical How Do

399 views • 10 slides
WindMine: Fast and Effective Mining of Web-click Sequences Yasushi Sakurai (NTT) Lei Li

WindMine: Fast and Effective Mining of Web-click Sequences Yasushi Sakurai (NTT) Lei Li

WindMine: Fast and Effective Mining of Web-click Sequences Yasushi Sakurai (NTT) Lei Li (Carnegie Mellon Univ.) Yasuko Matsubara (Kyoto Univ.) Christos Faloutsos (Carnegie Mellon Univ.) SDM 2011 Y . Sakurai et al. 1 Introduction Web-click

472 views • 23 slides
Principle ERP reduction and analysis Estimating and using principle ERP waveforms underlying ERPs

Principle ERP reduction and analysis Estimating and using principle ERP waveforms underlying ERPs

Principle ERP reduction and analysis Estimating and using principle ERP waveforms underlying ERPs across tasks, subjects, and electrodes Emilie Campos Department of Biostatistics University of California, Los Angeles Joint work with: Chad

743 views • 62 slides
Deep Learning Y LeCun & Convolutional Networks In Vision (part 2) VRML, Paris 2013 -07-23

Deep Learning Y LeCun & Convolutional Networks In Vision (part 2) VRML, Paris 2013 -07-23

Deep Learning Y LeCun & Convolutional Networks In Vision (part 2) VRML, Paris 2013 -07-23 Yann LeCun Center for Data Science & Courant Institute, NYU yann@cs.nyu.edu http://yann.lecun.com Y LeCun Energy-Based Unsupervised Learning

1.15k views • 72 slides
New Opportunities in Industrial Cooperation in Israel Th The indus e industrial cooperat trial

New Opportunities in Industrial Cooperation in Israel Th The indus e industrial cooperat trial

New Opportunities in Industrial Cooperation in Israel Th The indus e industrial cooperat trial cooperation ion re regu gulations lations Thre hreshold shold Valu alue 35%-50% of transaction value Initial transaction: $5m (20%

180 views • 13 slides
Improvement of instruments and capacity-building activities under the CHAIN-project S. UeNo , K.

Improvement of instruments and capacity-building activities under the CHAIN-project S. UeNo , K.

Improvement of instruments and capacity-building activities under the CHAIN-project S. UeNo , K. Shibata, K. Ichimoto, A. Asai, S. Nagata, G. Kimura, Y. Nakatani, K. Otsuji, T. T. Ishii, D. Seki , D.P. Cabezas H. (Kyoto Univ., Japan), J.K.

591 views • 25 slides

More recommend