Citrix Receiver Local Drive Access



Citrix for remote access

During a recent engagement I was asked to perform a penetration test of a Citrix environment. One particular requirement of this test was to see whether I could transfer files back and forth between my local computer and the remote environment.

You must connect to an application on your Citrix server and then go into the Connection Center through the Citrix client and change a permission setting. To get there, open the tool tray and find the black Citrix icon, right click and click “About” on the pop-up menu. However, when using WS(1911) connecting to a 715CU4 site and then to a desktop or server vda running VDA 1912 the user can transfer files between the local client and Citrix session! If you connect to the same desktop or server vda from a local client running Citrix Receiver, then the policy prohibits file transfer as expected! Choose, ‘Change Citrix Receiver’ c. Next you will need to ‘Detect Receiver’, click that button d. If you already have the Citrix Receiver installed, it will take you back to your EZClaim application where you can launch the program and your printer will be accessible again. 6) At this stage it is now possible to access the local USB drive within the Citrix environment. 7) Using copy and paste functionality, I copied the TEST.txt file to the Desktop of the Citrix environment. 8) The TEST.txt file is therefore available on the Desktop of the Citrix environment.

The easiest way to transfer data was through their web proxy. Although it implemented some sort of web filtering, Internet access was allowed. I encrypted a document in a zip file and then uploaded it to a web server controlled by Dionach. This allowed me to bypass the filters and accomplish the goal.

Access

However, the client requested if it was possible to achieve the same result but not using Internet Explorer. I explained them that another way was via Outlook. By attaching the encrypted document in an email it was possible to transfer the file to an attacker’s email address.

Not entirely convinced, the client asked me if there was another method in case within Citrix environment Internet access was completely denied.

Citrix Receiver Local Drive Access Speed

I started messing around with Citrix preferences and settings. When you connect to the remote machine via Citrix on top of the Desktop Viewer there some configurations settings, but unfortunately it didn’t let me get very far.

Copy and Paste was disabled and I could not drag and drop files. However, eventually I came up with this solution which allowed me to transfer files quite easily via USB redirection. The steps are:

Citrix Receiver Local Drive AccessDisable

1) Connect a USB drive to the local machine.

2) Open “Connection Center” by right-clinking the Citrix icon in the Notification Area on bottom right of the Windows taskbar.

3) Click “Connection Center” under Advanced tab.

4) Inside “Connection Center” expands all the options. In my case I had the option to launch an instance of Microsoft OneNote 2010 by double clicking on the icon.

Citrix Receiver Local Drive Access

5) Inside Microsoft OneNote, go to “open” and then “browse”.

Citrix Receiver Allow Local Drive Access

6) At this stage it is now possible to access the local USB drive within the Citrix environment.

7) Using copy and paste functionality, I copied the TEST.txt file to the Desktop of the Citrix environment.

Citrix Local Drive Mapping

8) The TEST.txt file is therefore available on the Desktop of the Citrix environment.

9) The same process can be used to copy files from the Citrix environment to the local computer.

Citrix Receiver Local Drive Access

In this particular case Citrix allowed me to map local USB drives, highlighting a poor configuration of Citrix. The following articles provide further information on how to enable and disable USB redirection.

https://support.citrix.com/article/CTX137939
https://support.citrix.com/proddocs/topic/xenapp-xendesktop-76/xad-hdx-usb-cdm.html

Citrix Receiver Access Local Drive

Dionach recommend that Citrix environments are regularly tested in order to find vulnerabilities which can be used by attackers such as a rogue employee. As it happened in this case, by breaking out of the Citrix environment, it allowed the Dionach consultant to have a foothold in the internal network and eventually to compromise the entire domain.