what we are going to talk about
play

What we are going to talk about? New tool released at Blackhat - PowerPoint PPT Presentation

Nov 28, 2022 •421 likes •802 views

What we are going to talk about? New tool released at Blackhat Canape What is Citrix ICA? In Canape: MitM ICA Fuzz ICA Exploit ICA 0 Day What is Canape? Binary Network Application Testing Tool Existing

  2. What we are going to talk about? • New tool released at Blackhat – Canape • What is Citrix ICA? • In Canape: – MitM ICA – Fuzz ICA – Exploit ICA • 0 Day

  3. What is Canape? • Binary Network Application Testing Tool • Existing tools: – HTTP proxies (e.g. CAT) – Echo Mirage – Python libraries – Custom code – Wireshark • Why a new tool? – Has these features and more – All driven through a GUI • And it’s free!

  4. How does it MitM? • MitM support: – SOCKS – Port forwarding – TCP, UDP, HTTP, Broadcast – SSL • Pipelines

  5. What is ICA? • Protocol used for Citrix XenApp and XenDesktop products • Remote desktop and applications • Uses a bespoke client • Needs a suitable configuration file to connect

  6. Citrix Web Interface

  7. The ICA File [WFClient] Version=2 TcpBrowserAddress=10.0.131.190 ICASOCKSProtocolVersion=0 ICASOCKSProxyHost=127.0.0.1 ICASOCKSProxyPortNumber=1080 [ApplicationServers] 10.0.131.190= [10.0.131.190] Address=10.0.131.190 InitialProgram=

  8. Demo 1 • MitM ICA traffic

  9. ICA Protocol • Stream based protocol • Single TCP stream • Phases – Hello – Negotiation – Main stream • Encrypted • Compressed • Multiplexed

  10. Demo 2 • Handling state transitions

  11. ICA Main Protocol • Main protocol is wrapped in a simple frame • 12 bit byte length • 4 bit flags

  12. Demo 3 • Parsing the framing

  13. Basic ‘Encryption’

  14. The ‘Encryption’

  15. Encryption Diagram KEY | X0 X1 X2 X3 0x43 Key P0 P1 P2 P3

  16. Demo 4 • MitM the encrypted XOR stream

  17. Compression • Registry key – HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\Configuration\Advanced\Modules \TCP/IP\Compress = Off

  18. Demo 5 • Downgrade to no compression • Replace: – 0x00 0x10 0x12 => 0x00 0x00 0x00

  19. Key Press 0x0a 0x1e 0x04 0xfe A Type Scan Code ? End Marker 0x0a 0x9e 0x04 0xfe

  20. Mouse Movement 0x0d 0x2acd 0x1fa7 0x01 0x0C 0xfe Type X Coordinate Y Coordinate Button State ? End Marker Button State 01 – No Buttons 02 – Press Left 04 – Release left 08 – Press Right 10 – Release Right

  21. Fuzzing • Standard fuzzing – But we are in the encrypted and compressed stream • Byte fuzzing

  22. Demo 6 • Fuzz the contents of the encrypted stream

  24. Example Citrix ICA Client Bug • Old, reported February 2008 • Fixed August 2010 • Affected clients on: – Windows – Mac – Linux – Solaris – Windows Mobile • Demo on Windows XP SP2 http://support.citrix.com/article/CTX125975

  26. We Control

  27. Offset Value Control Offset: AAAA 0: Offset1 0: Offset1 0: Func1 1: Offset2 1: Offset2 1: Func2 2: Offset3 2: Offset3 2: Func3 XXXX YYYY AAAA CALL EAX Value: XXXX Value: YYYY Value: EAX

  28. Demo 7 • Brute force the value to find a heap offset

  29. Heap Spray Heap Used Memory 000000000 NOP Shell Code Header Heap Spray 000000000 NOP Shell Code Header call eax 000000000 Header NOP Shell Code 000000000

  30. Easy Heap Spray Packet Buffer LONG LEN DATA DATA LEN LEN TYPE DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA Packet Copied DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA

  31. Heap Header Valid Pointer 0000 => ADD BYTE PTR [EAX],AL Segment Size Prev Size Cookie Flags Unused Index 0 2 4 5 6 7 8 Control Heap Spray Size Random 81 00 => ADD DWORD PTR DS:[EAX], PrevSize_Cookie_Flags

  32. Exec Heap Header EAX pointer to valid memory Our NOP Sled and Shellcode

  33. Demo 8 "Root" • HTTP send ICA file • Replay negotiation • Prime the heap – large packet • Spray the heap x 5000 – small packet big Len • Send payload trigger packet

  34. Demo 9 "Other Examples" • The Power of Canape!

  35. Demo 10 "0Day" • Demo only, sorry 

  36. Questions • Please fill in your feedback forms

  37. References • http://canape.contextis.com • Twitter: @ctxis • Email: canape@contextis.com

Recommend

Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most

Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most

Leadership and Your Inner Monologue: Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most powerful influence. When did you wake up thinking like this? Change is a Dirty Word for women. 1. Think

673 views • 21 slides
Athenians talk like this, but Thessalians talk like this: What the Attic plays tell us about

Athenians talk like this, but Thessalians talk like this: What the Attic plays tell us about

Athenians talk like this, but Thessalians talk like this: What the Attic plays tell us about sociolinguistics in Ancient Greek discourse Phillip Barnett & Taha Husain University of Kentucky Introduction As drama is intended to represent

440 views • 7 slides
minimize use of terminology Structuring Your Talk use pictures/examples/props if possible

minimize use of terminology Structuring Your Talk use pictures/examples/props if possible

Why Are We Here? For your work to have significant impact, it is How to Give a Good Research Talk essential that you can convey results to your community Your technical reputation depends on colleagues reaction to your talk

905 views • 6 slides
My presentation AB123C Outline Talk about giving a talk A tool to plan and hold

My presentation AB123C Outline Talk about giving a talk A tool to plan and hold

My presentation AB123C Outline Talk about giving a talk A tool to plan and hold presentations: AB123C The blackboard vs. slides The talk A mathematical talk is a presentation of your results in oral form Very different from

320 views • 21 slides
Le Lets t talk a abou out ho how w we e talk abo bout ut men ental hea health.

Le Lets t talk a abou out ho how w we e talk abo bout ut men ental hea health.

Le Lets t talk a abou out ho how w we e talk abo bout ut men ental hea health. h. ROADMAP FOR TODAY - How Illinois Outpatient Laws Can (and Should) Break Our Inpatient Cycles - Incorporating Advance Directives Into

608 views • 35 slides
Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the standard of holiness established by God and evidenced by Jesus. We can never live deeply until we Walk the talk. deal with our sin. The ethical test

662 views • 26 slides
A Talk about How to Give a Talk Part II Bertram Fronhfer International Center for

A Talk about How to Give a Talk Part II Bertram Fronhfer International Center for

A Talk about How to Give a Talk Part II Bertram Fronhfer International Center for Computational Logic Technische Universitt Dresden Germany Bertram Fronhfer A Talk about How to Give a Talk Part II 1 Overview Part I How to

549 views • 21 slides
Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more

Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more

Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more detail The experience of a coding sprint Unsupervised acoustic unit discovery for speech synthesis using discrete latent-variable neural

1.74k views • 110 slides
Repair and Lining in the 21 st Century What we talk about when we talk about lining CUPA

Repair and Lining in the 21 st Century What we talk about when we talk about lining CUPA

Repair and Lining in the 21 st Century What we talk about when we talk about lining CUPA Conference 2018 Tom Henderson Engineering Geologist State Water Resources Control Board UST Leak Prevention Unit February 2018 Why Should You Care?

1.2k views • 52 slides
Why Talk to Customers? Nick Kolobutin Why Talk to Customers? What is a Startup? A temporary

Why Talk to Customers? Nick Kolobutin Why Talk to Customers? What is a Startup? A temporary

Why Talk to Customers? Nick Kolobutin Why Talk to Customers? What is a Startup? A temporary organization in search of a scalable, repeatable, profitable business model Startups are Risky Greater than 90% of products fail today

979 views • 54 slides
Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me Drupal; Using Drupal to power a Voice App You should be able to follow along by visiting the link below. If you have an Echo device, please mute the

1.67k views • 87 slides
Plan of the talk Plan of the talk The geometry of the hot X-ray corona Strong gravity and

Plan of the talk Plan of the talk The geometry of the hot X-ray corona Strong gravity and

The X-ray polarimetric view of the AGN central engine Giorgio Matt (Universit Roma Tre, Italy) Plan of the talk Plan of the talk The geometry of the hot X-ray corona Strong gravity and the BH spin The orientation of the torus

462 views • 17 slides
Aleksander Mdry What will this talk be about? At a

Aleksander Mdry What will this talk be about? At a

Interior-point Methods and the Maximum Flow Problem Aleksander Mdry What will this talk be about? At a first glance: It is just a talk

708 views • 45 slides
More advanced application techniques, using Swift about this talk Talk about project that I

More advanced application techniques, using Swift about this talk Talk about project that I

More advanced application techniques, using Swift about this talk Talk about project that I spend most of my time working on: Swift Use that to introduce some more general concepts in describing applications and in executing

1.61k views • 64 slides
Standardization Kate Mueller, Director of Product Development What we talk about when we talk

Standardization Kate Mueller, Director of Product Development What we talk about when we talk

Standardization Kate Mueller, Director of Product Development What we talk about when we talk about standard- ization Dont try to 8ix a people/ process problem with a technical solution. Treat it like any other project.

559 views • 4 slides
talk lk listen take part Communication is is at the heart of all ll we do The Talking

talk lk listen take part Communication is is at the heart of all ll we do The Talking

talk lk listen take part Communication is is at the heart of all ll we do The Talking Journey But learning to talk doesnt happen by accident it needs you to make this happen. Talk Together Comments not questions Give them

708 views • 22 slides
What we talk about when we talk about Learning in many-body physics Stories Zi Yang Meng

What we talk about when we talk about Learning in many-body physics Stories Zi Yang Meng

What we talk about when we talk about Learning in many-body physics Stories Zi Yang Meng Raymond Carver Anton Chekhov of American literature I was going to tell you about something. I mean, I was going to prove a point. You

784 views • 54 slides
Why to give an academic talk? You have a good work, and want others to know about it

Why to give an academic talk? You have a good work, and want others to know about it

Why to give an academic talk? You have a good work, and want others to know about it Leveraging academic talks to increase the impact of your research, e.g., conference presentations You have to give a talk A talk is necessary in a

674 views • 40 slides
How to Give a Bad Talk How to Give a Bad Talk Professor David A. Patterson Computer Science 152

How to Give a Bad Talk How to Give a Bad Talk Professor David A. Patterson Computer Science 152

Lecture 20: How to Give a Bad Talk How to Give a Bad Talk Professor David A. Patterson Computer Science 152 Fall 1997 Cs252.1 CS 152: Remaining Schedule Whats Left: Thursday 12/4: Oral Presentations, Noon to 7PM, 6thfloor

242 views • 5 slides
Jan Mller Co-founder, CTO Chainalysis How Does Bitcoin Actually Work? This talk is not

Jan Mller Co-founder, CTO Chainalysis How Does Bitcoin Actually Work? This talk is not

Jan Mller Co-founder, CTO Chainalysis How Does Bitcoin Actually Work? This talk is not about the poli:cal or economical impact of Bitcoin. This talk is not about how to buy, sell, spend, or secure your bitcoins. This talk is about

1.14k views • 41 slides
Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Hello My Name Is Frank

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Hello My Name Is Frank

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Hello My Name Is Frank Hello My Name Is Frank I am a Christian, Father, and Technology Enthusiast. Online my name is frob (IRC, d.o, github) On Twitter I am @frobdfas My Blog

616 views • 44 slides
Learn self-care Express your feelings Tell Someone Someone loves you Talk Ask Listen Keep

Learn self-care Express your feelings Tell Someone Someone loves you Talk Ask Listen Keep

Overview of LETS TALK presentations Learn self-care Express your feelings Tell Someone Someone loves you Talk Ask Listen Keep Talking Background LETS TALK is a community driven initiative that arose in response to the rising death

311 views • 4 slides
University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs

University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs

(Or Living Between a Rock and a Hard Place) Nigel Smart University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs Theory and Practice A key problem is someones theory is someone elses practice,

1.66k views • 68 slides
Topic of this talk Topic of this talk From E- -Relevance Relevance From E to W- -Relevance

Topic of this talk Topic of this talk From E- -Relevance Relevance From E to W- -Relevance

Topic of this talk Topic of this talk From E- -Relevance Relevance From E to W- -Relevance Relevance to W What is relevance in Mobile Personal Information Retrieval? P. Coppola, V. Della Mea, L. Di Gaspero, S. Mizzaro What is

65 views • 6 slides

More recommend