This was a session on September 23, 2017 at DerbyCon 7.
VDI deployments are in over 90% of all the Fortune 1000 companies and are used in almost all industry verticals, but are they secure? The goal of most VDI deployments is to centrally deliver applications and/or desktops to users internally and externally, but in many cases the vendors' basic security recommendations haven't been fully deployed, allowing an attacker to gain access. This talk will review the basic design of the top two solution providers, Citrix and VMware. We will go over these solutions' strengths and weaknesses and learn how to quickly identify server roles and pivot. We will also examine all the major attack points and their defensive counters. If you, or a client of yours, has a VDI deployment, you don't want to miss this talk.
Patrick Coble is an independent EUC and Security Consultant working around Nashville, TN. Patrick has worked in IT for 18 years and as a consultant for over 9 years. He is a recognized expert in Virtualization, EUC solutions and Security. He has deployed hundreds of VDI deployments using both Citrix and VMware solutions all over the southeast. Patrick is working to expose and close the gaps in VDI solutions when it comes to security. He helps Red and Blue teams to gain access to and secure VDI deployments.
2. Agenda
WhoAmI?
Overview of VDI
Overview of Citrix and VMware
Common and Advanced VDI Attack Methods
VDI Recon
How to Pivot in VDI
Securing VDI Basics
Questions
3. My Motivation
Back in DerbyCon 2015, there was a presentation called "High Stake Target Lo Tech Attack" with Bill Gardner and Kevin Cordle that went over the power grid from a lineman's point of view, with background information that was very practical and eye opening for someone who just knew a little bit about the grid.
I knew that I have been doing Citrix and VMware VDI consulting for over 9 years and over 10 years as a customer, and I wanted to do what I could to shed some light on my expertise, just like Bill and Kevin back then.
When you work with large companies, 90% of them will have Citrix or VMware VDI solutions, and knowing some of the components can help you on your PenTest.
4. WhoAmI?
Noob, Patrick Coble, 2x Father, Nerd, Hacker, Trainer, Speaker, Meme User, PowerPoint Clicker and Citrix CTA (69 in the World)
I have been working with computers since 1988 and started hacking in the early AOL days. I started working in the IT industry in 1997 and joined the Marine Corps, where I worked within the Intelligence field on computers. Upon finishing my time in the Marine Corps, I worked in the security industry, specifically within Healthcare, and later joined a reseller before starting my own company in 2016.
Patrick founded a Security Consulting Company in 2016 to close the gap in local and personal security and IT consulting for Small Businesses and Individuals. I still do EUC/VDI Consulting for large companies.
VDISecurity.org
5. Who cares about VDI?
90% of Fortune 1000 Companies
have a VDI Deployment.
A HACKER'S SUMMARY
6. VDI Simple Formula
VDI is crazy IT jargon, just like Cloud, Big Data, Virtualized, Software Defined and many others. But most people agree it stands for Virtual Desktop Infrastructure.
VDI was a very clear product offering back in 2007, but over the years the two big vendors have included application virtualization and mobile device management as well.
It provides a centralized application delivery method.
Run Desktop or Server OSs as Desktops, or just Published Applications.
Access Applications or Desktops from Anywhere.
NVIDIA GRID, Intel Iris Pro Graphics and AMD MxGPU provide graphics virtualization for high-end graphics.
7. Company Info & Major Versions
Horizon (VMware)
VMware Founded: 1998
VMware 2016: 5.62 Billion
First Version: 2.0, January 2008
Major Release Families: 3.0, 4.0, 5.0; 6.0; 7.0-7.2
XenDesktop (Citrix)
Citrix Founded: 1989
Citrix 2016: 3.42 Billion
First Version: 2.0, October 2007
Major Release Families: 2.0, 3.0, 4.0; 5.0, 5.6; 7.0-7.15
24. Citrix XenDesktop and XenApp Overview
NetScaler Load Balancer: load balances, does SSL offload, and in some cases is also an Application Firewall and SAML IdP or SP.
NetScaler Unified Gateway: proxies connections from SSL to ICA.
Citrix StoreFront: the web front end that users use.
Citrix Delivery Controller: the broker, and where the main Management Console, Citrix Studio, is.
Citrix Provisioning Services: responsible for image management if it is used; it streams the OS in a UDP stream to a target device (identified by MAC address).
Citrix Virtual Desktop Agent: runs on each Desktop or Server OS and talks to the Delivery Controller.
Citrix License Server: it's a License Server.
25. VMware Horizon Overview
Access Point: used to proxy the PCoIP, RDP, Blast and Blast Extreme protocols over SSL. Appliance.
Security Server: used to proxy the PCoIP, RDP, Blast and Blast Extreme protocols over SSL. Windows box.
Connection Server: the broker, and where the main Management Console is, over port 443.
vCenter/Composer: used if the older image management method, Linked Clones, is in use. It is normally installed on a vCenter Server.
Horizon Agent: runs on each Desktop or Server OS and talks to the Connection Server.
26. VDI – Common Attack Methods
Phish, Phish and Phish (there are a lot of deployments that use these technologies to publish Outlook or a web browser).
The most common published application is "Internet Explorer", which in many cases is because App X won't run on IE 6, 7, 8, 10. Some of the biggest deployments in DOD were for IE6 virtualization to bridge the gap in compatibility.
Getting in from the outside is tough, but it is possible. You have to find someone on unpatched systems a couple of years old to get through that front door. There are some unicorns out there where 1494 and 3389 are punched open; then, just like any Windows box, if you ain't patching it someone's gettin' in.
There are a lot of CVEs that become VDI-related, from Microsoft for the Server and VDI OS along with some from Citrix and VMware, but no one writes exploits. (There is one I would love to help write, but I'm a noob.)
27. VDI Default Policies
Citrix and VMware both have default policies that can allow data exfiltration, and most admins do not change them.
Copy/Paste (Most Common)
Drive Mapping (Local, Network)
USB Mapping (Disabled by Default on both)
Not applying policies to the right groups is another common mistake.
28. VDI - Recon
External scans: when you're doing DNS and HTTP/HTTPS sweeps, you can look for some of the following screenshots when you're scanning through their domain.
Knowing they have VDI is also a good way to adjust some of your phishing tactics: "Citrix Receiver and Horizon Client upgrades are needed for security." (Repackage the MSIs with your payload and live the dream; you can use SET to clone their portal page for credential harvesting.)
If you spot some of these wild ports between these two systems in a scan, you know what you're dealing with.
If someone has Citrix or VMware, in most cases their most important application is installed in it.
29. VDI – Recon – 80/443 StoreFront
Web Interface 5.4
Usually internal only, but sometimes they are out in the real world.
StoreFront 3.x
30. VDI – Recon – 80/443 StoreFront
StoreFront 2.0
Usually internal only, but sometimes they are out in the real world.
31. VDI – Recon – 80/443 Web Interface
Web Interface 5.4
Usually internal only, but sometimes they are out in the real world.
32. VDI – Recon – 80/443 Web Interface
Web Interface 4.6
Usually internal only, but sometimes they are out in the real world.
36. VDI – Recon – 80/443 NetScaler Admin
NetScaler 11.1-12.x
When you see this you have found the NSIP, which is the management IP of the NetScaler. Note: most are default and are HTTP.
Default UN/PW: nsroot / nsroot
37. VDI – Recon – 80/443 NetScaler Admin
NetScaler 10.5-11.0
When you see this you have found the NSIP, which is the management IP of the NetScaler. Note: most are default and are HTTP.
Default UN/PW: nsroot / nsroot
38. VDI – Recon – 80/443 NetScaler Admin
NetScaler 10.0
When you see this you have found the NSIP, which is the management IP of the NetScaler. Note: most are default and are HTTP.
Default UN/PW: nsroot / nsroot
39. VDI – Recon – VMware Connection Server
View 7.x
40. VDI – Recon – VMware Connection Server
View 6.x
41. VDI – Recon – VMware Connection Server
View 5.x
50. VDI – Pivoting
Once you're in, you need to find the Citrix or VMware Admin groups. If you get a Domain Admin, in most deployments they are set up as admins on the system for ease of administration, depending on how the company operationally supports the deployment and how big and mature their IT department is.
As you will see in the next 4 quick slides, there are not a lot of exploits written for Citrix or VMware given the number of CVEs they have. You always have Windows. Windows and its vulns, along with social engineering, are your way to pivot in and out of the Citrix deployment.
Brute forcing the login pages is in most cases totally possible, and in many cases may not raise any flags because they are seldom monitored in many deployments (3-10 attempts per 15 minutes). Citrix, with its NetScaler as a possible front door, does have rate limiting and WAF features that can be turned on but are seldom deployed, and on the VMware side I haven't seen a deployment yet that has alerts set up for either of their front-door solutions.
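The low-and-slow brute forcing described above goes unnoticed mostly because nobody reviews the failed logons. As an added example (not part of the talk), here is a sliding-window detector in Python over constructed authentication-failure lines; the log layout, IP addresses and usernames are made up, and the 15-minute window with a threshold of 3 is chosen to catch the 3-10 attempts per 15 minutes the slide mentions.

```python
"""Sliding-window detector for low-and-slow brute forcing of a VDI login page
(StoreFront, NetScaler Gateway, Horizon Connection Server). Added example, not
from the talk: the log layout is constructed for illustration; real NetScaler
AAA syslog and Horizon event records differ, so parse_line() is the piece to
adapt. Lines are expected in chronological order."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source spreads five failures over nine minutes
# across five usernames (a spray); another has two failures 29 minutes apart.
SAMPLE_LOG = """\
2017-09-23T10:00:05 LOGIN_FAILED user=jsmith client_ip=203.0.113.7
2017-09-23T10:02:10 LOGIN_FAILED user=mjones client_ip=203.0.113.7
2017-09-23T10:03:40 LOGIN_OK user=mjones client_ip=198.51.100.20
2017-09-23T10:04:55 LOGIN_FAILED user=pcoble client_ip=203.0.113.7
2017-09-23T10:07:30 LOGIN_FAILED user=admin client_ip=203.0.113.7
2017-09-23T10:09:12 LOGIN_FAILED user=svc_backup client_ip=203.0.113.7
2017-09-23T10:11:00 LOGIN_FAILED user=jsmith client_ip=198.51.100.20
2017-09-23T10:40:00 LOGIN_FAILED user=jsmith client_ip=198.51.100.20
"""


def parse_line(line):
    """Return (timestamp, result, user, client_ip), or None for a blank line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[2:])
    return ts, parts[1], fields["user"], fields["client_ip"]


def find_slow_brute_force(log_text, threshold=3, window=timedelta(minutes=15)):
    """Flag any client IP with at least `threshold` failed logons inside one
    sliding window. Three per 15 minutes is the low end of the 3-10 attempts
    per 15 minutes that goes unnoticed when nobody reads these logs."""
    recent = defaultdict(deque)  # client_ip -> deque of (ts, user) failures
    alerts = {}                  # client_ip -> most recent alert for that IP
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "LOGIN_FAILED":
            continue
        ts, _, user, ip = parsed
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            users = {u for _, u in q}
            alerts[ip] = {
                "client_ip": ip,
                "failures": len(q),
                "distinct_users": len(users),
                "likely_spray": len(users) > 1,  # many users from one source
                "window_start": q[0][0],
                "window_end": ts,
            }
    return sorted(alerts.values(), key=lambda a: a["window_start"])


if __name__ == "__main__":
    for alert in find_slow_brute_force(SAMPLE_LOG):
        print(alert)
```

A per-source window misses attempts spread over many source addresses; a second counter keyed by username, or by the gateway as a whole, covers that case.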
51. Citrix CVEs - 174
CVE-2017-9231: XML external entity (XXE) vulnerability in Citrix XenMobile Server 9.x and 10.x before 10.5 RP3 allows attackers to obtain sensitive information via unspecified vectors.
CVE-2017-7219: A heap overflow vulnerability in Citrix NetScaler Gateway versions 10.1 before 135.8/135.12, 10.5 before 65.11, 11.0 before 70.12, and 11.1 before 52.13 allows a remote authenticated attacker to run arbitrary commands via unspecified vectors.
CVE-2017-6316: Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID.
CVE-2017-5933: Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 65.11, 11.0 before Build 69.12/69.123, and 11.1 before Build 51.21 randomly generates GCM nonces, which makes it marginally easier for remote attackers to obtain the GCM authentication key and spoof data by leveraging a reused nonce in a session and a "forbidden attack," a similar issue to CVE-2016-0270.
CVE-2017-5573: An issue was discovered in Linux Foundation xapi in Citrix XenServer through 7.0. An authenticated read-only administrator can cancel tasks of other administrators.
CVE-2017-5572: An issue was discovered in Linux Foundation xapi in Citrix XenServer through 7.0. An authenticated read-only administrator can corrupt the host database.
CVE-2017-5571: Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2016-9680: Citrix Provisioning Services before 7.12 allows attackers to obtain sensitive information from kernel memory via unspecified vectors.
CVE-2016-9679: Citrix Provisioning Services before 7.12 allows attackers to execute arbitrary code by overwriting a function pointer.
52. VMware Horizon CVEs - 16
CVE-2017-4918: VMware Horizon View Client (2.x, 3.x and 4.x prior to 4.5.0) contains a command injection vulnerability in the service startup script. Successful exploitation of this issue may allow unprivileged users to escalate their privileges to root on the Mac OSX system where the client is installed.
CVE-2017-4913: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain an integer-overflow vulnerability in the True Type Font parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
CVE-2017-4912: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain multiple out-of-bounds read vulnerabilities in TrueType Font (TTF) parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
CVE-2017-4911: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain multiple out-of-bounds write vulnerabilities in JPEG2000 parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
CVE-2017-4909: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain a heap buffer-overflow vulnerability in TrueType Font (TTF) parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
CVE-2017-4908: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain multiple heap buffer-overflow vulnerabilities in JPEG2000 parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
CVE-2017-4907: VMware Unified Access Gateway (2.5.x, 2.7.x, 2.8.x prior to 2.8.1) and Horizon View (7.x prior to 7.1.0, 6.x prior to 6.2.4) contain a heap buffer-overflow vulnerability which may allow a remote attacker to execute code on the security gateway.
CVE-2017-4897: VMware Horizon DaaS before 7.0.0 contains a vulnerability that exists due to insufficient validation of data. An attacker may exploit this issue by tricking DaaS client users into connecting to a malicious server and sharing all their drives and devices. Successful exploitation of this vulnerability requires a victim to download a specially crafted RDP file through DaaS client by clicking on a malicious link.
CVE-2016-7087: Directory traversal vulnerability in the Connection Server in VMware Horizon View 5.x before 5.3.7, 6.x before 6.2.3, and 7.x before 7.0.1 allows remote attackers to obtain sensitive information via unspecified vectors.
54. VMware Exploits
Date | Title | Platform | Author
2017-07-18 | Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation | macOS | Mark Wadham
2017-06-10 | VMware vSphere Data Protection 5.x/6.x - Java Deserialization | Multiple | Kelly Correll
2017-06-08 | VMware Workstation 12 Pro - Denial of Service | Windows | Borja Merino
2017-05-22 | VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege... | Linux | Google Secu...
2016-09-19 | VMware Workstation - 'vprintproxy.exe' JPEG2000 Images Multiple Memory Corruptions | Windows | Google Secu...
2016-09-19 | VMware Workstation - 'vprintproxy.exe' TrueType NAME Tables Heap Buffer Overflow | Windows | Google Secu...
2016-08-06 | VMware Host Guest Client Redirector - DLL Side Loading (Metasploit) | Windows | Metasploit
2015-06-12 | Escaping VMware Workstation through COM1 | Papers | Google Secu...
2014-11-06 | VMware Workstations 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read | Win_x86 | KoreLogic
2013-10-14 | VMware Hyperic HQ Groovy Script-Console - Java Execution (Metasploit) | Multiple | Metasploit
2013-08-29 | VMware - Setuid VMware-mount Unsafe popen(3) (Metasploit) | Linux | Metasploit
55. VDI – Securing It
Keeping it patched is the biggest battle; it only takes one box.
Optimize the image to turn off unused features.
Run some form of AV (for years, when the devices were provisioned and/or non-persistent, it was recommended not to install it due to overhead). Most common finding.
Secure the policies to make sure data cannot leave the session in a way you don't want it to: DLP for VDI.
Use AppLocker or other AV systems to whitelist applications, to ensure other applications cannot be launched.
Windows Firewall, IPsec, Microsegmentation.
Replace default SSL certificates and use SSL certificates everywhere.
60. Why do breaches still occur?
(Diagram: data center perimeter)
Today's data centers are protected by strong perimeter defense… but threats and exploits still infect servers. Low-priority systems are often the target.
Threats can lie dormant, waiting for the right moment to strike.
Server-server traffic growth has outpaced client-server traffic. The attack spreads and goes unnoticed.
Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.
Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.
61. Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible.
(Diagram: Internet-facing perimeter with little or no lateral controls inside it; labelled "Insufficient" and "Operationally Infeasible")
62. Micro-segmentation simplifies network security
Each VM can now be its own perimeter.
Policies align with logical groups.
Prevents threats from spreading.
(Diagram: perimeter firewall and inside firewall in front of App, DMZ, Services (AD, NTP, DHCP, DNS, CERT) and DB groups, with Finance, Engineering and HR segments)
63. VDISecurity.Org
At this site you will see things from two perspectives:
VDI Admin: how to secure it.
Security Nerds: how to do recon, get in and pivot.
I have a couple of blog posts ready to roll out but just have to wrap up a couple of things. I have been slacking.
Let’s take a look at the screen of the Citrix Analytics Service delivered in the cloud. This is showcasing the end user behavior.
An IT or security professional can easily spot that one of the users, Mary Smith, has exceeded her risk factor and threshold, and she's been quarantined.
IT can drill down and look at what's been going on in her environment, the time frame, the events that have been happening and how the risk profile has been coming up through unsanctioned access, coming into the network from different places, from downloading too much data, which is unusual.
All of that led the system to the conclusion that this particular user needs to be quarantined.
However all of this is flexible and completely customizable because we know that, in the land of security analytics, having full visibility into what's going on in your environment is critical for provisioning the right level of access and control.
It's important to understand the challenge micro-segmentation solves, because it's one that has been known but not solvable in reality until now.
If we look at all the well-publicized attacks over the last couple of years (Target, Home Depot, Sony and more), they were all different from a hacker-code perspective, but they all had one thing in common: once the threat got through the perimeter defense, whether through the firewall or from the inside, there were little or no lateral controls to keep the threat from moving from server to server until it found what it was looking for and started pumping out credit card numbers or other private information.
Nirvana to most security teams is "micro-segmentation" or a "zero-trust" approach. However, even if your company can afford the capital expense for enough firewalls to deliver the throughput capacity required to achieve high-availability micro-segmentation for East-West traffic in your data center, the operational complexity of managing changes, VM movement, policy granularity and unsustainable policy table changes across all of these firewalls quickly becomes operationally infeasible.
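The group-aligned policy idea from slide 62 and the notes above, as an added example that is not from the talk or from any vendor's product: a small Python policy model in which rules are keyed to tier and tenant tags, evaluated beside a perimeter-only model over a constructed VM inventory. The VM names, tenants and ports are assumptions; the tiers and tenant names are the groups on the slide.

```python
"""Group-aligned (micro-segmentation) policy model beside a perimeter-only one.
Added example, not from the talk and not any vendor's policy engine. Rules are
keyed to tier and tenant tags, never to a VM name or address, so a VM can be
added or moved without touching the rule table, and any east-west flow without
a matching rule is denied."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    tier: str    # "DMZ", "App", "DB" or "Services" (the groups on the slide)
    tenant: str  # "Finance", "Engineering", "HR", or "Shared" for Services


# (source tier or "*", destination tier, port, same tenant required?)
RULES = [
    ("DMZ", "App", 443, True),      # web front end -> its own app tier
    ("App", "DB", 1433, True),      # app tier -> its own database only
    ("*", "Services", 53, False),   # anyone -> DNS
    ("*", "Services", 123, False),  # anyone -> NTP
]


def microseg_allows(src, dst, port):
    """Each VM is its own perimeter: a flow passes only if a tag rule matches."""
    for src_tier, dst_tier, rule_port, same_tenant in RULES:
        if src_tier != "*" and src_tier != src.tier:
            continue
        if dst.tier != dst_tier or port != rule_port:
            continue
        if same_tenant and src.tenant != dst.tenant:
            continue
        return True
    return False


def perimeter_only_allows(src, dst, port):
    """Perimeter-centric model: anything already inside may reach anything."""
    return True


# Constructed inventory (assumed names); no rule above refers to any of it.
INVENTORY = {
    "fin-web-01": VM("fin-web-01", "DMZ", "Finance"),
    "fin-app-01": VM("fin-app-01", "App", "Finance"),
    "fin-db-01": VM("fin-db-01", "DB", "Finance"),
    "hr-db-01": VM("hr-db-01", "DB", "HR"),
    "eng-app-01": VM("eng-app-01", "App", "Engineering"),
    "dns-01": VM("dns-01", "Services", "Shared"),
}

# East-west flows a compromised fin-app-01 (or its DMZ front end) might try.
ATTEMPTS = [
    ("fin-app-01", "fin-db-01", 1433),  # legitimate, same tenant
    ("fin-app-01", "hr-db-01", 1433),   # cross-tenant database reach
    ("fin-app-01", "eng-app-01", 445),  # SMB to a peer server
    ("fin-app-01", "dns-01", 53),       # shared service, legitimate
    ("fin-web-01", "fin-db-01", 1433),  # DMZ skipping the app tier
]


def blocked_flows(policy, inventory=INVENTORY, attempts=ATTEMPTS):
    """Return the set of attempted (src, dst, port) flows the policy denies."""
    return {f for f in attempts if not policy(inventory[f[0]], inventory[f[1]], f[2])}


if __name__ == "__main__":
    print("perimeter-only blocks:", blocked_flows(perimeter_only_allows))
    print("micro-segmentation blocks:", blocked_flows(microseg_allows))
```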