Wednesday, September 24, 2014

Worse than HeartBleed? CVE-2014-6271



GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

CVSS Severity (version 2.0):
CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)
Impact Subscore: 10.0Exploitability Subscore: 10.0
CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Information taken from:

Tuesday, June 3, 2014

Citrix XenApp - Automate Discovery

I am in the process of building out a new XenApp environment for a customer, and was thinking... "It would be so nice to automate the 'Configure and run discovery' settings". So how do you accomplish this? I know my service desk would appreciate it!

The answer is a custom "MMC". Below are the steps to accomplish this.

Part 1: Create the custom MMC

  • Open up a 32bit MMC console (universally will work better and create less stress)
    • On 32 bit OS run "mmc"
    • On 64 bit OS run "mmc /32"

  •  Click File > Add/Remove Snap-in...

  •  Select the console you are going to push out to your users and add it to the "Selected snap-ins"
    • (In my case it is going to be AppCenter)

  •  Right Click on "XenApp"
    • Select "Configure and run discovery"

  •  Select the "Skip this screen in the future" box
    • Click Next

  •  Click on Add
    • For the server, I am going to pick my two XenApp Controllers
      • Depending on your setup, and where you are publishing this, you will need to pick the correct server(s)... (setting up a load balanced VIP on your NetScaler....  hmmm....)

  •  Click Next

  •  Check the box next to "Close this wizard when discovery is successful"

  •  Change the options of your new custom MMC console
    • Click on File > Options...

  •  In my case, I want to restrict access to areas of the tree
    • I am going to select "User mode - limited access, single window"

Below is an explanation of each option:

  • Author mode
    • Enables full customization of the snap-in console, including the ability to add or remove snap-ins, create new windows, create Favorites and taskpads, and access all the options of the Customize View and Options dialog boxes. Users creating a custom console file for themselves or others typically use this mode. The resulting snap-in console is usually saved in one of the user modes in this table.
  • User mode - full access
    • The same as author mode, except that users cannot add or remove snap-ins, change snap-in console options, create Favorites, or create taskpads.
  • User mode—limited access, multiple window
    • Provides access only to those parts of the tree that were visible when the console file was saved. Users can create new windows, but cannot close any existing windows.
  • User mode - limited access, single window
    • Provides access only to those parts of the tree that were visible when the console file was saved. Users cannot create new windows.

  •  Now we want to save our custom MMC
    • Click File > Save As...

  •  Save it where ever you would like. I am going to save mine to c:\custom mmc\AppCenter.mmc on each of my terminal servers.

Part 2: Publish the custom MMC

This section could be done a dozen different ways. I will show you how to publish out the mmc we just created as it being accessed directly from each server.

  • Select "Skip this screen in the future"
    • Click Next

  •  Enter in a Display name for your application
    • In my case I am using "Citrix AppCenter"

  •  Use the defaults
    • Application
      • Accessed from a server
        • Installed application

  •  Location to mmc.exe and the location of the custom mmc
    • Command Line:
      • c:\windows\system32\mmc.exe "c:\windows\system32\AppCenter.mmc"
    • Working directory:
      • c:\windows\system32
    • Click Next

  •  Click Add
    • Select the Servers or Worker Group that contains the servers you would like to publish out the mmc too.
      • Click Next

  •  Click Add
    • Add the users that need access to the mmc
      • Click Next

  •  Go to where your Citrix management console is installed (where the console is installed), and right click > properties
    • Then click on "Change Icon..."

  •  Copy out the location of the .ico

    • Go back to your application you are publishing and click "Chang icon..."
    • Click Browse
      • Input the location of the .ico file you just copied
        • Click OK

    •  Click Next

    •  Click Finish

    You now have a management console that your admins will not have to configure for discovery.

    Thursday, May 15, 2014

    The group policy service failed the logon. Access is denied.

    This morning, I had a brand new user log into a Citrix XenApp 6.0 environment. When launching applications, they received the following error message.

    "The group policy service failed the logon. Access is denied."

    Quick and easy fix for this one is to delete the users profile. User can now log in and launch applications. Issue resolved!

    Monday, May 12, 2014

    NetScaler - Gateway vServer- Dropping packets from a specific Source

    NetScaler - Gateway vServer- Dropping packets from a specific Source

    While talking with a citrixirc colleague, the question was brought up... "Is there a way to block 1 client from a vserver at the NetScaler level?"

    The answer is "Yes". I am sure there are multiple ways to do this. I personally would use a "Responder Policy".

    If you want to learn more about Citrix Responder Policies you can check out

    Setting up a Responder Policy to drop a client

    • Open up the GUI and go to "NetScaler Gateway > Virtual Servers"
      • Open the vServer you would like to add the Responder Policy too.
      • Click on the "Policies" tab
        • Then click on the Responder button
          • Click on Insert Policy at the bottom
            • Then click on "New Policy..."

    • Create the following Responder Policy
      • Name: rpol-%youpickaname%
        • You can use which ever naming convention you would like. I use "rpol" for my Responder Policies.
      • Action: DROP
      • Expression: CLIENT.IP.SRC.EQ(
        • Replace with the IP you want to block.
      • Click on "Create" and you should now see you Responder Policy under the Responder Section.

    If you want to verify from the NetScaler it is being blocked, you could do something like 
    • Enable logging
    • SSH to you NetScaler and from shell do a " dst" to see what is happening with the packets.
    • From CLI do
      • Show Connectiontable "DESTIP eq"

    If you wanted to do this all from the CLI, you could just do...

    add responder policy rpol-block-ip "CLIENT.IP.SRC.EQ("
    bind vpn vserver My-vServer -policy rpol-block-ip -priority 100 -gotoPriorityExpression END -type REQUEST

    Note: This only blocks new connections. Any existing connections will remain connected until they are forced to reconnect. 

    Where’s my enabled Users?

    Where’s my enabled Users? I’m going through and fine tuning our Proodpoint Spam solution and noticed one of the filters needs to be updated....