Reverse Shell Using DLL Hijacking Vulnerability on Citrix Application

Hello Guys, how are you all ? Hope you are safe and fine. As it’s a pandemic situation many IT professionals are working from home using vpn or any other remote tools. In which one of them is Citrix which is well known and widely used in many organizations and also I am one of the citrix user. As per daily activity I was testing an thick client application after finishing my work , thought of looking after citrix receiver application as It is new to me never worked on it before, I thought of finding vulnerabilities in it and guess what I found Dll Hijacking. So Let’s get started how I discovered this flaw which can harm the user and put organization under risk.

So, what is DLL Hijacking?

DLL Hijacking is a way for attackers to execute unexpected code on your machine. This means that if an attacker can get a file on your machine (by social engineering, remote control, etc.) that file could be executed when the user runs an application that is vulnerable to DLL Hijacking.

Tools & OS used: Windows 10, Kali Linux, process monitor (Microsoft Sysinternal tool).

Vulnerable Application: Citrix Receiver 4.12 & Citrix Workspace 2009

Exploitation

Step1: Capture the traffic using Microsoft sysinternals tool “process monitor” and use proper filter while capturing the traffic as shown below.

Step2: Open the Citrix application and look for name not found dll’s which belongs to application.

Step3: Now we need to craft a malicious dll to get reverse shell of a victim machine am using Msfvenom in kali Linux.

Step4: After replacing with few missing dll. It gave me an error.

Step5: After so many failure attempts, I saw an Dll with name “WindowsAppRHelper.dll”. After google search I got to know it is used to fix missing or corrupted dll and same time it is executing with application.

Step6: As it is executing with application, I thought of replacing “WindowsAppRHelper.dll” with Malicious DLL file with same name.

Step7: Again I closed and restarted the application and when application calls and executes this malicious dll (WindowsAppRHelper.dll), I got reverse shell of victim machine without any error of dll and application was running successfully and we can find the victim’s session at tcp listener. As it is user level shell, but post exploitation can be done in order to gain admin privilege.

Step8: I verified that exploit was successful by killing the Receiver.exe task.

The impact on Citrix

  1. Attacker can use as an Application as rootkit, Application rootkits replace standard files in your computer with rootkit files. They might also change the way standard applications work. These rootkits might infect programs such as Word, Paint, or Notepad etc. Once you run these programs; you will give hackers access to your computer. The challenge here is that the infected programs will still run normally, making it difficult for users to detect the rootkit or any.
  2. An attacker can Implant a Malware in victim system which could be difficult to locate and to remove from the system and Every time Citrix is executed, the Malware is executed and Even if you try to uninstall the application malicious dll is executed.
  3. An attacker can use victim system as a zombie or cyber intrusion (DDOS).
  4. Even use application for binary planting, binary planting is a general term for an attack where the attacker places (i.e., plants) a binary file containing malicious code to a local or remote file system for a vulnerable application to load and execute it.
  5. Even if an attacker gets a same privilege, attacker can try to do post exploitation looking after System Misconfiguration and get Admin privilege.

Remediation

Wherever possible, specify a fully qualified path when using the LoadLibrary, LoadLibraryEx, CreateProcess, or ShellExecute functions.

Test your application with Microsoft’s CWDIllegalInDllSearch hotfix set to “max”

Conclusion

As it falls under Social engineering but flaw is flaw which must be Fixed. Dll hijacking is still an issue in the modern day and can be used by malware authors to maintain access to computers. Many attackers have targeted this type of vulnerability. More must be done to protect user’s computers by program authors by implementing secure dll loading programming practices. Windows is also at fault for having such an insecure dll loading practice in the first place.

Disclosure…