Remko Weijnen's Blog (Remko's Blog)

About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like


2,872 views

I logged on remotely to a server with RDP and I noticed that I had options to restart or shut down that server. This means we can shut down or restart a server without physical access and without authentication:

Windows Server 2003 Logon Screen | Imprivata | Shutdown | REstart

Read the rest of this entry »

  • 0 Comments
  • Filed under: General
  • 3,865 views

    Environment
    Windows 2003 Enterprise (32 bit), Citrix XenApp 5, RES Workspace Manager 2011, McAfee VirusScan Enterprise 8.7.0i.

    Problem
    When opening an Excel workbook from SharePoint, the whole session freezes.

    I asked the user to open an Excel workbook from Sharepoint and I noticed the following popup:

    Some files can harm your computer. If the file information looks suspicious or you do not fully trust the source, do not open the file | You are opening the following file: | File name: My Workbook.xls | From: Sharepoint

    So my first thought was that the user somehow clicked this message to the background and IE was waiting for a response.

    Read the rest of this entry »

    1,690 views

    I needed to change the drive letter assigned to the cd/dvd station from an Automation Manager project.

    Although most systems only have one cd/dvd drive, some machines might be equipped with multiple drives.

    A couple of years ago I wrote a tool called ChDrvLetter that can assign a specific drive letter to a partition given its volume name. In that tool I also included an option for CD/DVD drives.

    Using the CDROM [Letters] parameter you can assign specific letters to the CD/DVD drives.

    Read the rest of this entry »

  • 0 Comments
  • Filed under: RES
  • 7,441 views

    Just some quick code to get the OU Name of the computer we run the script on.

    VBS:

    PowerShell:

    7,878 views

    The Citrix Online Plugin has a number of settings that can be changed. This includes things such as Window Size and Color Depth:

    Session Options | Window size | Default | Full Screen | Requested Color Quality

    In my case I wanted to preset the Window size to Full Screen, so using Process Monitor I checked where the Online Plugin writes this setting. I used a filter that includes only the Online Plugin (PNAMain.exe) and the RegSetValue operation:

    Filter on Process Name is PNAMain.exe | Operation is RegSetValue

    Read the rest of this entry »

    3,442 views

    Recently I published a Proof of Concept that showed it was possible to launch unauthorized processes with both AppSense Application Manager and RES Workspace Manager.

    Although I didn’t test Microsoft AppLocker, I have no doubt at all that we couldn’t bypass it.

    I have named my Proof of Concept the XLSploit because I am using Excel as a trampoline. I chose Excel because this is generally a trusted process and VBA offers access to the Windows API that is needed.

    After publishing the XLSploit I have talked to both RES and AppSense, and now that they both have a response to my Proof of Concept, I consider it safe to tell a little more about how it works.

    If you are merely interested in stopping the XLSploit, please scroll down to the end of the article.

    Read the rest of this entry »

  • 3 Comments
  • Filed under: General
  • 1,791 views

    A while ago my Windows 7 laptop suddenly refused to go into Hibernation. The strange thing was that the whole process of saving memory to the hibernate file seemed to work correctly. The screen would go black and there was lots of disk activity. Then after the disk activity finished the system would return to the logon screen.

    A Google search on this issue showed that the most likely cause was a driver preventing the system from going into hibernation. Using the command line “powercfg -DEVICEQUERY wake_armed” we can check if there are any devices that can wake the system. Another useful parameter is -ENERGY, which generates an HTML report file.

    But in my case this led to nothing.

    Read the rest of this entry »

  • 1 Comment
  • Filed under: Windows 7
  • 3,862 views

    UPDATE: See this new article by Helge Klein.

    Recently Helge Klein wrote a blog titled How to Speed Up Your Windows 7 Boot Time by 20%. He does this by disabling the graphical animation that Windows 7 displays while booting.

    After applying this tweak I noticed that a resume from hibernation (which I do far more often than a full boot) still showed the graphical animation (and wasn’t sped up).

    So how to disable the animation while resuming?

    Read the rest of this entry »

  • 2 Comments
  • Filed under: Windows 7
  • 1,466 views

    Today I was troubleshooting the application “Harmony Client” which crashed upon exiting:

    Toepassingspop-up: HARMONY_Client.exe - Toepassingsfout : De instructie op 0x77e621b6 verwijst naar geheugen op 0x4b750000. Een lees- of schrijfbewerking op het geheugen is mislukt: | The memory could not be read.

    The application had been thinapped and the error only appeared when starting the thinapped version.

    Read the rest of this entry »

    6,463 views

    The video below shows a Proof of Concept of bypassing Application Security in RES Workspace Manager.

    Please note that at this time the code is not publicly available so please don’t ask for it.

    EDIT 2: I added a video that I received from someone who tried my Excel Sheet with AppSense Application Manager.


    EDIT: I wanted to clarify a couple of things regarding this post.

    First of all I would like to explain why I wrote this code and why I chose to test it with RES WM.

    I had the idea about this approach a long time ago but I never got around to actually doing it. The main reason was that I needed to convert Delphi code to VBA and especially converting some Windows headers was a lot of work. Then suddenly I noticed that someone had already converted the headers, so all I had to do was rewrite the code that used it to VBA.

    The choice for RES was made because of two reasons:

    1. If you want to beat something, you want to beat the best and I most certainly consider RES WM to be one of the top products.
    2. At the time I wrote the POC code I had access to an environment with RES in it.

    I would like to emphasize that RES contacted me very quickly after publishing this blog. I’ve had contact with RES and they showed a very constructive approach with their primary goal being a fix or guidance for their customers. Hats off to RES for taking a constructive approach and I will be working together with RES on this issue.

    Finally I would like to state that I didn’t expect this post to draw this much attention; if I did, I would have probably taken another approach.


     

    Read the rest of this entry »
