Credit:
The information has been provided by iDefense.
The original article can be found at:
www.idefense.com/application/poi/display?id=357&type=vulnerabilities
Vulnerable Systems:
* Citrix Presentation Server Client version 9.0 (all prior versions are suspected to be vulnerable)
The vulnerability exists due to insufficient handling of corrupt Application Set responses. A heap-based buffer overflow occurs when the Citrix Program Neighborhood client receives an Application Set response containing a name value longer than 286 bytes. Because the overflow corrupts adjacent heap metadata, the fault surfaces later, in RtlFreeHeap(), rather than at the copy itself. At that point the attacker controls the registers used by the pointer write (here ECX is loaded from the attacker-supplied data at ESI and EAX is already 41414141, so both the destination address and the value written are controlled), which is sufficient to write 4 bytes to an arbitrary location, as shown below:
77F52A7B 8B4E 0C MOV ECX,DWORD PTR DS:[ESI+C]
77F52A7E 898D 60FFFFFF MOV DWORD PTR SS:[EBP-A0],ECX
77F52A84 8901 MOV DWORD PTR DS:[ECX],EAX
Registers:
EAX 41414141
ECX 00004141
ESI 008D5E30 ASCII "AAAAAAAAAAAAAA"
EIP 77F52A84 ntdll.77F52A84
Crash:
77F52A84 8901 MOV DWORD PTR DS:[ECX],EAX
Remote attackers can send a specially crafted name value to overflow the buffer and execute arbitrary code.
Successful exploitation of the vulnerability allows remote attackers to execute arbitrary code with the privileges of the user running the client. The overflow is a straightforward heap-based buffer overflow caused by insufficient bounds checking on the 'name' value in Application Set responses. A typical exploitation scenario requires an attacker to set up a fake Citrix server and wait for a Citrix Program Neighborhood client to connect; upon receiving the first connecting packets from the client, the server sends a corrupt UDP packet to the client. The practical precondition is therefore that the client can be made to talk to a server the attacker controls; once that holds, a single response suffices.
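The bug class described above, as an added example rather than Citrix code: the wire layout (a 16-bit little-endian length followed by the name bytes), the 286-byte heap buffer, and the function names are assumptions made for illustration. The unchecked parser validates the length only against the datagram, so a fake server can supply a name that overruns the heap chunk; the checked parser rejects the name before allocating. build_response() constructs the kind of datagram a fake server would send.

```c
/* Added example: unchecked vs. bounds-checked handling of the 'name'
 * value in an Application Set response. Layout, sizes and names are
 * assumed for illustration; this is not the Citrix client's code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF_SIZE 286   /* assumed size of the heap buffer the advisory says is exceeded */

struct app_entry {
    char *name;             /* heap buffer of NAME_BUF_SIZE bytes */
};

/* Assumed wire layout: [len_lo][len_hi][name bytes ...] */
static size_t read_u16_le(const uint8_t *p)
{
    return (size_t)p[0] | ((size_t)p[1] << 8);
}

/* Vulnerable pattern: the length is checked against the datagram only,
 * never against the 286-byte heap buffer. A longer name overruns the
 * chunk and corrupts the next heap header; the damage surfaces later
 * when the heap manager frees or unlinks a chunk (RtlFreeHeap() in the
 * crash shown above). Never call this with name_len >= NAME_BUF_SIZE. */
int parse_name_unchecked(struct app_entry *e, const uint8_t *resp, size_t resp_len)
{
    if (resp_len < 2) return -1;
    size_t name_len = read_u16_le(resp);
    if (name_len > resp_len - 2) return -1;     /* truncated datagram */
    e->name = malloc(NAME_BUF_SIZE);
    if (e->name == NULL) return -1;
    memcpy(e->name, resp + 2, name_len);        /* heap overflow when name_len > 286 */
    e->name[name_len] = '\0';
    return 0;
}

/* Hardened form: bound the length against the destination buffer and
 * reject before any allocation or copy. Returns -2 so callers can tell
 * "oversized name" from "truncated datagram". */
int parse_name_checked(struct app_entry *e, const uint8_t *resp, size_t resp_len)
{
    if (resp_len < 2) return -1;
    size_t name_len = read_u16_le(resp);
    if (name_len > resp_len - 2) return -1;     /* truncated datagram */
    if (name_len >= NAME_BUF_SIZE) return -2;   /* leave room for the terminator */
    e->name = malloc(NAME_BUF_SIZE);
    if (e->name == NULL) return -1;
    memcpy(e->name, resp + 2, name_len);
    e->name[name_len] = '\0';
    return 0;
}

/* Constructed sample: the datagram a fake server would send, carrying a
 * name of n 'A' bytes. buf must have room for n + 2 bytes; returns the
 * datagram length. */
size_t build_response(uint8_t *buf, size_t n)
{
    buf[0] = (uint8_t)(n & 0xff);
    buf[1] = (uint8_t)((n >> 8) & 0xff);
    memset(buf + 2, 'A', n);
    return n + 2;
}

int main(void)
{
    uint8_t pkt[1024];
    struct app_entry e = { NULL };

    /* A 300-byte name: longer than the 286-byte buffer. */
    size_t len = build_response(pkt, 300);
    printf("checked parser on 300-byte name: %d (expected -2, rejected)\n",
           parse_name_checked(&e, pkt, len));
    /* parse_name_unchecked() is deliberately not run on this input. */

    /* A benign 10-byte name is accepted by both parsers. */
    len = build_response(pkt, 10);
    if (parse_name_checked(&e, pkt, len) == 0) {
        printf("checked parser accepted \"%s\"\n", e.name);
        free(e.name);
        e.name = NULL;
    }
    return 0;
}
```

The defensive check belongs before the allocation: bounding the copy against the datagram length alone is exactly the mistake the advisory describes, because the attacker chooses both the length field and the datagram size.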
Vendor Response:
The vendor has released the following advisory to address this issue:
http://support.citrix.com/kb/entry.jspa?externalID=CTX108354
CVE Information:
CVE-2005-3652
Disclosure Timeline:
* 15.11.05 - Initial vendor notification
* 15.11.05 - Initial vendor response
* 16.12.05 - Coordinated public disclosure