Citrix Program Neighborhood Name Heap Corruption Vulnerability
iDefense Security Advisory 12.16.05
www.idefense.com/application/poi/display?id=357&type=vulnerabilities
December 16, 2005
I. BACKGROUND
Citrix Program Neighborhood is the client used to connect to
applications published on Citrix Metaframe servers.
More information is available from the vendor website:
http://www.citrix.com
II. DESCRIPTION
Remote exploitation of a heap overflow vulnerability in Citrix, Inc.'s
Program Neighborhood allows attackers to execute arbitrary code.
The vulnerability specifically exists due to insufficient handling of
corrupt Application Set responses. A heap-based buffer overflow will
occur when the Citrix Program Neighborhood client receives an
Application Set response containing a name value over 286 bytes. The
overflow will trigger an access violation in RtlFreeHeap() with
register control sufficient to write 4 bytes to an arbitrary location
as shown below:
77F52A7B 8B4E 0C MOV ECX,DWORD PTR DS:[ESI+C]
77F52A7E 898D 60FFFFFF MOV DWORD PTR SS:[EBP-A0],ECX
77F52A84 8901 MOV DWORD PTR DS:[ECX],EAX
Registers:
EAX 41414141
ECX 00004141
ESI 008D5E30 ASCII "AAAAAAAAAAAAAA"
EIP 77F52A84 ntdll.77F52A84
Crash:
77F52A84 8901 MOV DWORD PTR DS:[ECX],EAX
Remote attackers can send an specially crafted name value to overflow
the buffer and execute arbitrary code.
III. ANALYSIS
Successful exploitation of the vulnerability allows remote attackers to
execute arbitrary code with user privileges. The overflow is a
trivial heap-based buffer overflow due to insufficient bounds checking
on the 'name' value in Application Set responses. A typical
exploitation scenario would require an attacker to setup a fake Citrix
Server and wait for a Citrix Program Neighborhood client to connect.
Upon receiving the first connecting packets from the client, the server
would send a corrupt UDP packet to the client.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Citrix
Presentation Server Client 9.0. All prior versions are suspected
vulnerable.
V. WORKAROUND
iDefense is unaware of any effective workarounds at this time.
VI. VENDOR RESPONSE
The vendor has released the following advisory to address this issue:
http://support.citrix.com/kb/entry.jspa?externalID=CTX108354
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3652 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
11/15/2005 Initial vendor notification
11/15/2005 Initial vendor response
12/16/2005 Coordinated public disclosure
IX. CREDIT
iDefense credits Patrik Karlsson (patrik (at) cqure (dot) net [email concealed]) with the discovery
of this vulnerability.
Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.iDefense.com
X. LEGAL NOTICES
Copyright © 2005 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice (at) iDefense (dot) com [email concealed] for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.