Citrix Program Neighborhood Name Heap Corruption Vulnerability

iDefense Security Advisory 12.16.05
www.idefense.com/application/poi/display?id=357&type=vulnerabilities
December 16, 2005

I. BACKGROUND

Citrix Program Neighborhood is the client used to connect to
applications published on Citrix Metaframe servers.

More information is available from the vendor website:

   http://www.citrix.com

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Citrix, Inc.'s
Program Neighborhood allows attackers to execute arbitrary code.

The vulnerability specifically exists due to insufficient handling of
corrupt Application Set responses. A heap-based buffer overflow will
occur when the Citrix Program Neighborhood client receives an
Application Set response containing a name value over 286 bytes. The
overflow will trigger an access violation in RtlFreeHeap() with
register control sufficient to write 4 bytes to an arbitrary location
as shown below:

77F52A7B  8B4E 0C     MOV ECX,DWORD PTR DS:[ESI+C]
77F52A7E  898D 60FFFFFF  MOV DWORD PTR SS:[EBP-A0],ECX
77F52A84  8901       MOV DWORD PTR DS:[ECX],EAX

Registers:
EAX 41414141
ECX 00004141
ESI 008D5E30 ASCII "AAAAAAAAAAAAAA"
EIP 77F52A84 ntdll.77F52A84

Crash:
77F52A84  8901       MOV DWORD PTR DS:[ECX],EAX

Remote attackers can send an specially crafted name value to overflow
the buffer and execute arbitrary code.

III. ANALYSIS

Successful exploitation of the vulnerability allows remote attackers to
execute arbitrary code with user privileges. The overflow is a
trivial heap-based buffer overflow due to insufficient bounds checking
on the 'name' value in Application Set responses. A typical
exploitation scenario would require an attacker to setup a fake Citrix
Server and wait for a Citrix Program Neighborhood client to connect.
Upon receiving the first connecting packets from the client, the server
would send a corrupt UDP packet to the client.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Citrix
Presentation Server Client 9.0. All prior versions are suspected
vulnerable.

V. WORKAROUND

iDefense is unaware of any effective workarounds at this time.

VI. VENDOR RESPONSE

The vendor has released the following advisory to address this issue:

 http://support.citrix.com/kb/entry.jspa?externalID=CTX108354

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3652 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/15/2005 Initial vendor notification
11/15/2005 Initial vendor response
12/16/2005 Coordinated public disclosure

IX. CREDIT

iDefense credits Patrik Karlsson (patrik@cqure.net) with the discovery
of this vulnerability.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@iDefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.