what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

iDefense Security Advisory 07.14.11 - Citrix Code Execution

iDefense Security Advisory 07.14.11 - Citrix Code Execution
Posted Jul 16, 2011
Authored by Michal Trojnara, iDefense Labs | Site idefense.com

iDefense Security Advisory 07.14.11 - Remote exploitation of a buffer overflow in Citrix Systems, Inc.'s Access Gateway Client ActiveX control allows remote attackers to execute arbitrary code. To exploit this vulnerability, a targeted user must load a malicious Web page created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites. Versions affected are 8.1 prior to 8.1-67.7, 9.0 prior to 9.0-70.5, and 9.1 prior to 9.1-96.4.

tags | advisory, remote, web, overflow, arbitrary, activex
SHA-256 | 7da340d19926e061e5ff91def8e4cab80314786c667bc814ad98db464a3d4ca0

iDefense Security Advisory 07.14.11 - Citrix Code Execution

Change Mirror Download
iDefense Security Advisory 07.14.11
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 14, 2011

I. BACKGROUND

Citrix's Access Gateway solution provides remote access to customers via
the Web browser. This is accomplished through the use of an ActiveX
control that enables an SSL based VPN. The control itself is provided by
the server upon connecting. Access Gateway functionality is provided by
several models of Access Gateway Appliances. For more information, visit
the URL referenced below.

II. DESCRIPTION

Remote exploitation of a buffer overflow in Citrix Systems, Inc.'s
Access Gateway Client ActiveX control allows remote attackers to execute
arbitrary code.

The vulnerability exists within the ActiveX control with the following
identifiers:

CLSID: 181BCAB2-C89B-4E4B-9E6B-59FA67A426B5
ProgId: NSEPA.NsepaCtrl.1
File: %WINDIR%\Downloaded Program Files\nsepa.ocx

When processing HTTP header data provided by the Access Gateway server,
the client ActiveX control copies a variable length string into a
fixed-size stack buffer. Due to insufficient input validation, a
trivially exploitable stack-based buffer overflow can occur.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code in the context
of the currently logged-on user. To exploit this vulnerability, a
targeted user must load a malicious Web page created by an attacker. An
attacker typically accomplishes this via social engineering or injecting
content into compromised, trusted sites.

Additionally, a targeted user must have this control already installed
or must accept several warning prompts at the time that the attack is
taking place. This control is not on the white list included with
Internet Explorer 7.0. More information can be found at the following
URL.

http://msdn.microsoft.com/en-us/library/bb250471.aspx

This particular control also has an additional prompt inquiring whether
or not the user wishes to allow an "Endpoint Analysis" scan. The options
presented are "Yes", "No", and "Always Allow". Clicking "Yes" or "Always
Allow" can lead to exploitation. Clicking "No" can not result in
exploitation. Also, clicking "Always Allow" will create a registry key
enabling automatic scanning for all future uses of the control.

IV. DETECTION

The following versions of Citrix Access Gateway Enterprise Edition are
vulnerable:

<ul> <li>Version 8.1 prior to 8.1-67.7 </li> <li>Version 9.0 prior to
9.0-70.5 </li> <li>Version 9.1 prior to 9.1-96.4 </li> </ul>

V. WORKAROUND

Setting the kill-bit for this control will prevent it from being loaded
within Internet Explorer. However, doing so will prevent legitimate use
of the control.

VI. VENDOR RESPONSE

Citrix has released a patch which addresses this issue. Information
about downloadable vendor updates can be found by clicking on the URLs
shown.

https://www.citrix.com/English/ss/downloads/results.asp?productID=1500 5

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

07/01/2009 Initial Vendor Notification
07/02/2009 Initial Vendor Reply
07/14/2011 Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Michal Trojnara.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2011 Verisign

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    20 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close