iDefense Security Advisory 07.14.11
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 14, 2011

I. BACKGROUND

Citrix's Access Gateway solution provides remote access to customers via
the Web browser. This is accomplished through the use of an ActiveX
control that enables an SSL based VPN. The control itself is provided by
the server upon connecting. Access Gateway functionality is provided by
several models of Access Gateway Appliances. For more information, visit
the URL referenced below.

II. DESCRIPTION

Remote exploitation of a buffer overflow in Citrix Systems, Inc.'s
Access Gateway Client ActiveX control allows remote attackers to execute
arbitrary code.

The vulnerability exists within the ActiveX control with the following
identifiers:

  CLSID: 181BCAB2-C89B-4E4B-9E6B-59FA67A426B5
  ProgId: NSEPA.NsepaCtrl.1
  File: %WINDIR%\Downloaded Program Files\nsepa.ocx

When processing HTTP header data provided by the Access Gateway server,
the client ActiveX control copies a variable length string into a
fixed-size stack buffer. Due to insufficient input validation, a
trivially exploitable stack-based buffer overflow can occur.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code in the context
of the currently logged-on user. To exploit this vulnerability, a
targeted user must load a malicious Web page created by an attacker. An
attacker typically accomplishes this via social engineering or injecting
content into compromised, trusted sites.

Additionally, a targeted user must have this control already installed
or must accept several warning prompts at the time that the attack is
taking place. This control is not on the white list included with
Internet Explorer 7.0. More information can be found at the following
URL.

http://msdn.microsoft.com/en-us/library/bb250471.aspx

This particular control also has an additional prompt inquiring whether
or not the user wishes to allow an "Endpoint Analysis" scan. The options
presented are "Yes", "No", and "Always Allow". Clicking "Yes" or "Always
Allow" can lead to exploitation. Clicking "No" can not result in
exploitation. Also, clicking "Always Allow" will create a registry key
enabling automatic scanning for all future uses of the control.

IV. DETECTION

The following versions of Citrix Access Gateway Enterprise Edition are
vulnerable:

<ul>    <li>Version 8.1 prior to 8.1-67.7 </li> <li>Version 9.0 prior to
9.0-70.5 </li> <li>Version 9.1 prior to 9.1-96.4 </li> </ul>

V. WORKAROUND

Setting the kill-bit for this control will prevent it from being loaded
within Internet Explorer. However, doing so will prevent legitimate use
of the control.

VI. VENDOR RESPONSE

Citrix has released a patch which addresses this issue. Information
about downloadable vendor updates can be found by clicking on the URLs
shown.

https://www.citrix.com/English/ss/downloads/results.asp?productID=1500 5

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

07/01/2009  Initial Vendor Notification
07/02/2009  Initial Vendor Reply
07/14/2011  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Michal Trojnara.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2011 Verisign

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.