[NT] Citrix Program Neighborhood Name Heap Corruption
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 20 Dec 2005 17:50:58 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Citrix Program Neighborhood Name Heap Corruption
------------------------------------------------------------------------
SUMMARY
<http://www.citrix.com> Citrix Program Neighborhood is the client used to
connect to applications published on Citrix Metaframe servers.
Exploitation of a heap overflow vulnerability in Citrix, Inc.'s Program
Neighborhood allows attackers to execute arbitrary code.
DETAILS
Vulnerable Systems:
* Citrix Presentation Server Client version 9.0 (all prior versions are
suspected to be vulnerable)
The vulnerability exists because the client does not correctly handle
corrupt Application Set responses. A heap-based buffer overflow occurs when
the Citrix Program Neighborhood client receives an Application Set response
whose name value is longer than 286 bytes. The overflow triggers an access
violation in RtlFreeHeap() with enough register control to write 4
attacker-chosen bytes to an arbitrary location, as shown below:
77F52A7B 8B4E 0C MOV ECX,DWORD PTR DS:[ESI+C]
77F52A7E 898D 60FFFFFF MOV DWORD PTR SS:[EBP-A0],ECX
77F52A84 8901 MOV DWORD PTR DS:[ECX],EAX
Registers:
EAX 41414141
ECX 00004141
ESI 008D5E30 ASCII "AAAAAAAAAAAAAA"
EIP 77F52A84 ntdll.77F52A84
Crash:
77F52A84 8901 MOV DWORD PTR DS:[ECX],EAX
Remote attackers can send a specially crafted name value to overflow the
buffer and execute arbitrary code.
Successful exploitation allows remote attackers to execute arbitrary code
with the privileges of the user running the client. The flaw is a
straightforward heap-based buffer overflow caused by insufficient bounds
checking on the 'name' value in Application Set responses. A typical
exploitation scenario requires the attacker to set up a fake Citrix server
and wait for a Citrix Program Neighborhood client to connect. Upon receiving
the client's first connection packets, the server sends a corrupt UDP
response carrying the oversized name value back to the client.
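The following is an added example, not code from the advisory, iDefense or Citrix: a small C model of the bug class described above. It assumes a response encoding (a 2-byte length prefix followed by the name bytes), a 286-byte heap buffer for the name, and a neighbouring free chunk whose free-list header keeps Blink at +0xC, the offset the crash reads via [ESI+C]; none of those layouts are given in the advisory. The simulated heap uses offsets into a byte array rather than real pointers, so the unlink is computed instead of performed and the program is safe to run. It shows how an oversized name overwrites the next chunk's Flink/Blink, the resulting write of 0x41414141 to address 0x41414141 that matches the register dump, and how a length check against the buffer size stops it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the name buffer implied by the advisory (overflow starts past 286 bytes). */
#define NAME_MAX   286

/* Simulated heap arena (assumed layout). Chunk "pointers" are plain 32-bit values
 * read from the arena and never dereferenced, so the model stays memory-safe
 * while reproducing the corruption the advisory's crash dump reflects. */
#define ARENA_SIZE 1024
#define NAME_OFF   0                      /* heap block that receives the name        */
#define FREE_OFF   (NAME_OFF + NAME_MAX)  /* free chunk immediately after it          */
#define FLINK_OFF  (FREE_OFF + 8)         /* assumed header: size(4) flags(4) Flink(4) Blink(4) */
#define BLINK_OFF  (FREE_OFF + 12)        /* +0xC, the offset the crash reads via [ESI+C] */

static uint32_t rd32(const uint8_t *a, size_t off) { uint32_t v; memcpy(&v, a + off, 4); return v; }
static void wr32(uint8_t *a, size_t off, uint32_t v) { memcpy(a + off, &v, 4); }

/* Assumed response encoding (constructed for this model, not the real wire
 * format): 2-byte little-endian length followed by that many name bytes. */
static int read_len(const uint8_t *resp, size_t resp_len, uint16_t *n) {
    if (resp_len < 2) return -1;
    *n = (uint16_t)(resp[0] | (resp[1] << 8));
    return (resp_len >= 2u + *n) ? 0 : -1;
}

/* Vulnerable: copies as many bytes as the peer claims. The ARENA_SIZE check only
 * keeps this simulation in bounds; the affected client had no NAME_MAX check. */
static int parse_name_vulnerable(uint8_t *arena, const uint8_t *resp, size_t resp_len) {
    uint16_t n;
    if (read_len(resp, resp_len, &n) < 0 || n > ARENA_SIZE - NAME_OFF) return -1;
    memcpy(arena + NAME_OFF, resp + 2, n);
    return 0;
}

/* Fixed: reject any name that does not fit, leaving room for the terminator. */
static int parse_name_fixed(uint8_t *arena, const uint8_t *resp, size_t resp_len) {
    uint16_t n;
    if (read_len(resp, resp_len, &n) < 0) return -1;
    if (n >= NAME_MAX) return -2;                 /* oversized name: drop the response */
    memcpy(arena + NAME_OFF, resp + 2, n);
    arena[NAME_OFF + n] = 0;
    return 0;
}

/* Model of the unsafe free-list unlink on the neighbouring chunk, the XP-era
 * pattern behind the crash (MOV ECX,[ESI+C]; MOV [ECX],EAX): *Blink = Flink.
 * Returns the address that would be written and the value written to it. */
struct write4 { uint32_t addr, value; };
static struct write4 simulate_unlink(const uint8_t *arena) {
    struct write4 w = { rd32(arena, BLINK_OFF), rd32(arena, FLINK_OFF) };
    return w;
}

/* Constructed malicious response: 286 filler bytes plus 16 that land on the free
 * chunk header, all 'A', so Flink/Blink become 0x41414141 as in the register dump. */
#define EVIL_NAME_LEN (NAME_MAX + 16)
static size_t build_evil_response(uint8_t *out) {
    out[0] = (uint8_t)(EVIL_NAME_LEN & 0xff);
    out[1] = (uint8_t)(EVIL_NAME_LEN >> 8);
    memset(out + 2, 'A', EVIL_NAME_LEN);
    return 2 + EVIL_NAME_LEN;
}

static void init_arena(uint8_t *arena) {
    memset(arena, 0, ARENA_SIZE);
    wr32(arena, FLINK_OFF, 0x00401000u);          /* sane links before the attack */
    wr32(arena, BLINK_OFF, 0x00402000u);
}

/* Feed the evil response to the vulnerable parser; return the resulting write-4. */
static struct write4 vulnerable_outcome(void) {
    uint8_t arena[ARENA_SIZE], resp[2 + EVIL_NAME_LEN];
    init_arena(arena);
    size_t len = build_evil_response(resp);
    parse_name_vulnerable(arena, resp, len);
    return simulate_unlink(arena);
}

/* Same input through the fixed parser; returns its status and the untouched links. */
static int fixed_outcome(struct write4 *links) {
    uint8_t arena[ARENA_SIZE], resp[2 + EVIL_NAME_LEN];
    init_arena(arena);
    size_t len = build_evil_response(resp);
    int rc = parse_name_fixed(arena, resp, len);
    *links = simulate_unlink(arena);
    return rc;
}

int main(void) {
    struct write4 w = vulnerable_outcome(), f;
    int rc = fixed_outcome(&f);
    printf("vulnerable: unlink writes 0x%08x to 0x%08x\n", w.value, w.addr);
    printf("fixed: rc=%d, links intact 0x%08x/0x%08x\n", rc, f.value, f.addr);
    return 0;
}
```

The point of the model is the primitive, not the exact Windows heap: once the 16 bytes past the 286-byte buffer are attacker data, the next free of the neighbouring chunk turns into a controlled 4-byte write, which is what the ECX/EAX values in the crash dump show. The fix is the check the vulnerable parser lacks: compare the received length against the destination size before copying, and drop the response rather than truncate silently.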
Vendor Response:
The vendor has released the following advisory to address this issue:
http://support.citrix.com/kb/entry.jspa?externalID=CTX108354
CVE Information:
CVE-2005-3652: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3652
Disclosure Timeline:
* 15.11.05 - Initial vendor notification
* 15.11.05 - Initial vendor response
* 16.12.05 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article can be found at:
www.idefense.com/application/poi/display?id=357&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.