CVE-2005-3652
CVSS7.5
发布时间 :2005-12-16 18:03:00
修订时间 :2011-03-07 21:26:55
NMCOPS    

[原文]Heap-based buffer overflow in Citrix Program Neighborhood client 9.0 and earlier allows remote attackers to execute arbitrary code via a long name value in an Application Set response.


[CNNVD]Citrix Program Neighborhood应用程序枚举缓冲区溢出漏洞(CNNVD-200512-353)

        Citrix Program Neighborhood客户端9.0及更早版本中存在堆缓冲区溢出,远程攻击者可以通过应用程序集响应中的长文件名值执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3652
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3652
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-353
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/15907
(PATCH)  BID  15907
http://support.citrix.com/kb/entry.jspa?externalID=CTX108354
(VENDOR_ADVISORY)  CONFIRM  http://support.citrix.com/kb/entry.jspa?externalID=CTX108354
http://secunia.com/advisories/18068
(VENDOR_ADVISORY)  SECUNIA  18068
http://www.vupen.com/english/advisories/2005/2944
(UNKNOWN)  VUPEN  ADV-2005-2944
http://www.idefense.com/application/poi/display?id=357&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20051216 Citrix Program Neighborhood Name Heap Corruption Vulnerability
http://www.osvdb.org/21816
(UNKNOWN)  OSVDB  21816
http://securitytracker.com/id?1015373
(UNKNOWN)  SECTRACK  1015373
http://securityreason.com/securityalert/266
(UNKNOWN)  SREASON  266

- 漏洞信息

Citrix Program Neighborhood应用程序枚举缓冲区溢出漏洞
高危 缓冲区溢出
2005-12-16 00:00:00 2005-12-19 00:00:00
远程  
        Citrix Program Neighborhood客户端9.0及更早版本中存在堆缓冲区溢出,远程攻击者可以通过应用程序集响应中的长文件名值执行任意代码。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://www.citrix.com/English/SS/downloads/downloads.asp?dID=2755

- 漏洞信息 (F42523)

iDEFENSE Security Advisory 2005-12-16.t (PacketStormID:F42523)
2005-12-23 00:00:00
Patrik Karlsson,iDefense Labs  idefense.com
advisory,remote,overflow,arbitrary
CVE-2005-3652
[点击下载]

iDEFENSE Security Advisory 12.16.05 - Remote exploitation of a heap overflow vulnerability in Citrix, Inc.'s Program Neighborhood allows attackers to execute arbitrary code. The vulnerability specifically exists due to insufficient handling of corrupt Application Set responses. A heap-based buffer overflow will occur when the Citrix Program Neighborhood client receives an Application Set response containing a name value over 286 bytes. iDefense has confirmed the existence of this vulnerability in Citrix Presentation Server Client 9.0. All prior versions are suspected vulnerable.

Citrix Program Neighborhood Name Heap Corruption Vulnerability

iDefense Security Advisory 12.16.05
www.idefense.com/application/poi/display?id=357&type=vulnerabilities
December 16, 2005

I. BACKGROUND

Citrix Program Neighborhood is the client used to connect to
applications published on Citrix Metaframe servers.

More information is available from the vendor website:

   http://www.citrix.com

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Citrix, Inc.'s
Program Neighborhood allows attackers to execute arbitrary code.

The vulnerability specifically exists due to insufficient handling of
corrupt Application Set responses. A heap-based buffer overflow will
occur when the Citrix Program Neighborhood client receives an
Application Set response containing a name value over 286 bytes. The
overflow will trigger an access violation in RtlFreeHeap() with
register control sufficient to write 4 bytes to an arbitrary location
as shown below:

77F52A7B  8B4E 0C     MOV ECX,DWORD PTR DS:[ESI+C]
77F52A7E  898D 60FFFFFF  MOV DWORD PTR SS:[EBP-A0],ECX
77F52A84  8901       MOV DWORD PTR DS:[ECX],EAX

Registers:
EAX 41414141
ECX 00004141
ESI 008D5E30 ASCII "AAAAAAAAAAAAAA"
EIP 77F52A84 ntdll.77F52A84

Crash:
77F52A84  8901       MOV DWORD PTR DS:[ECX],EAX

Remote attackers can send an specially crafted name value to overflow
the buffer and execute arbitrary code.

III. ANALYSIS

Successful exploitation of the vulnerability allows remote attackers to
execute arbitrary code with user privileges. The overflow is a
trivial heap-based buffer overflow due to insufficient bounds checking
on the 'name' value in Application Set responses. A typical
exploitation scenario would require an attacker to setup a fake Citrix
Server and wait for a Citrix Program Neighborhood client to connect.
Upon receiving the first connecting packets from the client, the server
would send a corrupt UDP packet to the client.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Citrix
Presentation Server Client 9.0. All prior versions are suspected
vulnerable.

V. WORKAROUND

iDefense is unaware of any effective workarounds at this time.

VI. VENDOR RESPONSE

The vendor has released the following advisory to address this issue:

 http://support.citrix.com/kb/entry.jspa?externalID=CTX108354

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3652 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/15/2005 Initial vendor notification
11/15/2005 Initial vendor response
12/16/2005 Coordinated public disclosure

IX. CREDIT

iDefense credits Patrik Karlsson (patrik@cqure.net) with the discovery
of this vulnerability.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright     

- 漏洞信息

21816
Citrix Program Neighborhood Application Set Name Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Commercial

- 漏洞描述

A remote overflow exists in Citrix Program Neighborhood for Windows. The Program Neighborhood fails to correctly handle long 'Application Set' responses, resulting in a heap overflow. With a specially crafted UDP packet, an attacker can execute arbitray code, resulting in a loss of integrity.

- 时间线

2005-12-16 2005-11-15
2001-02-01 Unknow

- 解决方案

Upgrade to version 9.150 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

- 漏洞信息

Citrix Program Neighborhood Application Enumeration Buffer Overflow Vulnerability
Boundary Condition Error 15907
Yes No
2005-12-16 12:00:00 2005-12-16 12:00:00
Patrik Karlsson <patrik@cqure.net> is credited with the discovery of this issue.

- 受影响的程序版本

Citrix ICA Program Neighborhood Client 9.1
Citrix ICA Program Neighborhood Client 9.0
Citrix ICA Program Neighborhood Client 9.150

- 不受影响的程序版本

Citrix ICA Program Neighborhood Client 9.150

- 漏洞讨论

The Citrix Program Neighborhood is prone to a stack-based overflow. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer.

This issue allows remote attackers to execute arbitrary machine code in the context of vulnerable client applications.

In order to exploit this issue, affected clients must connect to a malicious server. Attacks against the DNS infrastructure used by clients, social engineering, or other methods may be employed to achieve this. Alternatively, attackers must have access to a computer in the same LAN as targeted clients.

Versions 9.1 and prior of the Citrix Program Neighborhood client are vulnerable to this issue.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 解决方案

The vendor has released an advisory along with a fix for this issue. Please see the referenced advisory for further information.

Version 9.150 or later of Citrix Program Neighborhood may be downloaded from:
http://www.citrix.com/English/SS/downloads/downloads.asp?dID=2755

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站