exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Citrix ICA Client Heap Offset Overflow

Citrix ICA Client Heap Offset Overflow
Posted Aug 6, 2010
Authored by Michael Jordon | Site contextis.co.uk

The Citrix ICA client suffers from a heap offset overflow vulnerability.

tags | advisory, overflow
SHA-256 | 50179bb09cedbe0cad1f0371df93941a8c4c790d8cc35bbe08cc6fa23168c75c

Citrix ICA Client Heap Offset Overflow

Change Mirror Download
===============================ADVISORY===============================
Systems Affected: Citrix ICA Client
Severity: High
Category: Heap Offset Overflow
Author: Context Information Security Ltd
Reported to vendor: 20th February 2008
Advisory Issued: 4th August 2010
===============================ADVISORY===============================

Description
-----------
The Citrix Presentation Server Client (test on v10.150) does not perform bounds checking on the type field in an ICA "graphics" packet. This lack of checking allows for a remote exploitation of a user that has the client installed.

The exploit can be triggered by sending a user to a malicious webpage that causes an ICA file to be downloaded. This automatically connects to a simulated ICA server, which can trigger the remote code execution and take control over the client.


Analysis
--------
The ICA client software is vulnerable to an offset overflow heap exploit. The ICA client does not correctly validate input from network data in the graphics packets. This allows arbitrary code execution on a victim's computer that connects to a malicious ICA server. A user with the ICA client installed will automatically connect to an ICA server that is provided via a URL.

Therefore if a user clicks on a malicious link, opens an ".ICA" file via email or is redirected to a malicious server the exploit will be launched against the user.

The exploit works by providing an ".ICA" file to the web browser which instructs the browser to load the ICA client and connect to the malicious server. The server is not a real ICA server but software which simulates the initially negotiation of an ICA connection and then launches the exploit.


Technologies Affected
---------------------
Citrix Client 10 for Windows, Mac, Linux, Solaris and Windows Mobile


Vendor Response
---------------
Citrix advise users to upgrade to the latest version of the Citrix client. See the following Citrix support article for more details:
http://support.citrix.com/article/CTX125975


Disclosure Timeline
-------------------
20th February 2008 - Vendor Notification
26th February 2008 - Vendor Response for more Details
3rd March 2008 - Vendor Confirm Vulnerability
3rd August 2010 - Vendor Patch Released


Credits
--------
Michael Jordon of Context Information Security Ltd


About Context Information Security
----------------------------------

Context Information Security is an independent security consultancy specialising in both technical security and information assurance services The company was founded in 1998. Its client base has grown steadily over the years, thanks in large part to personal recommendations from existing clients who value us as business partners. We believe our success is based on the value our clients place on our product-agnostic, holistic approach; the way we work closely with them to develop a tailored service; and to the independence, integrity and technical skills of our consultants.
The company's client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations.

The best security experts need to bring a broad portfolio of skills to the job, so Context has always sought to recruit staff with extensive business experience as well as technical expertise. Our aim is to provide effective and practical solutions, advice and support: when we report back to clients we always communicate our findings and recommendations in plain terms at a business level as well as in the
form of an in-depth technical report.

Web: www.contextis.co.uk
Email: disclosure@contextis.co.uk


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close