iDefense Security Advisory 07.14.11 http://labs.idefense.com/intelligence/vulnerabilities/ Jul 14, 2011 I. BACKGROUND Citrix's Access Gateway solution provides remote access to customers via the Web browser. This is accomplished through the use of an ActiveX control that enables an SSL based VPN. The control itself is provided by the server upon connecting. Access Gateway functionality is provided by several models of Access Gateway Appliances. For more information, visit the URL referenced below. II. DESCRIPTION Remote exploitation of a buffer overflow in Citrix Systems, Inc.'s Access Gateway Client ActiveX control allows remote attackers to execute arbitrary code. The vulnerability exists within the ActiveX control with the following identifiers: CLSID: 181BCAB2-C89B-4E4B-9E6B-59FA67A426B5 ProgId: NSEPA.NsepaCtrl.1 File: %WINDIR%\Downloaded Program Files\nsepa.ocx When processing HTTP header data provided by the Access Gateway server, the client ActiveX control copies a variable length string into a fixed-size stack buffer. Due to insufficient input validation, a trivially exploitable stack-based buffer overflow can occur. III. ANALYSIS Exploitation allows attackers to execute arbitrary code in the context of the currently logged-on user. To exploit this vulnerability, a targeted user must load a malicious Web page created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites. Additionally, a targeted user must have this control already installed or must accept several warning prompts at the time that the attack is taking place. This control is not on the white list included with Internet Explorer 7.0. More information can be found at the following URL. http://msdn.microsoft.com/en-us/library/bb250471.aspx This particular control also has an additional prompt inquiring whether or not the user wishes to allow an "Endpoint Analysis" scan. The options presented are "Yes", "No", and "Always Allow". Clicking "Yes" or "Always Allow" can lead to exploitation. Clicking "No" can not result in exploitation. Also, clicking "Always Allow" will create a registry key enabling automatic scanning for all future uses of the control. IV. DETECTION The following versions of Citrix Access Gateway Enterprise Edition are vulnerable: V. WORKAROUND Setting the kill-bit for this control will prevent it from being loaded within Internet Explorer. However, doing so will prevent legitimate use of the control. VI. VENDOR RESPONSE Citrix has released a patch which addresses this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown. https://www.citrix.com/English/ss/downloads/results.asp?productID=1500 5 VII. CVE INFORMATION A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet. VIII. DISCLOSURE TIMELINE 07/01/2009 Initial Vendor Notification 07/02/2009 Initial Vendor Reply 07/14/2011 Coordinated Public Disclosure IX. CREDIT This vulnerability was reported to iDefense by Michal Trojnara. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2011 Verisign Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.