Citrix ICA Client ActiveX Control Heap Overflow Vulnerability
Thursday, 07 December 2006 by Michel Roth
A vulnerability has been discovered in Citrix Presentation Server Client that an attacker can exploit to compromise a user's system.

The vulnerability is caused by a boundary error within the "SendChannelData()" method in the ICA Client ActiveX control component (WFICA.OCX). This can be exploited to cause a heap-based buffer overflow, for example by setting the "DataSize" and "DataType" parameters to "1" and passing an overly long string in the "Data" parameter.

Successful exploitation allows execution of arbitrary code, for example when a user visits a malicious website.

The vulnerability is confirmed in version 9.200.44376.0 included in the Citrix Presentation Server Client Package version 9.200. Other versions may also be affected.
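The advisory describes a mismatch between a declared size and the data actually passed. The following C sketch is an added illustration of that class of bug and its fix, not code from Citrix or from WFICA.OCX; the function names, the `SCD_*` constants and the assumed root cause (allocation by declared size, copy by string length) are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
enum { SCD_OK = 0, SCD_BAD_ARG = -1, SCD_SIZE_MISMATCH = -2, SCD_NO_MEM = -3 };
#define SCD_MAX_DATA 4096u  /* assumed cap on one write; not from the advisory */

/* Unsafe pattern (assumed, for comparison; never called here): the allocation
 * trusts the declared size while the copy trusts the string, so a declared
 * size of 1 with a long string makes strcpy() run past a 1-byte heap block. */
char *copy_channel_data_unsafe(size_t declared_size, const char *data)
{
    char *buf = malloc(declared_size);
    if (buf != NULL)
        strcpy(buf, data);
    return buf;
}

static size_t bounded_len(const char *s, size_t max)  /* strlen, capped at max */
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: measure the data once, reject any disagreement with the
 * declared size, and derive both allocation and copy from that one length. */
int copy_channel_data_checked(size_t declared_size, const char *data, char **out)
{
    size_t actual;
    if (data == NULL || out == NULL)
        return SCD_BAD_ARG;
    *out = NULL;
    actual = bounded_len(data, SCD_MAX_DATA + 1);
    if (actual > SCD_MAX_DATA || actual != declared_size)
        return SCD_SIZE_MISMATCH;
    if ((*out = malloc(actual + 1)) == NULL)
        return SCD_NO_MEM;
    memcpy(*out, data, actual);
    (*out)[actual] = '\0';
    return SCD_OK;
}

int main(void)
{   /* Constructed input mirroring the advisory: declared size 1, long data. */
    char *buf = NULL;
    int rc = copy_channel_data_checked(1, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", &buf);
    free(buf);
    return rc == SCD_SIZE_MISMATCH ? 0 : 1;
}
```

The checked variant fails closed on any disagreement between the declared size and the measured length, so no write can exceed the allocation.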

Read the advisory here.
