Citrix MetaFrame IMA Management Module Remote Heap Overflow Vulnerability
ZDI-06-038: November 9th, 2006CVE ID
Affected Vendors
Affected Products
TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4494. For further product information on the TippingPoint IPS:Vulnerability Details
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Citrix MetaFrame Presentation Server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the routine IMA_SECURE_DecryptData1() defined in ImaSystem.dll and is reachable through the Independant Management Architecture (IMA) service (ImaSrv.exe) that listens on TCP port 2512 or 2513. The encryption scheme used is reversible and relies on several 32-bit fields indicating the size of the packet and the offsets to the authentication strings. During the decryption of authentication data an attacker can specify invalid sizes that result in an exploitable heap corruption.
Vendor Response
Citrix has issued an update to correct this vulnerability. More details can be found at:Disclosure Timeline
-
2006-06-16 - Vulnerability reported to vendor
2006-11-09 - Coordinated public release of advisory
Credit
This vulnerability was discovered by:-
Eric Detoisien and an anonymous researcher
