Advisory Details

November 9th, 2006

Citrix MetaFrame IMA Management Module Remote Heap Overflow Vulnerability

ZDI-06-038
ZDI-CAN-062

CVE ID CVE-2006-5821
CVSS SCORE
AFFECTED VENDORS Citrix
AFFECTED PRODUCTS Metaframe Server
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4494. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Citrix MetaFrame Presentation Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the routine IMA_SECURE_DecryptData1() defined in ImaSystem.dll and is reachable through the Independant Management Architecture (IMA) service (ImaSrv.exe) that listens on TCP port 2512 or 2513. The encryption scheme used is reversible and relies on several 32-bit fields indicating the size of the packet and the offsets to the authentication strings. During the decryption of authentication data an attacker can specify invalid sizes that result in an exploitable heap corruption.

ADDITIONAL DETAILS Citrix has issued an update to correct this vulnerability. More details can be found at:
http://support.citrix.com/article/CTX111186
DISCLOSURE TIMELINE
  • 2006-06-16 - Vulnerability reported to vendor
  • 2006-11-09 - Coordinated public release of advisory
CREDIT Eric Detoisien and an anonymous researcher
BACK TO ADVISORIES