Advisory Details

January 24th, 2007

Citrix Metaframe Presentation Server Print Provider Buffer Overflow Vulnerability

ZDI-07-006
ZDI-CAN-101

CVE ID CVE-2007-0444
CVSS SCORE
AFFECTED VENDORS Citrix
AFFECTED PRODUCTS MetaFrame Presentation Server
MetaFrame XP
Presentation Server
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 3583. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of Citrix Presentation Server, MetaFrame Presentation Server or MetaFrame XP. Authentication is not required to exploit this vulnerability.

The specific flaw exists in a print provider installed by the Presentation Server. The cpprov.dll library does not properly handle certain invalid calls to the EnumPrintersW() and OpenPrinter() functions. For example, passing a string of 130 or more characters as the first argument (the printer name) to the OpenPrinter() function results in a stack-based buffer overflow. Because print providers are loaded into the Print Spooler's process, the overflow can be leveraged to execute code in the context of the Spooler service, which runs as the privileged LocalSystem account.
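
The pattern behind this class of bug, and the check that prevents it, as an added illustration that is not code from the advisory, from ZDI or from Citrix's cpprov.dll. The 128-character buffer size, the function names open_printer_unsafe and open_printer_checked, and the printer_handle_t structure are all assumptions made for the example; the advisory only states that names of 130 or more characters overflow the real buffer.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Assumed size of the provider's stack buffer for the printer name. The
 * advisory only says that 130 or more characters overflow it; 128 is a
 * plausible guess for the example, not a value taken from cpprov.dll. */
#define PRINTER_NAME_BUF 128

/* Status codes mirroring what an OpenPrinter() implementation would
 * return; the numbers are the winerror.h values for the named errors. */
enum {
    RC_OK = 0,
    RC_INVALID_PARAMETER = 87,     /* ERROR_INVALID_PARAMETER */
    RC_INVALID_PRINTER_NAME = 1801 /* ERROR_INVALID_PRINTER_NAME */
};

typedef struct {
    wchar_t name[PRINTER_NAME_BUF];
    int opened;
} printer_handle_t;

/* Vulnerable pattern: the caller-controlled name is copied into a fixed
 * stack buffer with no length check. A name of PRINTER_NAME_BUF or more
 * characters writes past the end of `local` into the saved frame.
 * Kept only to show the shape of the bug; never call it with a long name. */
int open_printer_unsafe(const wchar_t *name, printer_handle_t *out)
{
    wchar_t local[PRINTER_NAME_BUF];
    wcscpy(local, name);                 /* unbounded copy: the overflow */
    wcscpy(out->name, local);
    out->opened = 1;
    return RC_OK;
}

/* Length of `s`, scanning at most `max` characters, so an unterminated or
 * oversized input cannot run the scan off the end of the caller's buffer. */
static size_t bounded_wlen(const wchar_t *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != L'\0')
        n++;
    return n;
}

/* Reports whether the unsafe copy above would overflow for `name`,
 * without performing it. */
bool unsafe_copy_would_overflow(const wchar_t *name)
{
    return bounded_wlen(name, PRINTER_NAME_BUF) >= PRINTER_NAME_BUF;
}

/* Hardened equivalent: validate the name before any copy and fail with a
 * status code instead of trusting the caller's length. */
int open_printer_checked(const wchar_t *name, printer_handle_t *out)
{
    if (name == NULL || out == NULL)
        return RC_INVALID_PARAMETER;

    size_t len = bounded_wlen(name, PRINTER_NAME_BUF);
    if (len == 0 || len >= PRINTER_NAME_BUF) /* need room for the terminator */
        return RC_INVALID_PRINTER_NAME;

    memcpy(out->name, name, (len + 1) * sizeof(wchar_t));
    out->opened = 1;
    return RC_OK;
}

/* Helper: open a printer whose (constructed) name is `n` copies of 'A' and
 * return the status the checked implementation gives. */
int open_name_of_length(size_t n)
{
    wchar_t buf[512];
    if (n >= sizeof buf / sizeof buf[0])
        n = sizeof buf / sizeof buf[0] - 1;
    for (size_t i = 0; i < n; i++)
        buf[i] = L'A';
    buf[n] = L'\0';

    printer_handle_t h = {0};
    return open_printer_checked(buf, &h);
}

int main(void)
{
    printf("127 chars: %d\n", open_name_of_length(127)); /* 0: accepted */
    printf("130 chars: %d\n", open_name_of_length(130)); /* 1801: rejected */
    return 0;
}
```

The hardened version scans the name with a bound equal to the destination size, so both the length check and the copy are limited by the buffer the provider actually owns, and a 130-character name is rejected before anything touches the stack.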

ADDITIONAL DETAILS
DISCLOSURE TIMELINE
  • 2006-10-02 - Vulnerability reported to vendor
  • 2007-01-24 - Coordinated public release of advisory
CREDIT Anonymous