CVE-2011-2882 - Buffer Errors vulnerability in Citrix Access Gateway 8.1/9.0/9.1

047910
CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, citrix, CWE-119, critical, nessus, exploit available, metasploit

Summary

Stack-based buffer overflow in the NSEPA.NsepaCtrl.1 ActiveX control in nsepa.ocx in Citrix Access Gateway Enterprise Edition 8.1 before 8.1-67.7, 9.0 before 9.0-70.5, and 9.1 before 9.1-96.4 allows remote attackers to execute arbitrary code via crafted HTTP header data.

Vulnerable Configurations

Part         Description   Count
Application  Citrix        3

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description: Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability. CVE-2011-2882. Remote exploit for Windows platform
id: EDB-ID:17762
last seen: 2016-02-02
modified: 2011-08-31
published: 2011-08-31
reporter: metasploit
source: https://www.exploit-db.com/download/17762/
title: Citrix Gateway - ActiveX Control Stack Based Buffer Overflow Vulnerability

Metasploit

description: This module exploits a stack based buffer overflow in the Citrix Gateway ActiveX control. Exploitation of this vulnerability requires user interaction. The victim must click a button in a dialog to begin a scan. This is typical interaction that users should be accustomed to. Exploitation results in code execution with the privileges of the user who browsed to the exploit page.
id: MSF:EXPLOIT/WINDOWS/BROWSER/CITRIX_GATEWAY_ACTX
last seen: 2020-05-22
modified: 2017-10-05
published: 2011-08-30
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/citrix_gateway_actx.rb
title: Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability

Nessus

NASL family: Windows
NASL id: CITRIX_ACCESS_GATEWAY_ACTIVEX_CTX129902.NASL
description: The Citrix Access Gateway ActiveX control for Citrix Access Gateway Enterprise Edition is installed on the remote Windows host. It is the ActiveX component of the Citrix Access Gateway Plug-in for Windows and provides an SSL-based VPN via a web browser. The installed version of this control is affected by the following vulnerabilities that could lead to arbitrary code execution:
  - The control loads a dynamic link library (DLL) when processing HTTP header data from the Access Gateway server without properly ensuring that the DLL has a valid signature. (ZDI 928)
  - The control copies HTTP header data from the Access Gateway server into a fixed-size stack buffer without verifying the size of the data, which could result in a buffer overflow. (ZDI 929)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 55653
published: 2011-07-22
reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/55653
title: Citrix Access Gateway Plug-in for Windows ActiveX Control Multiple Vulnerabilities (CTX129902)
code:
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(55653);
  script_version("1.13");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  script_cve_id("CVE-2011-2882", "CVE-2011-2883");
  script_bugtraq_id(48676);
  script_xref(name:"EDB-ID", value:"17762");

  script_name(english:"Citrix Access Gateway Plug-in for Windows ActiveX Control Multiple Vulnerabilities (CTX129902)");
  script_summary(english:"Checks control's version / kill bit");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Windows host has an ActiveX control that is affected by
multiple vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The Citrix Access Gateway ActiveX control for Citrix Access Gateway
Enterprise Edition is installed on the remote Windows host.  It is the
ActiveX component of the Citrix Access Gateway Plug-in for Windows and
provides an SSL-based VPN via a web browser.

The installed version of this control is affected by the following
vulnerabilities that could lead to arbitrary code execution :

  - The control loads a dynamic link library (DLL) when
    processing HTTP header data from the Access Gateway
    server without properly ensuring that the DLL has a
    valid signature. (ZDI 928)

  - The control copies HTTP header data from the Access
    Gateway server into a fixed-size stack buffer without
    verifying the size of the data, which could result in
    a buffer overflow. (ZDI 929)"
  );
   # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=928
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9953dfa4");
   # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=929
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8e4049bc");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/518891/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://support.citrix.com/article/CTX129902");
  script_set_attribute(
    attribute:"solution",
    value:
"Either set the kill bit for the control or upgrade to Citrix Access
Gateway Enterprise Edition 8.1-67.7 / 9.0-70.5 / 9.1-96.4 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/07/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/07/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:citrix:access_gateway");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_activex_func.inc");


get_kb_item_or_exit("SMB/Registry/Enumerated");
if (activex_init() != ACX_OK) exit(1, "activex_init() failed.");


# Determine if the control is installed.
clsid = '{181BCAB2-C89B-4E4B-9E6B-59FA67A426B5}';

file = activex_get_filename(clsid:clsid);
if (isnull(file))
{
  activex_end();
  exit(1, "activex_get_filename() returned NULL.");
}
if (!file)
{
  activex_end();
  exit(0, "The control is not installed since the class id '"+clsid+"' is not defined on the remote host.");
}


# Get its version.
version = activex_get_fileversion(clsid:clsid);
if (!version)
{
  activex_end();
  exit(1, "Failed to get file version of '"+file+"'.");
}
ver_pat = "^([0-9]+\.[0-9]+)\.([0-9]+\.[0-9]+)$";
version_ui = ereg_replace(pattern:ver_pat, replace:"\1-\2", string:version);


# And check it.
if (version =~ "^8\.1\.") fixed_version = "8.1.67.7";
else if (version =~ "^9\.0\.") fixed_version = "9.0.70.5";
else if (version =~ "^9\.1\.") fixed_version = "9.1.96.4";
else exit(0, "Version "+version_ui+" of the control is installed, but it is not affected.");

info = '';
rc = activex_check_fileversion(clsid:clsid, fix:fixed_version);
if (rc == TRUE)
{
  if (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0)
  {
    fixed_version_ui = ereg_replace(pattern:ver_pat, replace:"\1-\2", string:fixed_version);

    info += '\n  Class Identifier  : ' + clsid +
            '\n  Filename          : ' + file +
            '\n  Installed version : ' + version_ui +
            '\n  Fixed version     : ' + fixed_version_ui + '\n';
  }
}
activex_end();


# Report findings.
if (info)
{
  if (report_paranoia > 1)
  {
    report = info +
      '\n' +
      'Note, though, that Nessus did not check whether the kill bit was\n' +
      "set for the control's CLSID because of the Report Paranoia setting" + '\n' +
      'in effect when this scan was run.\n';
  }
  else
  {
    report = info +
      '\n' +
      'Moreover, its kill bit is not set so it is accessible via Internet\n' +
      'Explorer.\n';
  }

  if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);
  else security_hole(kb_smb_transport());

  exit(0);
}
else
{
  if (rc == FALSE) exit(0, "The control is not affected since it is version "+version_ui+".");
  else if (rc == TRUE) exit(0, "Version "+version_ui+" of the control is installed, but its kill bit is set.");
  else exit(1, "activex_check_fileversion() failed.");
}

Packetstorm

data source: https://packetstormsecurity.com/files/download/104603/citrix_gateway_actx.rb.txt
id: PACKETSTORM:104603
last seen: 2016-12-05
published: 2011-08-31
reporter: Michal Trojnara
source: https://packetstormsecurity.com/files/104603/Citrix-Gateway-ActiveX-Control-Stack-Based-Buffer-Overflow.html
title: Citrix Gateway ActiveX Control Stack Based Buffer Overflow

Saint

bid: 48676
description: Citrix Access Gateway NESPA ActiveX Control
osvdb: 74191
title: citrix_access_gateway_activex_nsepa
type: client

Seebug

bulletinFamily: exploit
description: No description provided by source.
id: SSV:72046
last seen: 2017-11-19
modified: 2014-07-01
published: 2014-07-01
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-72046
title: Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability