Reported April 26, 2005 by iDEFENSE
VERSIONS AFFECTED
Program Neighborhood Agent for Win32
Citrix MetaFrame Presentation Server client for WinCE
DESCRIPTION
The Citrix Program Neighborhood Agent contains an unchecked buffer that could allow an intruder to run arbitrary code on an affected system. The code would run in the same security context as the user who is currently logged in to the system. The problem exists due to the way the agent software builds the filenames of icons associated with cache applications.
A second vulnerability could allow an intruder to create arbitrary shortcuts in a user's startup folder.
VENDOR RESPONSE
Citrix Systems has released updated versions of its client packages along with an article, "Vulnerabilities in Program Neighborhood Agent could allow arbitrary code execution," that describes the problem.
CREDITS
The unchecked buffer vulnerability was discovered by Patrik Karlsson and reported in conjunction with iDEFENSE. The shortcut creation vulnerability was discovered by iDEFENSE.