Flaw in Citrix Metaframe leaves door to system wide open
The Zero Day Initiative (ZDI) has published details of a critical security hole in Citrix Presentation Server and MetaFrame. Attackers could use a buffer overflow in Citrix' print provider, the component that handles printing from applications, to inject arbitrary code onto a system over the network and execute it with the privileges of the print spooler, which runs with SYSTEM rights. The flaw lies in the OpenPrinter function in the file cpprov.dll and can be triggered by specially crafted RPC requests or by local API calls.
No prior authentication is necessary for the attack to succeed. The following software is affected:
- Citrix Presentation Server 4.0 for Microsoft Windows 2003
- Citrix Presentation Server 4.0 for Microsoft Windows 2000
- Citrix Presentation Server 4.0 x64 Edition
- Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2000
- Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2003
- Citrix MetaFrame XP 1.0 for Microsoft Windows 2000
- Citrix MetaFrame XP 1.0 for Microsoft Windows 2003
as well as earlier versions of these products. The vendor has released updates that close the hole. Also see:
- Vulnerability in Citrix Presentation Server's print provider could result in arbitrary code execution, Citrix' security advisory
- Citrix MetaFrame Presentation Server Print Provider Buffer Overflow Vulnerability, ZDI's security advisory
(ehe)