Citrix Program Neighborhood Agent Malicious Shortcut Creation Vulnerability

Bugtraq ID:	13379
Class:	Design Error
CVE:	CVE-2004-1077
Remote:	Yes
Local:	No
Published:	Apr 26 2005 12:00AM
Updated:	Jul 12 2009 02:06PM
Credit:	Discovery credited to Patrik Karlsson.
Vulnerable:	Citrix Program Neighborhood Agent for Win32 8.0 Citrix Metaframe Presentation Server client for WinCE 8.0
Not Vulnerable:

Citrix Program Neighborhood Agent Malicious Shortcut Creation Vulnerability

Citrix Program Neighborhood Agent is prone to an issue that could allow malicious code to be executed in the context of the current user. The Program Neighborhood Agent allows shortcuts to be created in the Startup folder. If this shortcut points to a malicious file, it would be executed the next time the user starts Windows.

This issue was reported to affect Program Neighborhood Agent for Win32 and Citrix Metaframe Presentation Server client for WinCE.

Citrix Program Neighborhood Agent Malicious Shortcut Creation Vulnerability

An exploit is not required.

Citrix Program Neighborhood Agent Malicious Shortcut Creation Vulnerability

Solution:
Fixes are available:


Citrix Metaframe Presentation Server client for WinCE 8.0

• Citrix Client Updates
  http://www.citrix.com/English/SS/downloads/downloads.asp?dID=2755

Citrix Program Neighborhood Agent for Win32 8.0

• Citrix Client Updates
  http://www.citrix.com/English/SS/downloads/downloads.asp?dID=2755

Citrix Program Neighborhood Agent Malicious Shortcut Creation Vulnerability

References:

• Citrix Homepage (Citrix)
  
• CTX105650 Vulnerabilities in Program Neighborhood Agent could allow arbitrary c (Citrix)
  
• iDEFENSE Security Advisory 04.26.05: Citrix Program Neighborhood Agent Arbitrary ("iDEFENSE Labs" )