CVE-2011-2882
Published: 2011-07-21
Priority: P2 69 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 56.37% (98.9th percentile)
Stack-based buffer overflow in the NSEPA.NsepaCtrl.1 ActiveX control in nsepa.ocx in Citrix Access Gateway Enterprise Edition 8.1 before 8.1-67.7, 9.0 before 9.0-70.5, and 9.1 before 9.1-96.4 allows remote attackers to execute arbitrary code via crafted HTTP header data.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | access_gateway | — | — |
| citrix | access_gateway | — | — |
| citrix | access_gateway | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit delivery via HTTP response serving nsepa.ocx with Content-Type application/binary from a non-Citrix host, or requests to /epaq URI path with User-Agent 'nsepa'
- Monitor for heap spray patterns targeting address 0x0c0c0c0c (IE6/XP) or 0x0c0c0b0b (IE7/XP/Vista) in browser memory, indicative of exploitation of this ActiveX overflow
- Exploitation requires user interaction: the victim must click a button in a dialog to begin a scan; a social engineering lure combined with NSEPA.NsepaCtrl.1 ActiveX instantiation on a web page is a strong indicator
- The exploit uses 'migrate -f' as InitialAutoRunScript, so post-exploitation process migration should be expected immediately after code execution; monitor for unusual process spawning from browser processes
- Crafted HTTP header data triggers the overflow in nsepa.ocx; inspect HTTP headers in requests/responses involving the NSEPA ActiveX control for anomalous length or content
- Exploitation requires user interaction: the victim must actively click a button in a dialog; drive-by silent exploitation without user action is not possible with this vulnerability
- Metasploit module payload space is limited to 500 bytes; payloads larger than this will not function correctly in exploit attempts
Citrix
CVE-2011-2882 [CRITICAL] CWE-119
vendor_citrix · 2011-07-21 · CVSS 9.3
GHSA
GHSA-cwj2-353m-w5fv: Stack-based buffer overflow in the NSEPA
CVE-2011-2882 [HIGH] CWE-119
ghsa_unreviewed · 2022-05-17
No detection rules found.
Exploit-DB
Citrix Gateway - ActiveX Control Stack Buffer Overflow (Metasploit)
exploitdb · 2011-08-31
---
##
# $Id: citrix_gateway_actx.rb 13670 2011-08-31 00:15:46Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability',
'Description' => %q{
This module exploits a stack based buffer overflow in the Citrix Gateway
ActiveX control. Exploitation of this vulnerability requires user interaction.
The victim must click a button in a dialog to begin a scan. This is typical
interaction that users should be
Metasploit
Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability
This module exploits a stack based buffer overflow in the Citrix Gateway ActiveX control. Exploitation of this vulnerability requires user interaction. The victim must click a button in a dialog to begin a scan. This is typical interaction that users should be accustomed to. Exploitation results in code execution with the privileges of the user who browsed to the exploit page.
No writeups or analysis indexed.
Published: 2011-07-21