
HTTP Citrix Presentation Client ActiveX BO

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.


This signature detects attempts to exploit a buffer overflow vulnerability by passing long arguments into a property of the Citrix Presentation Server Client WFICA.OCX ActiveX control.

Additional Information

The Citrix Presentation Server Client is an ICA client application that includes Citrix support. It includes an ActiveX component that is used to integrate the client application into web pages.

The application is prone to a heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

In particular, the vulnerability resides in the 'DataSize', 'DataType', and 'Data' parameters of the 'SendChannelData()' function. If an attacker sets the 'DataSize' and 'DataType' parameters to '1' and then supplies an excessively large 'Data' parameter, memory will be overwritten and become corrupted as a result of a heap-based buffer overflow.

The issue affects the 'wfica.ocx' COM object with class ID {238F6F83-B8B4-11CF-8771-00A024541EE3}, which is installed by default at 'C:\Program Files\Citrix\ICA Client\Wfica.ocx'.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.
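
The following read-only host audit is an added example, not part of the original signature page or any vendor tooling. It reports whether the control with the class ID above is registered, which file version is on disk, and whether an Internet Explorer kill bit is set for it. The function name `Get-WficaExposure` is hypothetical, and the kill-bit registry location and `0x400` flag are the standard Internet Explorer mechanism, assumed here rather than taken from the page.

```powershell
# Added example: read-only audit of the control named in this signature.
# The class ID comes from the page; Get-WficaExposure is a hypothetical name.
$WficaClsid = '{238F6F83-B8B4-11CF-8771-00A024541EE3}'

function Get-WficaExposure {
    param([string]$ClassId = $WficaClsid)

    # Check the native registry view and the 32-bit view on 64-bit Windows.
    $roots = [ordered]@{
        'native' = 'HKLM:\SOFTWARE'
        'wow64'  = 'HKLM:\SOFTWARE\WOW6432Node'
    }
    foreach ($view in $roots.Keys) {
        $root    = $roots[$view]
        $regKey  = "$root\Classes\CLSID\$ClassId\InprocServer32"
        $killKey = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$ClassId"

        # COM registration: the key's default value is the path to the binary.
        $path = $null; $version = $null
        if (Test-Path -LiteralPath $regKey) {
            $path = [string](Get-Item -LiteralPath $regKey).GetValue('')
            $path = $path.Trim('"')
            if ($path -and (Test-Path -LiteralPath $path)) {
                $version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            }
        }

        # Assumption (not from the page): Internet Explorer refuses to load a
        # control whose "Compatibility Flags" value has bit 0x400 set.
        $flags = 0
        if (Test-Path -LiteralPath $killKey) {
            $value = (Get-Item -LiteralPath $killKey).GetValue('Compatibility Flags')
            if ($null -ne $value) { $flags = [int]$value }
        }

        [pscustomobject]@{
            View        = $view
            Registered  = [bool]$path
            Path        = $path
            FileVersion = $version
            KillBitSet  = ($flags -band 0x400) -ne 0
        }
    }
}

Get-WficaExposure | Format-Table -AutoSize
```

Compare the reported `FileVersion` with the affected client release this page lists; the script changes nothing on the host.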


  • Citrix Presentation Server Client 9.200