
eEye.iss.txt

Posted Mar 19, 2004
Authored by eEye Digital Security | Site eEye.com

eEye Security Advisory - A critical vulnerability has been discovered in the PAM component used in all current ISS host, server, and network device solutions. A routine within the Protocol Analysis Module (PAM) that monitors ICQ server responses contains a series of stack based buffer overflow vulnerabilities. If the source port of an incoming UDP packet is 4000, it is assumed to be an ICQ v5 server response. Any incoming packet matching this criterion will be forwarded to the vulnerable routine. By delivering a carefully crafted response packet to the broadcast address of a network operating RealSecure/BlackICE agents an attacker can achieve anonymous, remote SYSTEM access across all vulnerable nodes.

tags | advisory, remote, overflow, udp, vulnerability, protocol
SHA-256 | c6c0d8948e71c161a5add829f745ebab0f86413f58d23225b1380cf524cb01c0

Internet Security Systems PAM ICQ Server Response Processing Vulnerability

Release Date:
March 18, 2004

Date Reported:
March 8, 2004

Severity:
High (Remote Code Execution)

Vendor:
Internet Security Systems

Systems Affected:
RealSecure Network 7.0, XPU 22.11 and before
RealSecure Server Sensor 7.0 XPU 22.11 and before
RealSecure Server Sensor 6.5 for Windows SR 3.10 and before
Proventia A Series XPU 22.11 and before
Proventia G Series XPU 22.11 and before
Proventia M Series XPU 1.9 and before
RealSecure Desktop 7.0 ebl and before
RealSecure Desktop 3.6 ecf and before
RealSecure Guard 3.6 ecf and before
RealSecure Sentry 3.6 ecf and before
BlackICE Agent for Server 3.6 ecf and before
BlackICE PC Protection 3.6 ccf and before
BlackICE Server Protection 3.6 ccf and before

Description:

A critical vulnerability has been discovered in the PAM (Protocol
Analysis Module) component used in all current ISS host, server, and
network device solutions. A routine within PAM that monitors ICQ server
responses contains a series of stack-based buffer overflow
vulnerabilities. If the source port of an incoming UDP packet is 4000,
the packet is assumed to be an ICQ v5 server response, and any packet
matching this criterion is forwarded to the vulnerable routine. By
delivering a carefully crafted response packet to the broadcast address
of a network running RealSecure/BlackICE agents, an attacker can achieve
anonymous, remote SYSTEM access across all vulnerable nodes.

Technical Description:

If the PAM ICQ response handling routine receives a SRV_META_USER
response, the nickname, firstname, lastname, and email address buffers
are each assigned a pointer into a general-purpose structure. Later, in
the parent routine, each of these buffers is temporarily copied into a
512-byte stack-based buffer without any sanity checking. To reach the
vulnerable function calls, the attacker needs to craft a SRV_MULTI
response that contains two embedded response packets, a SRV_USER_ONLINE
response and a SRV_META_USER response. If both are supplied, the
required condition is met, the entire ICQ decoder structure is filled
out, and the vulnerable sprintf calls are reached.
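The following is an added example, not code from the advisory or from ISS: a hypothetical reconstruction of the pattern described above (decoder fields copied with sprintf into a 512-byte stack buffer) beside a bounded version that rejects an over-long or unterminated field before the buffer is touched. The struct and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the decoder state the advisory describes:
 * after SRV_META_USER, four fields point into a general-purpose structure.
 * Names are assumptions; this is not ISS's code. */
struct icq_meta_user {
    const char *nickname, *firstname, *lastname, *email;
};

#define SCRATCH_LEN 512   /* the 512-byte stack buffer named in the advisory */
/* "Before": the pattern the advisory describes. sprintf never learns how big
 * scratch is, so a field of 512 or more bytes overwrites the stack frame.
 * Kept for contrast only; it must never see attacker-controlled input. */
void emit_fields_vulnerable(const struct icq_meta_user *u)
{
    char scratch[SCRATCH_LEN];
    const char *f[4] = { u->nickname, u->firstname, u->lastname, u->email };
    for (int i = 0; i < 4; i++)
        sprintf(scratch, "%s", f[i]);   /* unbounded copy into a fixed buffer */
}

/* "After": refuse the packet before the stack buffer is touched. memchr
 * bounds the scan, so an unterminated field is rejected as well. Returns 0
 * when every field fits; -1 means discard the datagram and raise an event. */
int emit_fields_safe(const struct icq_meta_user *u)
{
    char scratch[SCRATCH_LEN];
    const char *f[4] = { u->nickname, u->firstname, u->lastname, u->email };
    for (int i = 0; i < 4; i++) {
        if (f[i] == NULL || memchr(f[i], '\0', SCRATCH_LEN) == NULL)
            return -1;                  /* no terminator within 512 bytes */
        int n = snprintf(scratch, sizeof scratch, "%s", f[i]);
        if (n < 0 || (size_t)n >= sizeof scratch) return -1;  /* belt and braces */
        /* scratch now holds a terminated copy the rest of the decoder may use */
    }
    return 0;
}

/* Verdict of the hardened path for a constructed SRV_META_USER record whose
 * nickname is nick_len bytes of 'A' (sample input, not a captured packet). */
int verdict_for_nickname_length(size_t nick_len)
{
    static char nick[2048];
    if (nick_len >= sizeof nick) nick_len = sizeof nick - 1;
    memset(nick, 'A', nick_len);
    nick[nick_len] = '\0';
    struct icq_meta_user u = { nick, "Bob", "Smith", "bob@example.invalid" };
    return emit_fields_safe(&u);
}
```

A 511-byte field is the largest the hardened path accepts; anything at or beyond the buffer size is dropped before any copy takes place.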

Since UDP is a stateless protocol, most IDS products do not keep state
or a record of a concurrent connection; such a feature would be too
costly to the performance of the IDS engine. With this in mind, this
flaw can be exploited by sending a single spoofed datagram.

In our test environment we successfully compromised a BlackICE
installation with "paranoid" configuration enabled, application
protection enabled, file sharing support disabled, and network
neighborhood support disabled.

It should be noted that the BlackICE/RealSecure engine listens for
packets received on the broadcast interface. This allows the
vulnerability to be exploited simultaneously across every vulnerable
host within a targeted network by issuing a single, spoofed, UDP
datagram.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Internet Security Systems have released patches for these issues. The
patches are available at: http://www.iss.net/download/. The Internet
Security Systems security bulletin can be found at:
http://xforce.iss.net/xforce/alerts/id/166

Credit:
Discovery: Riley Hassell + Barnaby Jack = Briley Hassell-Jack
Additional Research: Derek Soeder

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/index.html

Greetings:
Arturo Gatti, Ms. Milidonis, and AGold.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com