what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

eEye.iss.txt

eEye.iss.txt
Posted Mar 19, 2004
Authored by eEye Digital Security | Site eEye.com

eEye Security Advisory - A critical vulnerability has been discovered in the PAM component used in all current ISS host, server, and network device solutions. A routine within the Protocol Analysis Module (PAM) that monitors ICQ server responses contains a series of stack based buffer overflow vulnerabilities. If the source port of an incoming UDP packet is 4000, it is assumed to be an ICQ v5 server response. Any incoming packet matching this criterion will be forwarded to the vulnerable routine. By delivering a carefully crafted response packet to the broadcast address of a network operating RealSecure/BlackICE agents an attacker can achieve anonymous, remote SYSTEM access across all vulnerable nodes.

tags | advisory, remote, overflow, udp, vulnerability, protocol
SHA-256 | c6c0d8948e71c161a5add829f745ebab0f86413f58d23225b1380cf524cb01c0

eEye.iss.txt

Change Mirror Download
Internet Security Systems PAM ICQ Server Response Processing
Vulnerability

Release Date:
March 18, 2004

Date Reported:
March 8, 2004

Severity:
High (Remote Code Execution)

Vendor:
Internet Security Systems

Systems Affected:
RealSecure Network 7.0, XPU 22.11 and before
RealSecure Server Sensor 7.0 XPU 22.11 and before
RealSecure Server Sensor 6.5 for Windows SR 3.10 and before
Proventia A Series XPU 22.11 and before
Proventia G Series XPU 22.11 and before
Proventia M Series XPU 1.9 and before
RealSecure Desktop 7.0 ebl and before
RealSecure Desktop 3.6 ecf and before
RealSecure Guard 3.6 ecf and before
RealSecure Sentry 3.6 ecf and before
BlackICE Agent for Server 3.6 ecf and before
BlackICE PC Protection 3.6 ccf and before
BlackICE Server Protection 3.6 ccf and before

Description:

A critical vulnerability has been discovered in the PAM (Protocol
Analysis Module) component used in all current ISS host, server, and
network device solutions. A routine within the Protocol Analysis Module
(PAM) that monitors ICQ server responses contains a series of stack
based buffer overflow vulnerabilities. If the source port of an incoming
UDP packet is 4000, it is assumed to be an ICQ v5 server response. Any
incoming packet matching this criterion will be forwarded to the
vulnerable routine. By delivering a carefully crafted response packet to
the broadcast address of a network operating RealSecure/BlackICE agents
an attacker can achieve anonymous, remote SYSTEM access across all
vulnerable nodes.

Technical Description:

If the PAM ICQ response handling routine receives a SRV_META_USER
response the nickname, firstname, lastname, and email address buffers
will be assigned a pointer into a general purpose structure. Later in
the parent routine each of these buffers will be temporarily copied into
a 512 byte stack based buffer without any sanity checking. In order to
reach the vulnerable function calls the attacker needs to craft a
SRV_MULTI response that contains two embedded response packets, a
SRV_USER_ONLINE response and a SRV_META_USER response. If both are
supplied then a condition is met and the entire ICQ decoder structure is
filled out, and the vulnerable sprintf calls will be followed.

Since UDP is a stateless protocol, most IDS products are incapable of
keeping state or record of a concurrent connection. Such a feature would
be too costly to the performance of the IDS engine. With this in mind,
this flaw can be exploited by sending a single spoofed datagram.

In our test environment we successfully compromised a BlackICE
installation with "paranoid" configuration enabled, application
protection enabled, file sharing support disabled, and network
neighborhood support disabled.

It should be noted that the BlackICE/RealSecure engine listens for
packets received on the broadcast interface. This allows the
vulnerability to be exploited simultaneously across every vulnerable
host within a targeted network by issuing a single, spoofed, UDP
datagram.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Internet Security Systems have released patches for these issues. The
patches are available at: http://www.iss.net/download/. The Internet
Security Systems security bulletin can be found at:
http://xforce.iss.net/xforce/alerts/id/166

Credit:
Discovery: Riley Hassell + Barnaby Jack = Briley Hassell-Jack
Additional Research: Derek Soeder

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/index.html

Greetings:
Arturo Gatti, Ms. Milidonis, and AGold.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close