Internet Security Systems PAM ICQ Server Response Processing Vulnerability
Release Date:
March 18, 2004
Date Reported:
March 8, 2004
Patch Development Time (In Days):
10
Severity:
High (Remote Code Execution)
Vendor:
Internet Security Systems
Systems Affected:
RealSecure Network 7.0, XPU 22.11 and before
RealSecure Server Sensor 7.0 XPU 22.11 and before
RealSecure Server Sensor 6.5 for Windows SR 3.10 and before
Proventia A Series XPU 22.11 and before
Proventia G Series XPU 22.11 and before
Proventia M Series XPU 1.9 and before
RealSecure Desktop 7.0 ebl and before
RealSecure Desktop 3.6 ecf and before
RealSecure Guard 3.6 ecf and before
RealSecure Sentry 3.6 ecf and before
BlackICE Agent for Server 3.6 ecf and before
BlackICE PC Protection 3.6 ccf and before
BlackICE Server Protection 3.6 ccf and before
Overview:
eEye Digital Security has discovered a critical vulnerability in the PAM (Protocol Analysis Module) component used in all current ISS host, server, and network device solutions. A routine within the Protocol Analysis Module (PAM) that monitors ICQ server responses contains a series of stack-based buffer overflow vulnerabilities. If the source port of an incoming UDP packet is 4000, the packet is assumed to be an ICQ v5 server response.
Technical Details:
Technical Description:
If the PAM ICQ response handling routine receives a SRV_META_USER response, the nickname, firstname, lastname, and email address buffers are assigned pointers into a general-purpose structure. Later, in the parent routine, each of these buffers is temporarily copied into a 512-byte stack-based buffer without any sanity checking. In order to reach the vulnerable function calls, the attacker needs to craft a SRV_MULTI response that contains two embedded response packets: a SRV_USER_ONLINE response and a SRV_META_USER response. If both are supplied, a condition is met, the entire ICQ decoder structure is filled out, and the vulnerable sprintf calls are reached.
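The bug class described above is an unchecked sprintf of attacker-supplied string fields into a fixed 512-byte stack buffer. The following is an added illustration (not ISS's PAM code; the structure and function names are assumptions) of the bounded form a decoder should use instead: each field is length-checked against the 512-byte scratch buffer and the whole record is rejected if any field would not fit.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the decoder's four SRV_META_USER string
 * fields (names are assumptions, not PAM's real structure). */
typedef struct {
    const char *nickname;
    const char *firstname;
    const char *lastname;
    const char *email;
} meta_user_fields;

/* Size of the temporary stack buffer the advisory describes. */
#define SCRATCH_LEN 512

/* The unchecked pattern the advisory describes, simplified:
 *     char tmp[512];
 *     sprintf(tmp, "%s", u->nickname);   // no length check on the field
 * Bounded replacement: returns 0 when every field fits, -1 when any field
 * would overflow the scratch buffer (nothing is copied in that case). */
int format_meta_user(const meta_user_fields *u, char out[][SCRATCH_LEN]) {
    const char *fields[4] = { u->nickname, u->firstname, u->lastname, u->email };
    for (int i = 0; i < 4; i++) {
        const char *f = fields[i] ? fields[i] : "";
        /* Reject before copying; the NUL terminator must fit as well. */
        if (strlen(f) >= SCRATCH_LEN)
            return -1;
        int n = snprintf(out[i], SCRATCH_LEN, "%s", f);
        if (n < 0 || (size_t)n >= SCRATCH_LEN)
            return -1;
    }
    return 0;
}

/* Constructed input: three short fields plus an email of the given length. */
int check_record_with_email_len(size_t email_len) {
    static char longemail[1024];
    if (email_len >= sizeof longemail)
        email_len = sizeof longemail - 1;
    memset(longemail, 'A', email_len);
    longemail[email_len] = '\0';
    meta_user_fields u = { "nick", "first", "last", longemail };
    char out[4][SCRATCH_LEN];
    return format_meta_user(&u, out);
}

int main(void) {
    printf("short email: %d\n", check_record_with_email_len(20));   /* 0 */
    printf("600-byte email: %d\n", check_record_with_email_len(600)); /* -1 */
    return 0;
}
```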
Since UDP is a stateless protocol, most IDS products do not keep state or a record of a concurrent connection; such a feature would be too costly to the performance of the IDS engine. With this in mind, this flaw can be exploited by sending a single spoofed datagram.
In our test environment we successfully compromised a BlackICE installation with "paranoid" configuration enabled, application protection enabled, file sharing support disabled, and network neighborhood support disabled.
It should be noted that the BlackICE/RealSecure engine listens for packets received on the broadcast interface. This allows the vulnerability to be exploited simultaneously across every vulnerable host within a targeted network by issuing a single spoofed UDP datagram.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Vendor Status:
ISS have released patches for these issues. The patches are available at: http://www.iss.net/download/. The Internet Security Systems security bulletin can be found at: http://xforce.iss.net/xforce/alerts/id/166.
Credit:
Discovery: Riley Hassell + Barnaby Jack = Briley Hassell-Jack
Additional Research: Derek Soeder
Related Links:
Retina Network Security Scanner - Free 15 Day Trial http://www.eeye.com/html/Products/Retina/download.html
Greetings:
Arturo Gatti, Ms. Milidonis, and AGold.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.