A critical vulnerability has been discovered in the PAM (Protocol Analysis Module) component used in all current ISS host, server, and network device solutions. A routine within the Protocol Analysis Module (PAM) that monitors ICQ server responses contains a series of stack based buffer overflow vulnerabilities.
Credit:
The information has been provided by Marc Maiffret of eEye Digital Security.
Vulnerable Systems:
* RealSecure Network version 7.0, XPU 22.11 and before
* RealSecure Server Sensor version 7.0 XPU 22.11 and before
* RealSecure Server Sensor version 6.5 for Windows SR 3.10 and before
* Proventia A Series XPU 22.11 and before
* Proventia G Series XPU 22.11 and before
* Proventia M Series XPU 1.9 and before
* RealSecure Desktop version 7.0 ebl and before
* RealSecure Desktop version 3.6 ecf and before
* RealSecure Guard version 3.6 ecf and before
* RealSecure Sentry version 3.6 ecf and before
* BlackICE Agent for Server version 3.6 ecf and before
* BlackICE PC Protection version 3.6 ccf and before
* BlackICE Server Protection version 3.6 ccf and before
A UDP packet received with a UDP source port of 4000 is assumed to be an ICQ protocol version 5 server response. Such a packet is automatically forwarded to a vulnerable routine in the PAM. By delivering a carefully crafted response packet to the broadcast address of a network running RealSecure/BlackICE agents, an attacker can achieve anonymous, remote SYSTEM access across all vulnerable nodes.
When the PAM ICQ response handling routine receives a SRV_META_USER response, the nickname, firstname, lastname, and email address buffers are assigned a pointer into a general-purpose data structure. Later on those buffers are copied into normal stack based buffers of 512 bytes length with no sanity and bounds checking. In order to reach the vulnerable code an attacker needs to craft a SRV_MULTI response that contains two embedded response packets - a SRV_USER_ONLINE response and a SRV_META_USER response.
Since UDP is a connectionless protocol, the issue can be exploited with a single spoofed UDP datagram. Furthermore, since the BlackICE/RealSecure engines listen on the broadcast address, a single spoofed UDP datagram can trigger the vulnerability simultaneously on every vulnerable host in a targeted network. At the very least this makes a Denial of Service condition very easy to trigger.
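To make the defect concrete, the following added C example (not ISS code) contrasts the unchecked copy the advisory describes with a bounded one that rejects oversized fields before anything is written to the stack. The struct layout, function names and sample response are assumptions; only the 512-byte buffer size and the four SRV_META_USER fields come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 512   /* stack buffer size named in the advisory */

/* Assumed stand-in for the general-purpose structure the PAM points the
 * SRV_META_USER string fields into (hypothetical layout, not ISS code). */
struct meta_user {
    const char *nickname, *firstname, *lastname, *email;
};

enum meta_status { META_OK = 0, META_REJECTED = 1 };

/* The unsafe pattern the advisory describes, shown as a comment only:
 *     char nick[FIELD_MAX];
 *     strcpy(nick, m->nickname);  // no length check: 512+ bytes overflow */

/* Bounded copy: 0 if src (with its NUL) fits in cap bytes, -1 otherwise.
 * Never reads or writes beyond cap bytes. */
static int copy_field(char *dst, size_t cap, const char *src) {
    size_t n = 0;
    while (n < cap && src[n] != '\0') n++;
    if (n == cap) { dst[0] = '\0'; return -1; }   /* too long: reject */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened handler: every field must fit, or the whole response is dropped
 * before anything reaches the stack buffers. */
enum meta_status handle_meta_user(const struct meta_user *m) {
    char nick[FIELD_MAX], first[FIELD_MAX], last[FIELD_MAX], mail[FIELD_MAX];
    if (copy_field(nick, sizeof nick, m->nickname) ||
        copy_field(first, sizeof first, m->firstname) ||
        copy_field(last, sizeof last, m->lastname) ||
        copy_field(mail, sizeof mail, m->email))
        return META_REJECTED;
    printf("accepted %s (%s %s) <%s>\n", nick, first, last, mail);
    return META_OK;
}

/* Constructed sample: a response whose nickname is len bytes of 'A'. */
enum meta_status demo_with_nick_len(size_t len) {
    static char nick[2 * FIELD_MAX];
    if (len >= sizeof nick) len = sizeof nick - 1;
    memset(nick, 'A', len);
    nick[len] = '\0';
    struct meta_user m = { nick, "Alice", "Smith", "alice@example.invalid" };
    return handle_meta_user(&m);
}
```

A 511-byte field is the longest that fits with its terminator; 512 bytes or more is rejected rather than copied.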
Internet Security Systems' advisory can be found at http://xforce.iss.net/xforce/alerts/id/166.
Vendor Status:
ISS has been informed of the issue and a patch has been released.