Internet Security Systems Protocol Analysis Module ICQ Parsing Buffer Overflow Vulnerability
BID: 9913
Info
| Bugtraq ID: | 9913 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 18 2004 12:00AM |
| Updated: | Mar 18 2004 12:00AM |
| Credit: | Discovery is credited to eEye Digital Security <http://www.eeye.com>. |
Vulnerable:
- Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.9
- Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.8
- Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.7
- Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.6
- Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.5
- Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.4
- Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.3
- Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.2
- Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.11
- Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.10
- Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.1
- Internet Security Systems RealSecure Server Sensor 6.5 Win SR3.9
- Internet Security Systems RealSecure Server Sensor 6.5 Win SR3.8
- Internet Security Systems RealSecure Server Sensor 6.5 Win SR3.7
- Internet Security Systems RealSecure Server Sensor 6.5 Win SR3.6
- Internet Security Systems RealSecure Server Sensor 6.5 Win SR3.5
- Internet Security Systems RealSecure Server Sensor 6.5 Win SR3.4
- Internet Security Systems RealSecure Server Sensor 6.5 Win SR3.3
- Internet Security Systems RealSecure Server Sensor 6.5 Win SR3.2
- Internet Security Systems RealSecure Server Sensor 6.5 Win SR3.10
- Internet Security Systems RealSecure Server Sensor 6.5 Win SR3.1
- Internet Security Systems RealSecure Server Sensor 6.5 Win
- Internet Security Systems RealSecure Server Sensor 6.0.1 Win SR1.1
- Internet Security Systems RealSecure Server Sensor 6.0.1 Win
- Internet Security Systems RealSecure Server Sensor 6.0 Win
- Internet Security Systems RealSecure Sentry 3.6 ecd
- Internet Security Systems RealSecure Sentry 3.6 ecf
- Internet Security Systems RealSecure Sentry 3.6 ece
- Internet Security Systems RealSecure Sentry 3.6 ecc
- Internet Security Systems RealSecure Sentry 3.6 ecb
- Internet Security Systems RealSecure Sentry 3.6 eca
- Internet Security Systems RealSecure Sentry 3.6 ebz
- Internet Security Systems RealSecure Network Sensor 7.0 XPU 22.4
- Internet Security Systems RealSecure Network Sensor 7.0 XPU 22.9
- Internet Security Systems RealSecure Network Sensor 7.0 XPU 22.10
- Internet Security Systems RealSecure Network Sensor 7.0 XPU 20.11
- Internet Security Systems RealSecure Network Sensor 7.0
- Internet Security Systems RealSecure Guard 3.6 ecd
- Internet Security Systems RealSecure Guard 3.6 ecf
- Internet Security Systems RealSecure Guard 3.6 ece
- Internet Security Systems RealSecure Guard 3.6 ecc
- Internet Security Systems RealSecure Guard 3.6 ecb
- Internet Security Systems RealSecure Guard 3.6 eca
- Internet Security Systems RealSecure Guard 3.6 ebz
- Internet Security Systems RealSecure Desktop 7.0 ebl
- Internet Security Systems RealSecure Desktop 7.0 ebk
- Internet Security Systems RealSecure Desktop 7.0 ebj
- Internet Security Systems RealSecure Desktop 7.0 ebh
- Internet Security Systems RealSecure Desktop 7.0 ebg
- Internet Security Systems RealSecure Desktop 7.0 ebf
- Internet Security Systems RealSecure Desktop 7.0 eba
- Internet Security Systems RealSecure Desktop 3.6 ecf
- Internet Security Systems RealSecure Desktop 3.6 ece
- Internet Security Systems RealSecure Desktop 3.6 ecd
- Internet Security Systems RealSecure Desktop 3.6 ecb
- Internet Security Systems RealSecure Desktop 3.6 eca
- Internet Security Systems RealSecure Desktop 3.6 ebz
- Internet Security Systems Proventia M Series XPU 1.9
- Internet Security Systems Proventia M Series XPU 1.8
- Internet Security Systems Proventia M Series XPU 1.7
- Internet Security Systems Proventia M Series XPU 1.6
- Internet Security Systems Proventia M Series XPU 1.5
- Internet Security Systems Proventia M Series XPU 1.4
- Internet Security Systems Proventia M Series XPU 1.3
- Internet Security Systems Proventia M Series XPU 1.2
- Internet Security Systems Proventia M Series XPU 1.1
- Internet Security Systems Proventia A Series XPU 22.9
- Internet Security Systems Proventia A Series XPU 22.10
- Internet Security Systems Proventia A Series XPU 20.11
- Internet Security Systems Proventia A Series XPU 22.8
- Internet Security Systems Proventia A Series XPU 22.7
- Internet Security Systems Proventia A Series XPU 22.6
- Internet Security Systems Proventia A Series XPU 22.5
- Internet Security Systems Proventia A Series XPU 22.4
- Internet Security Systems Proventia A Series XPU 22.3
- Internet Security Systems Proventia A Series XPU 22.2
- Internet Security Systems Proventia A Series XPU 22.1
- Internet Security Systems BlackIce Server Protection 3.6 ccf
- Internet Security Systems BlackIce Server Protection 3.6 cce
- Internet Security Systems BlackIce Server Protection 3.6 ccd
- Internet Security Systems BlackIce Server Protection 3.6 ccc
- Internet Security Systems BlackIce Server Protection 3.6 ccb
- Internet Security Systems BlackIce Server Protection 3.6 cca
- Internet Security Systems BlackIce Server Protection 3.6 cbz
- Internet Security Systems BlackICE PC Protection 3.6 ccf
- Internet Security Systems BlackICE PC Protection 3.6 cce
- Internet Security Systems BlackICE PC Protection 3.6 ccd
- Internet Security Systems BlackICE PC Protection 3.6 ccc
- Internet Security Systems BlackICE PC Protection 3.6 ccb
- Internet Security Systems BlackICE PC Protection 3.6 cca
- Internet Security Systems BlackICE PC Protection 3.6 cbz
- Internet Security Systems BlackICE Agent for Server 3.6 ecf
- Internet Security Systems BlackICE Agent for Server 3.6 ece
- Internet Security Systems BlackICE Agent for Server 3.6 ecd
- Internet Security Systems BlackICE Agent for Server 3.6 ecc
- Internet Security Systems BlackICE Agent for Server 3.6 ecb
- Internet Security Systems BlackICE Agent for Server 3.6 eca
- Internet Security Systems BlackICE Agent for Server 3.6 ebz
- IBM Proventia G Series XPU 22.9
- IBM Proventia G Series XPU 22.8
- IBM Proventia G Series XPU 22.7
- IBM Proventia G Series XPU 22.6
- IBM Proventia G Series XPU 22.5
- IBM Proventia G Series XPU 22.4
- IBM Proventia G Series XPU 22.3
- IBM Proventia G Series XPU 22.2
- IBM Proventia G Series XPU 22.11
- IBM Proventia G Series XPU 22.10
- IBM Proventia G Series XPU 22.1

Not Vulnerable:
- Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.12
- Internet Security Systems RealSecure Server Sensor 6.5 Win SR3.11
- Internet Security Systems RealSecure Network Sensor 7.0 XPU 20.12
- Internet Security Systems RealSecure Guard 3.6 ecg
- Internet Security Systems RealSecure Desktop 7.0 ebm
- Internet Security Systems RealSecure Desktop 3.6 ecg
- Internet Security Systems Proventia M Series XPU 1.10
- Internet Security Systems Proventia A Series XPU 20.12
- Internet Security Systems BlackIce Server Protection 3.6 ccg
- Internet Security Systems BlackICE PC Protection 3.6 ccg
- Internet Security Systems BlackICE Agent for Server 3.6 ecg
- IBM Proventia G Series XPU 22.12
Discussion
It has been reported that the Internet Security Systems (ISS) Protocol Analysis Module is prone to a remote buffer overflow vulnerability when parsing the ICQ protocol. This issue exists due to insufficient bounds checking performed on certain unspecified ICQ protocol fields supplied in ICQ response data.
Successful exploitation of this issue may allow a remote attacker to execute arbitrary code on a vulnerable system in order to gain unauthorized access. This attack would occur in the context of the vulnerable process.
This module is used to parse network protocols and is included in a number of products provided by ISS, including various RealSecure and BlackICE releases.
Exploit / POC
CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
This vulnerability is being actively exploited in the wild. The W32.Witty.Worm (MCID 2675) exploits this issue and it is propagating with a fixed source port of UDP port 4000. The worm appears to be contained in a single UDP datagram. Sam has supplied the following proof of concept exploit:
Solution / Fix
Solution:
ISS has released an advisory with fix information to address this issue. Please see the referenced advisory for more information.

| Affected version | Fixed version | Download |
| --- | --- | --- |
| Internet Security Systems Proventia A Series XPU 20.11 | Internet Security Systems Proventia A Series XPU 22.12 | http://www.iss.net/download/ |
| Internet Security Systems RealSecure Desktop 3.6 ecf | Internet Security Systems RealSecure Desktop 3.6 ecg | http://www.iss.net/download/ |
| Internet Security Systems RealSecure Sentry 3.6 ecf | Internet Security Systems RealSecure Sentry 3.6 ecg | http://www.iss.net/download/ |
| Internet Security Systems BlackICE PC Protection 3.6 ccf | Internet Security Systems BlackICE PC Protection 3.6 ccg | http://www.iss.net/download/ |
| Internet Security Systems BlackIce Server Protection 3.6 ccf | Internet Security Systems BlackICE Server Protection 3.6 ccg | http://www.iss.net/download/ |
| Internet Security Systems RealSecure Network Sensor 7.0 XPU 20.11 | Internet Security Systems RealSecure Network 7.0, XPU 22.12 | http://www.iss.net/download/ |
| Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.11 | Internet Security Systems RealSecure Server Sensor 7.0 XPU 22.12 | http://www.iss.net/download/ |
References
References:
- BlackICE ICQ ISS-PAM1 Exploit (CORE Security)
- BlackICE Witty Worm Propagation (Internet Security systems)
- Internet Security Systems PAM ICQ Server Response Processing Vulnerability (eEye Digital Security)
- Vulnerability in ICQ Parsing in ISS Products (ISS)
- EEYE: Internet Security Systems PAM ICQ Server Response Processing Vulnerability (Marc Maiffret)