[NT] RealSecure/BlackICE Server Message Block (SMB) Processing Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 03/01/04
To: list@securiteam.com
Date: 1 Mar 2004 18:51:06 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
RealSecure/BlackICE Server Message Block (SMB) Processing Overflow
------------------------------------------------------------------------
SUMMARY
"BlackICE (http://blackice.iss.net/) is professional-strength protection
for your PC. BlackICE PC Protection features both an intrusion detection
system and a personal firewall for a one-two punch of protection."
A flaw in the component that handles the processing of Server Message
Block (SMB) packets exists which allows a remote attacker to reliably
overwrite heap memory with user-controlled data and execute arbitrary code
within the SYSTEM context even in BlackICE's paranoid settings.
DETAILS
Vulnerable Systems:
* RealSecure Network versions 7.0, XPU 20.15 through 22.9
* RealSecure Server Sensor versions 7.0 XPU 20.16 through 22.9
* Proventia A Series XPU 20.15 through 22.9
* Proventia G Series XPU 22.3 through 22.9
* Proventia M Series XPU 1.3 through 1.7
* RealSecure Desktop versions 7.0 eba through ebh
* RealSecure Desktop versions 3.6 ebr through ecb
* RealSecure Guard versions 3.6 ebr through ecb
* RealSecure Sentry versions 3.6 ebr through ecb
* BlackICE PC Protection versions 3.6 cbr through ccb
* BlackICE Server Protection versions 3.6 cbr through ccb
By issuing an authentication request with a long username value, a direct
heap overwrite is triggered, and reliable code execution is then possible.
When BlackICE encounters an SMB packet, the packet undergoes analysis and
reconstruction. While re-assembling the packet, the user-supplied data of
the authentication request is copied unchecked into an insufficiently sized
heap-based buffer. All of this processing happens before any authentication
takes place, so although the request never authenticates, the flaw still
allows the BlackICE server to be compromised.
To exploit the vulnerability only one packet is required. The client must
issue an "SMB Session Setup AndX request". This SMB is used to "set up" a
session previously established with the negotiate protocol. A primary
function of this request is to perform a user login to a remote host. As
neither RealSecure nor BlackICE requires the state to be kept, no previous
negotiation is required. By issuing an AccountName parameter string over
300 bytes in length the heap overflow is triggered.
The required packet structure is outlined in
http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf
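The parser and length check below are an added example and are not part of this advisory or of ISS's own code. They parse an SMB_COM_SESSION_SETUP_ANDX request according to the CIFS technical reference cited above and flag an AccountName longer than 300 bytes, the way a defensive IDS rule or an inspecting SMB proxy would. It goes slightly beyond the text by handling both the NT LM 0.12 (WordCount 13) and LANMAN2.1 (WordCount 10) request layouts and both OEM and Unicode strings. The build_session_setup_andx() helper, the ACCOUNT_NAME_LIMIT constant, and the sample account and domain names are constructed for this example; the length is measured in bytes on the wire, since that is what fills the heap buffer, and a message that cannot be parsed is reported as an alert rather than silently ignored.

```python
"""Detection-side parser for SMB_COM_SESSION_SETUP_ANDX (CIFS 1.0) that
flags over-long AccountName fields. Example code, not ISS's implementation."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_FLAGS2_UNICODE = 0x8000
ACCOUNT_NAME_LIMIT = 300   # threshold taken from the advisory: over 300 bytes triggers the overflow


class SmbParseError(ValueError):
    """Raised when the message is not a well-formed Session Setup AndX request."""


def _read_smb_string(data: bytes, pos: int, unicode: bool) -> tuple[bytes, int]:
    """Read a null-terminated OEM or UTF-16LE string at pos; return (raw bytes, next position)."""
    if unicode:
        end = pos
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        if end + 1 >= len(data):
            raise SmbParseError("unterminated Unicode string")
        return data[pos:end], end + 2
    end = data.find(b"\x00", pos)
    if end < 0:
        raise SmbParseError("unterminated OEM string")
    return data[pos:end], end + 1


def parse_session_setup_andx(smb: bytes) -> dict:
    """Parse a raw SMB message (no NetBIOS session header) carrying a Session Setup AndX request."""
    if len(smb) < 33 or smb[:4] != SMB_MAGIC:
        raise SmbParseError("not an SMB message")
    if smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise SmbParseError("not a Session Setup AndX request")
    flags2 = struct.unpack_from("<H", smb, 10)[0]          # Flags2 follows magic, command, status, flags
    unicode = bool(flags2 & SMB_FLAGS2_UNICODE)
    word_count = smb[32]
    if word_count not in (10, 13):                         # LANMAN2.1 or NT LM 0.12 layouts only
        raise SmbParseError(f"unexpected WordCount {word_count}")
    words_end = 33 + 2 * word_count
    if len(smb) < words_end + 2:
        raise SmbParseError("truncated parameter block")
    words = smb[33:words_end]
    # Password length(s) sit at parameter offset 14 in both layouts; NT LM 0.12 carries two of them.
    if word_count == 13:
        pwd_len = sum(struct.unpack_from("<HH", words, 14))
    else:
        pwd_len = struct.unpack_from("<H", words, 14)[0]
    byte_count = struct.unpack_from("<H", smb, words_end)[0]
    data_start = words_end + 2
    data = smb[data_start:data_start + byte_count]
    if len(data) < byte_count:
        raise SmbParseError("ByteCount exceeds message length")
    pos = pwd_len
    if pos > len(data):
        raise SmbParseError("password length exceeds ByteCount")
    if unicode and (data_start + pos) % 2:
        pos += 1                                           # Pad[] to a 2-byte boundary from the SMB header start
    fields = {"unicode": unicode}
    for name in ("AccountName", "PrimaryDomain", "NativeOS", "NativeLanMan"):
        fields[name], pos = _read_smb_string(data, pos, unicode)
    return fields


def assess(smb: bytes) -> tuple[str, str]:
    """Return ('alert', reason) or ('ok', reason); malformed input is treated as an alert."""
    try:
        fields = parse_session_setup_andx(smb)
    except SmbParseError as exc:
        return "alert", f"malformed Session Setup AndX: {exc}"
    n = len(fields["AccountName"])
    if n > ACCOUNT_NAME_LIMIT:
        return "alert", f"AccountName is {n} bytes on the wire (limit {ACCOUNT_NAME_LIMIT})"
    return "ok", f"AccountName is {n} bytes"


def build_session_setup_andx(account: str, domain: str = "WORKGROUP", unicode: bool = False) -> bytes:
    """Constructed test fixture: a minimal NT LM 0.12 request carrying the given AccountName."""
    hdr = SMB_MAGIC + bytes([SMB_COM_SESSION_SETUP_ANDX]) + b"\x00" * 4 + b"\x18"   # status, flags
    hdr += struct.pack("<H", SMB_FLAGS2_UNICODE if unicode else 0) + b"\x00" * 20   # rest of the 32-byte header
    # AndX cmd/reserved/offset, MaxBufferSize, MaxMpxCount, VcNumber, SessionKey,
    # OEM and Unicode password lengths (0), Reserved, Capabilities
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 2, 0, 0, 0, 0, 0, 0)

    def s(text: str) -> bytes:
        return text.encode("utf-16-le") + b"\x00\x00" if unicode else text.encode("latin-1") + b"\x00"

    body = (b"\x00" if unicode else b"") + s(account) + s(domain) + s("Unix") + s("Samba")
    return hdr + bytes([13]) + words + struct.pack("<H", len(body)) + body


if __name__ == "__main__":
    for sample in (build_session_setup_andx("alice"), build_session_setup_andx("A" * 301)):
        print(assess(sample))
```

A production rule would sit on a reassembled TCP stream and strip the 4-byte NetBIOS session header first; the parser here starts at the `\xffSMB` magic. Because the overflow is a byte-count problem, a Unicode name of 151 characters is already over the limit, which is why the check counts encoded bytes rather than characters.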
Vendor Status:
ISS has released patches for the issue. Refer to the download center at
http://www.iss.net/download/
ADDITIONAL INFORMATION
The information has been provided by Marc Maiffret <mmaiffret@eeye.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.