[NT] ISS PAM ICQ Server Response Processing Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 03/23/04

    To: list@securiteam.com
    Date: 23 Mar 2004 20:41:21 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      ISS PAM ICQ Server Response Processing Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    A critical vulnerability has been discovered in the PAM (Protocol Analysis
    Module) component used in all current ISS host, server, and network device
    solutions. A routine within the Protocol Analysis Module (PAM) that
    monitors ICQ server responses contains a series of stack based buffer
    overflow vulnerabilities.

    DETAILS

    Vulnerable Systems:
     * RealSecure Network version 7.0, XPU 22.11 and before
     * RealSecure Server Sensor version 7.0 XPU 22.11 and before
     * RealSecure Server Sensor version 6.5 for Windows SR 3.10 and before
     * Proventia A Series XPU 22.11 and before
     * Proventia G Series XPU 22.11 and before
     * Proventia M Series XPU 1.9 and before
     * RealSecure Desktop version 7.0 ebl and before
     * RealSecure Desktop version 3.6 ecf and before
     * RealSecure Guard version 3.6 ecf and before
     * RealSecure Sentry version 3.6 ecf and before
     * BlackICE Agent for Server version 3.6 ecf and before
     * BlackICE PC Protection version 3.6 ccf and before
     * BlackICE Server Protection version 3.6 ccf and before

    A UDP packet received with a UDP source port of 4000 is assumed to be an
    ICQ protocol version 5 server response. A packet such as this is
    automatically forwarded to a vulnerable routine in the PAM. By delivering
    a carefully crafted response packet to the broadcast address of a network
    operating RealSecure/BlackICE agents, an attacker can achieve anonymous,
    remote SYSTEM access across all vulnerable nodes.

    When the PAM ICQ response handling routine receives a SRV_META_USER
    response, the nickname, firstname, lastname, and email address buffers are
    assigned a pointer into a general-purpose data structure. Later on, those
    buffers are copied into normal stack-based buffers of 512 bytes in length
    with no sanity or bounds checking. In order to reach the vulnerable code,
    an attacker needs to craft a SRV_MULTI response that contains two embedded
    response packets - a SRV_USER_ONLINE response and a SRV_META_USER
    response.
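    As an added illustration (not code from the advisory, eEye, or ISS), the following is a bounds-checked version of the copy the advisory describes: each of the four SRV_META_USER string fields is copied into a 512-byte buffer only after its declared length has been checked against both the remaining input and the destination. The field encoding (16-bit little-endian length followed by the bytes) is a constructed simplification, not the real ICQ v5 wire layout, and the sample packets are constructed.

```c
#include <stdint.h>
#include <string.h>
#define FIELD_BUF 512   /* the stack buffer size named in the advisory */
#define NUM_FIELDS 4    /* nickname, firstname, lastname, email */
/* Assumed, simplified field encoding (not the documented ICQ v5 layout): a
 * 16-bit little-endian length followed by that many bytes. Returns bytes
 * consumed, or 0 if the length is truncated, exceeds the remaining input, or
 * would not fit the destination together with its NUL terminator. */
static size_t copy_field_checked(const uint8_t *p, size_t remaining,
                                 char *dst, size_t cap)
{
    if (remaining < 2) return 0;
    size_t len = (size_t)p[0] | ((size_t)p[1] << 8);
    if (len > remaining - 2) return 0;   /* claims bytes that are not there */
    if (len >= cap) return 0;            /* would overrun the fixed buffer */
    memcpy(dst, p + 2, len);
    dst[len] = '\0';
    return 2 + len;
}
/* Parse the four string fields of a SRV_META_USER body into fixed buffers
 * (out[0]=nickname, out[1]=firstname, out[2]=lastname, out[3]=email). Returns
 * 1 on success, 0 if any field fails its check; out is zeroed first so a
 * rejected packet never leaves partial data behind. */
int parse_meta_user(const uint8_t *buf, size_t len, char out[NUM_FIELDS][FIELD_BUF])
{
    memset(out, 0, NUM_FIELDS * FIELD_BUF);
    for (size_t off = 0, i = 0; i < NUM_FIELDS; i++) {
        size_t n = copy_field_checked(buf + off, len - off, out[i], FIELD_BUF);
        if (n == 0) return 0;
        off += n;
    }
    return 1;
}
/* Constructed sample: four short fields, well within 512 bytes. */
int demo_benign(void)
{
    static const uint8_t pkt[] = { 3,0,'b','o','b', 5,0,'A','l','i','c','e',
                                   3,0,'D','o','e', 7,0,'a','@','x','.','o','r','g' };
    char f[NUM_FIELDS][FIELD_BUF];
    return parse_meta_user(pkt, sizeof pkt, f) && strcmp(f[3], "a@x.org") == 0;
}
/* Constructed sample: a nickname declaring 768 bytes (0x0300), more than the
 * 512-byte buffer; the checked parser rejects it instead of overflowing. */
int demo_oversized(void)
{
    uint8_t pkt[2 + 768] = { 0x00, 0x03 };
    char f[NUM_FIELDS][FIELD_BUF];
    memset(pkt + 2, 'A', sizeof pkt - 2);
    return parse_meta_user(pkt, sizeof pkt, f);
}
```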

    Since UDP is a connectionless protocol, it is possible to exploit the issue
    using a single spoofed UDP datagram. Furthermore, since the
    BlackICE/RealSecure engine listens on the broadcast address, it opens up
    the possibility of exploiting the vulnerability simultaneously across
    every vulnerable host in a targeted network using a single spoofed UDP
    datagram. At the very least, this could lead to an easily triggered
    Denial of Service condition.

    Internet Security Systems' advisory can be found at
    http://xforce.iss.net/xforce/alerts/id/166

    Vendor Status:
    ISS has been informed of the issue and a patch has been released.

    ADDITIONAL INFORMATION

    The information has been provided by Marc Maiffret of eEye Digital
    Security (mmaiffret@eeye.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

