Re: firewalls
From: Duane Arnold (notme_at_notme.com)
Date: 03/23/04
- In reply to: jealous xmp: "Re: firewalls"
- Next in thread: jealous xmp: "Re: firewalls"
- Reply: jealous xmp: "Re: firewalls"
Date: Tue, 23 Mar 2004 09:52:47 GMT
jealousxmp@aol.commonplace (jealous xmp) wrote in
news:20040322233336.08514.00000248@mb-m10.aol.com:
>>Why was BlackIce broke into so easy?
> Because someone was targeting ISS products.
>
>>Plus why didn't it affect ZoneAlarm
>>customers?
>
> Same reason a Solaris exploit doesn't work against Windows. This is
> the summary of the exploit, discovered (supposedly ...) March 8,
> released March 18.
>
> "A critical vulnerability has been discovered in the PAM (Protocol
> Analysis Module) component used in all current ISS host, server, and
> network device solutions. A routine within the Protocol Analysis
> Module (PAM) that monitors ICQ server responses contains a series of
> stack based buffer overflow vulnerabilities. If the source port of an
> incoming UDP packet is 4000, it is assumed to be an ICQ v5 server
> response. Any incoming packet matching this criterion will be
> forwarded to the vulnerable routine. By delivering a carefully crafted
> response packet to the broadcast address of a network operating
> RealSecure/BlackICE agents"
That statement is not true. It is on certain versions of the
RealSecure/BlackIce solutions that this vulnerability exists, which can
be corrected by a patch. The current version of BI 3.6 ccg does not have
this exploit, according to documentation on this matter.
BlackICE™ Agent for Server 3.6 ebz, ecd, ece, ecf
BlackICE PC Protection 3.6 cbz, ccd, ccf
BlackICE Server Protection 3.6 cbz, ccd, ccf
RealSecure® Network 7.0, XPU 22.4 and 22.10
RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
RealSecure Desktop 3.6 ebz, ecd, ece, ecf
RealSecure Guard 3.6 ebz, ecd, ece, ecf
RealSecure Sentry 3.6 ebz, ecd, ece, ecf
I suspect that this may have been done by some unhappy person who worked
for the company that knew the ins and outs of the application.
Duane :)
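
The source-port dispatch described in the quoted advisory, turned into a defender-side check. This is an added example, not part of the original post and not ISS code: it labels raw IPv4/UDP packets that would be treated as ICQ v5 server responses (source port 4000) and separates out those addressed to a broadcast address. The function names, labels, and sample addresses are constructed for illustration.

```python
import ipaddress
import struct

ICQ_V5_SERVER_PORT = 4000  # source port the quoted advisory says selects the ICQ routine

def build_udp_packet(src, dst, sport, dport, payload=b""):
    """Build a minimal IPv4+UDP packet (constructed sample data, checksums zeroed)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp

def classify(packet, local_nets):
    """Label one raw IPv4 packet: 'ignore', 'icq-path', or 'icq-path-broadcast'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "ignore"                      # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4             # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:
        return "ignore"                      # bad header, not UDP, or truncated
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "ignore"                      # non-first fragment: no UDP header here
    sport = struct.unpack("!H", packet[ihl:ihl + 2])[0]
    if sport != ICQ_V5_SERVER_PORT:
        return "ignore"
    dst = ipaddress.IPv4Address(packet[16:20])
    broadcasts = {net.broadcast_address for net in local_nets}
    broadcasts.add(ipaddress.IPv4Address("255.255.255.255"))
    return "icq-path-broadcast" if dst in broadcasts else "icq-path"

# Constructed sample: one monitored subnet from the documentation address ranges.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

if __name__ == "__main__":
    samples = [
        build_udp_packet("198.51.100.7", "192.0.2.255", 4000, 1025),
        build_udp_packet("198.51.100.7", "192.0.2.10", 4000, 1025),
        build_udp_packet("198.51.100.7", "192.0.2.255", 53, 1025),
    ]
    for pkt in samples:
        print(classify(pkt, LOCAL_NETS))
```
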