From mmaiffret@eeye.com Fri Mar 19 03:38:41 2004 From: Marc Maiffret To: full-disclosure@lists.netsys.com Date: Thu, 18 Mar 2004 16:01:37 -0800 Subject: [Full-Disclosure] EEYE: Internet Security Systems PAM ICQ Server Response Processing Vulnerability Internet Security Systems PAM ICQ Server Response Processing Vulnerability Release Date: March 18, 2004 Date Reported: March 8, 2004 Severity: High (Remote Code Execution) Vendor: Internet Security Systems Systems Affected: RealSecure Network 7.0, XPU 22.11 and before RealSecure Server Sensor 7.0 XPU 22.11 and before RealSecure Server Sensor 6.5 for Windows SR 3.10 and before Proventia A Series XPU 22.11 and before Proventia G Series XPU 22.11 and before Proventia M Series XPU 1.9 and before RealSecure Desktop 7.0 ebl and before RealSecure Desktop 3.6 ecf and before RealSecure Guard 3.6 ecf and before RealSecure Sentry 3.6 ecf and before BlackICE Agent for Server 3.6 ecf and before BlackICE PC Protection 3.6 ccf and before BlackICE Server Protection 3.6 ccf and before Description: A critical vulnerability has been discovered in the PAM (Protocol Analysis Module) component used in all current ISS host, server, and network device solutions. A routine within the Protocol Analysis Module (PAM) that monitors ICQ server responses contains a series of stack based buffer overflow vulnerabilities. If the source port of an incoming UDP packet is 4000, it is assumed to be an ICQ v5 server response. Any incoming packet matching this criterion will be forwarded to the vulnerable routine. By delivering a carefully crafted response packet to the broadcast address of a network operating RealSecure/BlackICE agents an attacker can achieve anonymous, remote SYSTEM access across all vulnerable nodes. Technical Description: If the PAM ICQ response handling routine receives a SRV_META_USER response the nickname, firstname, lastname, and email address buffers will be assigned a pointer into a general purpose structure. Later in the parent routine each of these buffers will be temporarily copied into a 512 byte stack based buffer without any sanity checking. In order to reach the vulnerable function calls the attacker needs to craft a SRV_MULTI response that contains two embedded response packets, a SRV_USER_ONLINE response and a SRV_META_USER response. If both are supplied then a condition is met and the entire ICQ decoder structure is filled out, and the vulnerable sprintf calls will be followed. Since UDP is a stateless protocol, most IDS products are incapable of keeping state or record of a concurrent connection. Such a feature would be too costly to the performance of the IDS engine. With this in mind, this flaw can be exploited by sending a single spoofed datagram. In our test environment we successfully compromised a BlackICE installation with "paranoid" configuration enabled, application protection enabled, file sharing support disabled, and network neighborhood support disabled. It should be noted that the BlackICE/RealSecure engine listens for packets received on the broadcast interface. This allows the vulnerability to be exploited simultaneously across every vulnerable host within a targeted network by issuing a single, spoofed, UDP datagram. Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Vendor Status: Internet Security Systems have released patches for these issues. The patches are available at: http://www.iss.net/download/. The Internet Security Systems security bulletin can be found at: http://xforce.iss.net/xforce/alerts/id/166 Credit: Discovery: Riley Hassell + Barnaby Jack = Briley Hassell-Jack Additional Research: Derek Soeder Related Links: Retina Network Security Scanner - Free 15 Day Trial http://www.eeye.com/html/Products/Retina/index.html Greetings: Arturo Gatti, Ms. Milidonis, and AGold. Copyright (c) 1998-2004 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Feedback Please send suggestions, updates, and comments to: eEye Digital Security http://www.eEye.com info@eEye.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html