Home page logo

fulldisclosure logo Full Disclosure mailing list archives

EEYE: Internet Security Systems PAM ICQ Server Response Processing Vulnerability
From: "Marc Maiffret" <mmaiffret () eeye com>
Date: Thu, 18 Mar 2004 16:01:37 -0800

Internet Security Systems PAM ICQ Server Response Processing

Release Date:
March 18, 2004

Date Reported:
March 8, 2004

High (Remote Code Execution)

Internet Security Systems

Systems Affected:
RealSecure Network 7.0, XPU 22.11 and before
RealSecure Server Sensor 7.0 XPU 22.11 and before 
RealSecure Server Sensor 6.5 for Windows SR 3.10 and before 
Proventia A Series XPU 22.11 and before
Proventia G Series XPU 22.11 and before
Proventia M Series XPU 1.9 and before
RealSecure Desktop 7.0 ebl and before
RealSecure Desktop 3.6 ecf and before
RealSecure Guard 3.6 ecf and before 
RealSecure Sentry 3.6 ecf and before 
BlackICE Agent for Server 3.6 ecf and before
BlackICE PC Protection 3.6 ccf and before
BlackICE Server Protection 3.6 ccf and before
A critical vulnerability has been discovered in the PAM (Protocol
Analysis Module) component used in all current ISS host, server, and
network device solutions. A routine within the Protocol Analysis Module
(PAM) that monitors ICQ server responses contains a series of stack
based buffer overflow vulnerabilities. If the source port of an incoming
UDP packet is 4000, it is assumed to be an ICQ v5 server response. Any
incoming packet matching this criterion will be forwarded to the
vulnerable routine. By delivering a carefully crafted response packet to
the broadcast address of a network operating RealSecure/BlackICE agents
an attacker can achieve anonymous, remote SYSTEM access across all
vulnerable nodes.

Technical Description:

If the PAM ICQ response handling routine receives a SRV_META_USER
response the nickname, firstname, lastname, and email address buffers
will be assigned a pointer into a general purpose structure. Later in
the parent routine each of these buffers will be temporarily copied into
a 512 byte stack based buffer without any sanity checking. In order to
reach the vulnerable function calls the attacker needs to craft a
SRV_MULTI response that contains two embedded response packets, a
SRV_USER_ONLINE response and a SRV_META_USER response. If both are
supplied then a condition is met and the entire ICQ decoder structure is
filled out, and the vulnerable sprintf calls will be followed.

Since UDP is a stateless protocol, most IDS products are incapable of
keeping state or record of a concurrent connection. Such a feature would
be too costly to the performance of the IDS engine. With this in mind,
this flaw can be exploited by sending a single spoofed datagram.
In our test environment we successfully compromised a BlackICE
installation with "paranoid" configuration enabled, application
protection enabled, file sharing support disabled, and network
neighborhood support disabled.

It should be noted that the BlackICE/RealSecure engine listens for
packets received on the broadcast interface. This allows the
vulnerability to be exploited simultaneously across every vulnerable
host within a targeted network by issuing a single, spoofed, UDP

Retina Network Security Scanner has been updated to identify this

Vendor Status:
Internet Security Systems have released patches for these issues. The
patches are available at: http://www.iss.net/download/. The Internet
Security Systems security bulletin can be found at:

Discovery: Riley Hassell + Barnaby Jack = Briley Hassell-Jack
Additional Research: Derek Soeder

Related Links:
Retina Network Security Scanner - Free 15 Day Trial

Arturo Gatti, Ms. Milidonis, and AGold.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert () eEye com for permission.

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

Please send suggestions, updates, and comments to:
eEye Digital Security
info () eEye com

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • EEYE: Internet Security Systems PAM ICQ Server Response Processing Vulnerability Marc Maiffret (Mar 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]