SecurityTracker.com

SecurityTracker
Archives
Category:   Device (Intrusion Detection)  >   IBM Proventia
Vendors:   Internet Security Systems
(Proventia Not Affected by Witty Worm) ISS Proventia Buffer Overflow in Processing ICQ Messages May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1009504
SecurityTracker URL:  http://securitytracker.com/id/1009504
CVE Reference:   CVE-2004-0362   (Links to External Site)
Updated:  Mar 23 2004
Original Entry Date:  Mar 20 2004
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Proventia A Series XPU 22.11 and before, G Series XPU 22.11 and before, M Series XPU 1.9 and before
Description:   A buffer overflow vulnerability was reported in the ICQ protocol analysis component of ISS Proventia. A remote user can execute arbitrary code on the target system.

ISS confirmed that the component does not properly parse the ICQ protocol. A remote user can send a specially crafted packet over a network monitored by Proventia to trigger the flaw and execute arbitrary code on the target system. Because the sensor inspects the traffic it monitors, the packet does not have to be addressed to the sensor itself; it only has to cross a monitored segment.

The vulnerability was originally reported by eEye Digital Security as affecting ISS RealSecure and BlackICE (Alert IDs 1009348 and 1009347).

A worm that exploits the ICQ parsing flaw in ISS BlackICE and other ISS products has been reported. However, ISS reports that Proventia is not affected by this worm.

The worm sends a forged ICQ packet from UDP source port 4000 to randomly generated IP addresses on random destination ports. On a vulnerable system that sees the packet, the worm may be able to execute arbitrary code on the target system.

Once a system is infected, the worm sends packets to 20,000 random IP addresses, then opens a random physical drive and performs certain operations on it (the anti-virus vendors were uncertain at the time what it does). The worm eventually crashes.

The worm reportedly includes the following text:

(^.^) insert witty message here (^.^)

The ISS description of the worm is available at:

http://xforce.iss.net/xforce/alerts/id/167
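
The traffic pattern above gives a detection handle: the destination address and port change with every packet, so only the UDP source port (4000) and the payload text are stable. The following Python is an added example, not code from ISS, eEye, SecurityTracker or the anti-virus vendors cited on this page. It parses raw IPv4/UDP datagrams constructed inline for the example (no real capture), flags packets that carry the worm's text on source port 4000, and separately flags any source that sprays port-4000 UDP at many distinct destinations. The fan-out threshold of 10 and the sample addresses are assumptions for the example, not figures from the advisory; the match is on the core phrase so that differences in the surrounding whitespace do not matter.

```python
"""Detect Witty-style worm traffic in raw UDP datagrams.

Added example, not vendor code.  It uses only the characteristics this
advisory gives: UDP, source port 4000, random destination address and port,
and the text "(^.^) insert witty message here (^.^)" in the payload.
All packet bytes below are constructed for the example, not a real capture.
"""
import struct
from collections import defaultdict

WITTY_TEXT = b"(^.^)      insert witty message here      (^.^)"
WITTY_MARKER = b"insert witty message here"   # core phrase; whitespace-insensitive match
ICQ_SRC_PORT = 4000
FANOUT_THRESHOLD = 10   # assumption: distinct (dst, port) pairs before a source is a scanner


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_udp_packet(src_ip, dst_ip, src_port, dst_port, payload):
    """Minimal IPv4 + UDP datagram (checksums left zero) for the sample set."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + 8 + len(payload), 0, 0, 64, 17, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def parse_packet(raw):
    """Return (src_ip, dst_ip, src_port, dst_port, payload), or None if not IPv4/UDP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 17 or len(raw) < ihl + 8:          # protocol 17 = UDP
        return None
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    src_port, dst_port, udp_len = struct.unpack("!HHH", raw[ihl:ihl + 6])
    payload = raw[ihl + 8:ihl + udp_len]
    return src_ip, dst_ip, src_port, dst_port, payload


def is_witty_packet(pkt):
    """Signature match: worm text carried on the ICQ server source port."""
    _, _, src_port, _, payload = pkt
    return src_port == ICQ_SRC_PORT and WITTY_MARKER in payload


def analyze(raw_packets):
    """Return (hits, scanners).

    hits     - (src_ip, dst_ip, dst_port) for every packet matching the signature
    scanners - sources sending port-4000 UDP to at least FANOUT_THRESHOLD distinct targets
    """
    hits = []
    targets = defaultdict(set)
    for raw in raw_packets:
        pkt = parse_packet(raw)
        if pkt is None:
            continue
        src_ip, dst_ip, src_port, dst_port, _ = pkt
        if is_witty_packet(pkt):
            hits.append((src_ip, dst_ip, dst_port))
        if src_port == ICQ_SRC_PORT:
            targets[src_ip].add((dst_ip, dst_port))
    scanners = sorted(src for src, seen in targets.items() if len(seen) >= FANOUT_THRESHOLD)
    return hits, scanners


def sample_capture():
    """Constructed sample traffic: one worm-like source plus benign and non-UDP noise."""
    worm_payload = b"\x05\x00" + b"\x00" * 8 + WITTY_TEXT + b"\x90" * 16
    pkts = []
    # 15 datagrams from one host to distinct destinations and ports, always from UDP 4000
    for i in range(15):
        pkts.append(build_udp_packet("198.51.100.7", f"203.0.113.{i + 1}",
                                     ICQ_SRC_PORT, 1024 + i * 37, worm_payload))
    # A legitimate ICQ server reply also comes from UDP 4000 but carries no worm text
    pkts.append(build_udp_packet("192.0.2.10", "192.0.2.20", ICQ_SRC_PORT, 1157,
                                 b"\x05\x00" + b"\x00" * 8 + b"\x0a\x00"))
    # The worm text on a non-ICQ source port matches neither rule
    pkts.append(build_udp_packet("192.0.2.30", "192.0.2.40", 5000, 4000, worm_payload))
    # A TCP packet (protocol 6) is rejected by the parser
    tcp = bytearray(pkts[0])
    tcp[9] = 6
    pkts.append(bytes(tcp))
    return pkts


def run_example():
    return analyze(sample_capture())


if __name__ == "__main__":
    hits, scanners = run_example()
    print(f"{len(hits)} signature hits; scanning sources: {scanners}")
```

A rule keyed on the destination port would miss every packet, because the worm randomizes it; a rule keyed only on source port 4000 would also fire on legitimate ICQ server replies, which is why the sample set includes one and why the payload match and the fan-out count are reported separately.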

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fix, available at the ISS Download Center:

http://www.iss.net/download/

The following fixed versions are available:

Proventia A Series XPU 22.12
Proventia G Series XPU 22.12
Proventia M Series XPU 1.10

Vendor URL:  xforce.iss.net/xforce/alerts/id/166 (Links to External Site)
Cause:   Boundary error

Message History:   This archive entry is a follow-up to the message listed below.
Mar 18 2004 ISS Proventia Buffer Overflow in Processing ICQ Messages May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  Witty Worm


A worm that exploits the ICQ parsing flaw in ISS BlackICE and other products has been 
reported.

The worm sends a spoofed ICQ packet to randomly generated IP addresses with random 
destination ports and a source port of UDP 4000.  On vulnerable systems, the worm may be 
able to execute arbitrary code on the target system.

Once infected, the worm on the infected system will send packets to 20,000 random IP 
addresses and then opens a random physical drive and performs certain operations (the 
anti-virus vendors are uncertain of what it does at this time).  The worm will eventually 
crash.

The worm reportedly includes the following text:

    (^.^)      insert witty message here      (^.^)


References:

http://www.f-secure.com/v-descs/witty.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WITTY.A
http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html



Copyright 2022, SecurityGlobal.net LLC