SecurityTracker.com
SecurityTracker Archives

Category:   Application (Security)  >   RealSecure
Vendors:   Internet Security Systems
(A Worm is Spreading) ISS RealSecure ICQ Buffer Overflow Yields SYSTEM Level Access to Remote Users
SecurityTracker Alert ID:  1009505
SecurityTracker URL:  http://securitytracker.com/id/1009505
CVE Reference:   CVE-2004-0362
Updated:  Mar 23 2004
Original Entry Date:  Mar 20 2004
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): Network 7.0, XPU 22.11 and before, Server Sensor 7.0 XPU 22.11 and before, Server Sensor 6.5 for Windows SR 3.10 and before, Desktop 7.0 ebl and before, Desktop 3.6 ecf and before, Guard 3.6 ecf and before, Sentry 3.6 ecf and before
Description:   A buffer overflow vulnerability was reported in ISS RealSecure in the processing of ICQ messages. A remote user can gain SYSTEM level access.

eEye Digital Security reported that they have discovered a vulnerability in ISS RealSecure and ISS BlackICE. According to ISS, the vulnerability is a buffer overflow in the processing of ICQ protocol response messages.

A remote user can send a specially crafted packet across a network segment monitored by RealSecure, or directly to a desktop running RealSecure, to trigger the flaw and execute arbitrary code on the system running RealSecure. According to the report, a remote user can gain SYSTEM level access on the target system.

A worm that exploits the ICQ parsing flaw in ISS BlackICE and other ISS products has been reported.

The worm sends a spoofed ICQ packet to randomly generated IP addresses, using a random destination port and a UDP source port of 4000. On vulnerable systems, the worm may be able to execute arbitrary code on the target system.

Once a system is infected, the worm on that system sends packets to 20,000 random IP addresses, then opens a random physical drive and performs certain operations on it (the anti-virus vendors are uncertain of what it does at this time). The worm will eventually crash.

The worm reportedly includes the following text:

(^.^) insert witty message here (^.^)
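The propagation characteristics above (a fixed UDP source port of 4000, random destination addresses and ports, and a recognizable text string in the payload) are what a defender can key on. The following Python script is an added example, not part of this advisory or of any ISS or anti-virus vendor tooling: it applies those characteristics as detection heuristics over a constructed flow log. The log line format, the host addresses in the sample, and the thresholds FANOUT_THRESHOLD and DISTINCT_DPORT_RATIO are assumptions made for the example.

```python
"""Flag hosts whose UDP/4000 traffic matches the Witty propagation pattern.

Constructed log format (one flow per line, assumption for this example):
    <timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <payload_hex>
"""
import random
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WITTY_SOURCE_PORT = 4000                      # UDP source port named in the advisory
WITTY_MARKER = b"insert witty message here"   # text the advisory says the worm carries
FANOUT_THRESHOLD = 50        # assumption: distinct destination IPs before a host is flagged
DISTINCT_DPORT_RATIO = 0.8   # assumption: random dports give ~one distinct port per flow


@dataclass
class Flow:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    payload: bytes


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line; return None for malformed input instead of raising."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        return Flow(float(parts[0]), parts[1], int(parts[2]), parts[3],
                    int(parts[4]), parts[5].upper(), bytes.fromhex(parts[6]))
    except ValueError:
        return None


@dataclass
class HostStats:
    dst_ips: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)
    flows: int = 0
    marker_hits: int = 0


def analyze(lines: List[str]) -> Dict[str, List[str]]:
    """Return {src_ip: [reasons]} for sources whose UDP/4000 traffic looks worm-like."""
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for line in lines:
        f = parse_flow(line)
        # Only UDP flows with the worm's fixed source port are of interest here.
        if f is None or f.proto != "UDP" or f.src_port != WITTY_SOURCE_PORT:
            continue
        s = stats[f.src_ip]
        s.flows += 1
        s.dst_ips.add(f.dst_ip)
        s.dst_ports.add(f.dst_port)
        if WITTY_MARKER in f.payload:
            s.marker_hits += 1

    alerts: Dict[str, List[str]] = {}
    for ip, s in stats.items():
        reasons = []
        if s.marker_hits:
            reasons.append(f"payload contains worm marker ({s.marker_hits} packets)")
        # Random targets and random destination ports: high fan-out, few repeated ports.
        if (len(s.dst_ips) >= FANOUT_THRESHOLD
                and len(s.dst_ports) / s.flows >= DISTINCT_DPORT_RATIO):
            reasons.append(f"UDP/4000 fan-out to {len(s.dst_ips)} hosts "
                           f"on {len(s.dst_ports)} distinct ports")
        if reasons:
            alerts[ip] = reasons
    return alerts


def sample_log() -> List[str]:
    """Constructed flow records: one infected host, one DNS client, one benign UDP/4000 app."""
    rng = random.Random(7)
    marker_hex = b"(^.^) insert witty message here (^.^)".hex()
    lines = []
    for i in range(120):  # infected 10.0.0.5 sprays random hosts and ports
        dst = ".".join(str(rng.randint(1, 223)) if j == 0 else str(rng.randint(0, 255))
                       for j in range(4))
        lines.append(f"{1079700000 + i} 10.0.0.5 4000 {dst} "
                     f"{rng.randint(1024, 65535)} udp {marker_hex}")
    for i in range(30):   # benign DNS client, not source port 4000
        lines.append(f"{1079700200 + i} 10.0.0.7 53123 10.0.0.1 53 udp 0001")
    for i in range(30):   # benign app that happens to use UDP/4000 to a single peer
        lines.append(f"{1079700300 + i} 10.0.0.9 4000 10.0.0.20 4000 udp 0002")
    return lines


if __name__ == "__main__":
    for host, why in analyze(sample_log()).items():
        print(host, "->", "; ".join(why))
```

The two heuristics are deliberately independent: the marker string catches this specific worm, while the fan-out check is behavioural and would also surface a variant that changed its payload. In a real deployment the thresholds would be tuned against the site's normal UDP/4000 traffic, since the advisory notes that ICQ itself legitimately uses that port.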

Impact:   A remote user can gain SYSTEM level access on the target system.
Solution:   The vendor has issued a fix, available at the ISS Download Center:

http://www.iss.net/download/

The following fixed versions are available:

RealSecure Network 7.0, XPU 22.12
RealSecure Server Sensor 7.0 XPU 22.12
RealSecure Desktop 7.0 ebm
RealSecure Desktop 3.6 ecg
RealSecure Guard 3.6 ecg
RealSecure Sentry 3.6 ecg
RealSecure Server Sensor 6.5 for Windows SR 3.11

Vendor URL:  www.iss.net/
Cause:   Boundary error
Underlying OS:  Linux (Red Hat Linux), UNIX (Solaris - SunOS), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 9 2004 ISS RealSecure ICQ Buffer Overflow Yields SYSTEM Level Access to Remote Users



Source Message Contents

Subject:  Witty Worm


A worm that exploits the ICQ parsing flaw in ISS BlackICE and other products has been reported.

The worm sends a spoofed ICQ packet to randomly generated IP addresses with random destination ports and a source port of UDP 4000.  On vulnerable systems, the worm may be able to execute arbitrary code on the target system.

Once infected, the worm on the infected system will send packets to 20,000 random IP addresses and then open a random physical drive and perform certain operations (the anti-virus vendors are uncertain of what it does at this time).  The worm will eventually crash.

The worm reportedly includes the following text:

    (^.^)      insert witty message here      (^.^)


References:

http://www.f-secure.com/v-descs/witty.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WITTY.A
http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html

Copyright 2021, SecurityGlobal.net LLC