SecurityTracker.com
SecurityTracker Archives

Category: Application (Firewall) > BlackICE
Vendors: Internet Security Systems
(A Worm is Spreading) ISS BlackICE ICQ Buffer Overflow Yields SYSTEM Level Access to Remote Users
SecurityTracker Alert ID:  1009506
SecurityTracker URL:  http://securitytracker.com/id/1009506
CVE Reference: CVE-2004-0362
Updated:  Mar 23 2004
Original Entry Date:  Mar 20 2004
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): Agent for Server 3.6 ecf and before, PC Protection 3.6 ccf and before, and Server Protection 3.6 ccf and before
Description:   A buffer overflow vulnerability was reported in BlackICE in the processing of ICQ response messages. A remote user can gain SYSTEM level access on the target system.

eEye Digital Security reported that they discovered a vulnerability in ISS RealSecure and ISS BlackICE. ISS confirmed that the component does not properly parse the ICQ protocol.

A remote user can send a specially crafted packet to a target system running BlackICE to trigger the flaw and execute arbitrary code on the target system. According to the report, a remote user can gain SYSTEM level access on the target system.

The ISS advisory is available at xforce.iss.net/xforce/alerts/id/166

A worm that exploits the ICQ parsing flaw in ISS BlackICE and other ISS products has been reported.

The worm sends a spoofed ICQ packet to randomly generated IP addresses with random destination ports and a source port of UDP 4000. On vulnerable systems, the worm may be able to execute arbitrary code on the target system.

Once a system is infected, the worm sends packets to 20,000 random IP addresses, then opens a random physical drive and performs certain operations on it (the anti-virus vendors are uncertain of what it does at this time). The worm will eventually crash.

The worm reportedly includes the following text:

(^.^) insert witty message here (^.^)
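As an added example (not part of the SecurityTracker advisory or of any ISS or anti-virus vendor code), the following Python turns the propagation behaviour described above into a defender's flow-log heuristic. The advisory states that the worm sends UDP datagrams from source port 4000 to randomly generated IP addresses and random destination ports, and that it carries the text "insert witty message here"; legitimate ICQ clients also use UDP/4000 but talk to a handful of fixed servers, so the discriminator is one source fanning out to many distinct endpoints. The `udp SRC:PORT -> DST:PORT` log format, the host addresses, the 50-endpoint threshold and all sample records are constructed for this example.

```python
"""
Flow-log heuristic for Witty-style propagation (added example, constructed data).
Signal: a single host emitting UDP datagrams from source port 4000 to many
distinct destination IP:port pairs, as the advisory describes.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

WITTY_SRC_PORT = 4000  # source port the advisory attributes to the worm (also used by real ICQ)
WITTY_MARKER = b"insert witty message here"  # text the advisory reports inside the worm


@dataclass(frozen=True)
class UdpRecord:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_flow_line(line: str) -> Optional[UdpRecord]:
    """Parse a constructed 'udp SRC:PORT -> DST:PORT' line; None for non-UDP or malformed input."""
    parts = line.split()
    if len(parts) != 4 or parts[0].lower() != "udp" or parts[2] != "->":
        return None
    try:
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        return UdpRecord(src_ip, int(src_port), dst_ip, int(dst_port))
    except ValueError:
        return None


def find_scanning_sources(lines: Iterable[str], min_targets: int = 50) -> dict:
    """Map src_ip -> number of distinct (dst_ip, dst_port) endpoints for hosts that send
    from UDP/4000 to at least min_targets distinct endpoints. Benign ICQ from port 4000
    hits the same few servers repeatedly, so fan-out separates it from the worm."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_flow_line(line)
        if rec is None or rec.src_port != WITTY_SRC_PORT:
            continue
        targets[rec.src_ip].add((rec.dst_ip, rec.dst_port))
    return {ip: len(t) for ip, t in targets.items() if len(t) >= min_targets}


def payload_has_marker(payload: bytes) -> bool:
    """Content check for IDS-style matching: the advisory reports this string in the worm."""
    return WITTY_MARKER in payload


def build_sample_lines(seed: int = 1, infected: str = "10.0.0.5", count: int = 200) -> list:
    """Constructed flow log (hypothetical hosts): one host spraying random IP:port pairs from
    UDP/4000, one host doing ordinary ICQ to a single server, plus unrelated TCP and junk."""
    rng = random.Random(seed)
    lines = []
    for _ in range(count):
        dst = ".".join(str(rng.randrange(0, 256)) for _ in range(4))
        lines.append(f"udp {infected}:{WITTY_SRC_PORT} -> {dst}:{rng.randrange(1, 65536)}")
    lines += ["udp 192.0.2.10:4000 -> 198.51.100.7:4000"] * 300  # benign ICQ: one fixed endpoint
    lines += ["tcp 192.0.2.11:51234 -> 198.51.100.8:443", "garbage line"]
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    for ip, n in find_scanning_sources(build_sample_lines()).items():
        print(f"{ip}: {n} distinct UDP/4000 targets")
    print(payload_has_marker(b"(^.^)      insert witty message here      (^.^)"))
```

The benign ICQ host sends 300 datagrams from port 4000 but to a single endpoint, so it never reaches the threshold; only the constructed infected host is reported. In practice the threshold would be tuned to the site's normal ICQ population, and the payload marker check would run in a content-inspecting sensor rather than on flow records.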

Impact:   A remote user can gain SYSTEM level access on the target system.
Solution:   ISS has released a fix, available at the ISS Download Center:

http://www.iss.net/download

The following fixes are available:

BlackICE PC Protection 3.6 ccg
BlackICE Server Protection 3.6 ccg

Vendor URL: xforce.iss.net/xforce/alerts/id/166
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 9 2004 ISS BlackICE ICQ Buffer Overflow Yields SYSTEM Level Access to Remote Users



Source Message Contents

Subject:  Witty Worm


A worm that exploits the ICQ parsing flaw in ISS BlackICE and other products has been reported.

The worm sends a spoofed ICQ packet to randomly generated IP addresses with random destination ports and a source port of UDP 4000. On vulnerable systems, the worm may be able to execute arbitrary code on the target system.

Once infected, the worm on the infected system will send packets to 20,000 random IP addresses and then opens a random physical drive and performs certain operations (the anti-virus vendors are uncertain of what it does at this time). The worm will eventually crash.

The worm reportedly includes the following text:

    (^.^)      insert witty message here      (^.^)


References:

http://www.f-secure.com/v-descs/witty.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WITTY.A
http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html


Copyright 2022, SecurityGlobal.net LLC