eEye: RealSecure/BlackICE Server Message Block (SMB) Processing Overflow

Feb 27, 2004 1:28AM PST

Release Date: February 26, 2004
Date Reported: February 18, 2004
Severity: High (Remote Code Execution)
Vendor: Internet Security Systems
Systems Affected:
RealSecure Network 7.0, XPU 20.15 through 22.9
RealSecure Server Sensor 7.0 XPU 20.16 through 22.9
Proventia A Series XPU 20.15 through 22.9
Proventia G Series XPU 22.3 through 22.9
Proventia M Series XPU 1.3 through 1.7
RealSecure Desktop 7.0 eba through ebh
RealSecure Desktop 3.6 ebr through ecb
RealSecure Guard 3.6 ebr through ecb
RealSecure Sentry 3.6 ebr through ecb
BlackICE PC Protection 3.6 cbr through ccb
BlackICE Server Protection 3.6 cbr through ccb

Description:
The RealSecure and BlackICE product lines from Internet Security Systems offer host-based intrusion detection/prevention for large servers and home networks. By design, these products attempt to identify and block network attacks and intrusions.

eEye Digital Security has discovered a critical vulnerability in both RealSecure and BlackICE. The vulnerability allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code within the SYSTEM context. This attack will succeed with BlackICE using its most paranoid settings.

This specific flaw exists within the component that handles the processing of Server Message Block (SMB) packets. By issuing an authentication request with a long username value, a direct heap overwrite is triggered, and reliable code execution is then possible.

Vendor Status:
ISS have released patches for these issues. The patches are available at: http://www.iss.net/download/

http://www.eeye.com/html/Research/Advisories/AD20040226.html
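The advisory above describes the bug class only in one sentence: a length-prefixed username taken from an SMB authentication request is copied into a fixed-size heap record without a bound check. The following C program is an added illustration of that pattern and is not the ISS code, eEye's proof of concept, or the real SMB wire format. The message layout (a 16-bit little-endian length followed by the username bytes), the 64-byte record size, and all function names are assumptions made for the example; the vulnerable parser is shown next to a hardened one that bounds the length by both the bytes actually present in the packet and the destination capacity.

```c
/* Added example: unchecked length-prefixed field copied into a fixed-size
 * heap record (the bug class in the advisory), beside a hardened parser.
 * The packet layout, sizes and names below are constructed for illustration;
 * they are not the ISS implementation and not the real SMB format. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define USERNAME_CAP 64   /* assumed fixed size of the heap record (hypothetical) */

/* Constructed request: [u16 little-endian username length][username bytes] */
struct session_setup {
    char user[USERNAME_CAP];
};

/* Vulnerable pattern: trusts the length field from the wire. A username
 * longer than USERNAME_CAP overwrites whatever follows the record on the
 * heap. Shown for contrast only; never feed it untrusted input. */
static struct session_setup *parse_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2) return NULL;
    uint16_t ulen = (uint16_t)(pkt[0] | (pkt[1] << 8));
    struct session_setup *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    memcpy(s->user, pkt + 2, ulen);   /* ulen is attacker controlled: heap overflow */
    return s;
}

/* Hardened: the claimed length must fit both the remaining packet bytes and
 * the destination record (leaving room for a terminator). */
static struct session_setup *parse_hardened(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2) return NULL;
    uint16_t ulen = (uint16_t)(pkt[0] | (pkt[1] << 8));
    if (ulen > pkt_len - 2) return NULL;      /* claims more bytes than were received */
    if (ulen >= USERNAME_CAP) return NULL;    /* would not fit the record */
    struct session_setup *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    memcpy(s->user, pkt + 2, ulen);
    s->user[ulen] = '\0';
    return s;
}

/* Build a constructed request carrying a username of n bytes of 'A'.
 * Returns the packet length, or 0 if it does not fit the output buffer. */
static size_t build_request(uint8_t *out, size_t out_cap, size_t n)
{
    if (n > 0xFFFF || n + 2 > out_cap) return 0;
    out[0] = (uint8_t)(n & 0xFF);
    out[1] = (uint8_t)(n >> 8);
    memset(out + 2, 'A', n);
    return n + 2;
}

/* 1 if the hardened parser accepts a username of n bytes, 0 if it rejects it. */
static int hardened_accepts(size_t n)
{
    uint8_t buf[4096];
    size_t len = build_request(buf, sizeof buf, n);
    if (len == 0) return 0;
    struct session_setup *s = parse_hardened(buf, len);
    int ok = (s != NULL);
    free(s);
    return ok;
}

/* 1 if the hardened parser rejects a packet whose length field claims more
 * username bytes (100) than the packet actually carries (10). */
static int hardened_rejects_short_packet(void)
{
    uint8_t buf[2 + 10] = { 100, 0 };
    memset(buf + 2, 'A', 10);
    return parse_hardened(buf, sizeof buf) == NULL;
}

/* Length of the username the vulnerable parser stores for a benign n-byte
 * request (n must stay below USERNAME_CAP so the demonstration itself is safe). */
static size_t vulnerable_stored_len(size_t n)
{
    uint8_t buf[256];
    size_t len = build_request(buf, sizeof buf, n);
    struct session_setup *s = parse_vulnerable(buf, len);
    size_t out = s ? strlen(s->user) : 0;  /* calloc zeroed the record, so it is terminated */
    free(s);
    return out;
}

int main(void)
{
    printf("hardened accepts 8-byte user:   %d\n", hardened_accepts(8));
    printf("hardened accepts 64-byte user:  %d\n", hardened_accepts(64));
    printf("hardened rejects short packet:  %d\n", hardened_rejects_short_packet());
    printf("vulnerable stores 8-byte user:  %zu\n", vulnerable_stored_len(8));
    return 0;
}
```

The two checks in parse_hardened are independent: the first stops a read past the end of the received packet, the second stops the write past the end of the heap record, which is the condition the advisory describes. Checking only one of them leaves the other bug in place.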