CVE-2004-0362
published 2004-04-15

Priority: P2 (61, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 73.33% (99.4th percentile)
Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm.

Affected

93 version ranges on the full record, 25 shown:

Vendor  Product                      Ranges shown
iss     blackice_agent_server        7
iss     blackice_pc_protection       7
iss     blackice_server_protection   7
iss     proventia_a_series_xpu       4

Detection & IOCs (extracted from sources)

filename: iss_pam1.dll
filename: iss-pam1.dll
path: C:\Program Files\ISS\BlackICE
port: 4000/udp
bytes: \x05\x00\x00\x00\x00\x00\x00\x12\x02
bytes: \x05\x00\x00\x00\x00\x00\x00\xde\x03
bytes: \xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01\xfc\xff\xff\x83\xe4\xfc
  • The exploit binds locally to UDP port 4000 and sends the overflow as a single UDP datagram (~1199 bytes). A single oversized UDP datagram to a BlackICE/RealSecure host, on any port (the destination port is randomised), carrying the ICQ SRV_MULTI + SRV_META_USER structure is a strong indicator.
  • The exploit packet can be sent to a broadcast address and with a spoofed source IP. Network detection should not rely solely on source IP matching; inspect the payload for the ICQ opcode sequence 0x0212 / 0x006e / 0x03de within a single UDP datagram.
  • The Metasploit module uses a payload space of 469 bytes (504-31-4) with no NOPs and a stack adjustment of -3500. The overflow overwrites the return address; the known RET gadget addresses 0x5e0a47ef and 0x5e0da1db lie inside iss-pam1.dll itself, so monitoring for control transfers to those DLL-specific addresses is viable.
  • The ISS exception handler recovers the process after each overflow, which enables brute-force exploitation. Repeated UDP datagrams with the same ICQ SRV_MULTI/SRV_META_USER structure in a short time window (a brute-force pattern) should be alerted on.
  • The destination UDP port is randomised by the Metasploit module (rand(65536)), so port-based filtering alone will not reliably block or detect this exploit.
  • The exploit packet can be sent to a broadcast address, so a single datagram can reach every host on a subnet at once. Perimeter firewall rules that only block inbound UDP to individual host IPs are insufficient; inbound broadcast UDP must be filtered as well.
  • The source IP of the exploit packet can be spoofed, so source-IP-based ACLs or reputation blocking will not prevent exploitation.