{"vuid":"VU#947254","idnumber":"947254","name":"Internet Security Systems Protocol Analysis Module (PAM) does not properly handle ICQ server response messages","keywords":["Internet Security Systems","RealSecure","BlackICE","EEYEB-20040308","ICQ","PAM"],"overview":"The Protocol Analysis Module (PAM) used by Internet Security Systems (ISS) intrusion detection and prevention products does not properly handle ICQ server response messages. An unauthenticated, remote attacker could execute arbitrary code by sending a specially crafted UDP packet.","clean_desc":"ISS intrusion detection and prevention products include a component that performs application layer inspection of the ICQ protocol. From the ISS Alert: The Protocol Analysis Module (PAM) facilitates the parsing of network protocols in order to perform further analysis and attack detection. ICQ is a popular instant messaging application developed by ICQ Inc., a subsidiary of America Online. In order to detect attacks targeting instant messaging software, PAM parses several IM protocols including ICQ. A UDP packet with a source port of 4000 is handled by the PAM as an ICQ server response message. The PAM contains a stack buffer overflow in code that parses ICQ server response messages. An unauthenticated, remote attacker could exploit this vulnerability with a specially crafted UDP packet. In most cases, it is trivial for an attacker to spoof the source of a UDP packet. Since RealSecure and BlackICE products listen on the broadcast interface, an attacker may be able to reach multiple targets with one packet. As noted in the ISS Alert, ISS Proventia, RealSecure, and BlackICE products share the vulnerable PAM code.","impact":"An unauthenticated, remote attacker could execute arbitrary code with the privileges of the process running the PAM. RealSecure and BlackICE products run on Microsoft Windows platforms with SYSTEM privileges.\nAn Internet worm called \"Witty\" exploits this vulnerability in RealSecure and BlackICE products on Windows systems (Proventia products are not affected). The worm overwrites sections of the target system's hard drive, which could corrupt stored data and render the target system inoperable. For more information, please see the ISS Alert.","resolution":"Upgrade\nUpgrade as specified in the ISS Alert. ISS distributed updates prior to the public release of information about this vulnerability.","workarounds":"Block or restrict access\nBlock UDP packets with a source port of 4000. Note that this will prevent ICQ applications from operating.","sysaffected":"","thanks":"This vulnerability was reported by eEye Digital Security.","author":"This document was written by Art Manion and Jason A. Rafail.","public":["http://www.eeye.com/html/Research/Upcoming/20040308.html","http://www.eeye.com/html/Research/Advisories/AD20040318.html","http://xforce.iss.net/xforce/alerts/id/166","http://xforce.iss.net/xforce/alerts/id/167","http://www.iss.net/download/","http://secunia.com/advisories/11073/","http://www.securityfocus.com/bid/9913","http://www.caida.org/research/security/witty/"],"cveids":["CVE-2004-0362"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-03-10T14:41:45Z","publicdate":"2004-03-08T00:00:00Z","datefirstpublished":"2004-03-20T21:37:05Z","dateupdated":"2009-06-12T21:38:00Z","revision":42,"vrda_d1_directreport":"0","vrda_d1_population":"1","vrda_d1_impact":"4","cam_widelyknown":"18","cam_exploitation":"12","cam_internetinfrastructure":"11","cam_population":"10","cam_impact":"20","cam_easeofexploitation":"11","cam_attackeraccessrequired":"18","cam_scorecurrent":"30.4425","cam_scorecurrentwidelyknown":"31.9275","cam_scorecurrentwidelyknownexploited":"37.8675","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":30.4425,"vulnote":null}