List:       nfr-users
Subject:    [nfr-users] RAPID RESPONSE - SMB Session AndX Long Account Name Version 1
From:       Tim Otis <tim () nfr ! net>
Date:       2004-02-28 1:19:08
Message-ID: Pine.BSF.4.58.0402272018150.72532 () codered ! hq ! nfr ! net

SMB Session AndX Long Account Name Version 1

OVERVIEW

A packet with characteristics of a RealSecure/BlackICE SMB parser heap
overflow attack was observed.


TECHNICAL INFORMATION

SMB Session Setup AndX packets usually contain SMB authentication
dialogue and login information.  An SMB Session Setup AndX packet containing
a long username value will trigger a heap overwrite in the SMB message-parsing
routines in certain BlackICE/RealSecure products.

Vulnerable Systems include:

RealSecure Network 7.0, XPU 20.15 through 22.9
RealSecure Server Sensor 7.0 XPU 20.16 through 22.9
Proventia A Series XPU 20.15 through 22.9
Proventia G Series XPU 22.3 through 22.9
Proventia M Series XPU 1.3 through 1.7
RealSecure Desktop 7.0 eba through ebh
RealSecure Desktop 3.6 ebr through ecb
RealSecure Guard 3.6 ebr through ecb
RealSecure Sentry 3.6 ebr through ecb
BlackICE PC Protection 3.6 cbr through ccb
BlackICE Server Protection 3.6 cbr through ccb


WHY THIS IS IMPORTANT

A successful attack on an unpatched machine can lead to arbitrary code
execution.


REFERENCES

Vulnerability in SMB Parsing in ISS Products
http://xforce.iss.net/xforce/alerts/id/165

RealSecure/BlackICE Server Message Block (SMB) Processing Overflow
http://www.eeye.com/html/Research/Advisories/AD20040226.html

_______________________________________________
nfr-users mailing list
nfr-users@nfr.com
http://list.nfr.com/mailman/listinfo/nfr-users
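
The check the signature name describes, as an added Python example (not NFR's signature code and not from the advisory): it parses an SMB1 Session Setup AndX request in the 13-word, pre-extended-security layout and flags an overlong AccountName. The 256-character threshold, the function names and the sample builder are assumptions made for illustration.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SESSION_SETUP_ANDX = 0x73      # SMB1 command code
FLAGS2_UNICODE = 0x8000        # strings are UTF-16LE when set
MAX_ACCOUNT_CHARS = 256        # assumed threshold, not stated in the advisory

def account_name(smb):
    """AccountName of a WordCount=13 Session Setup AndX request, else None."""
    if (len(smb) < 61 or smb[:4] != SMB_MAGIC
            or smb[4] != SESSION_SETUP_ANDX or smb[32] != 13):
        return None
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    oem_len, uni_len = struct.unpack_from("<HH", smb, 33 + 14)  # password lengths
    byte_count = struct.unpack_from("<H", smb, 59)[0]
    end = min(len(smb), 61 + byte_count)   # never trust ByteCount past the buffer
    pos = 61 + oem_len + uni_len           # skip both password fields
    if pos > end:
        return None
    if flags2 & FLAGS2_UNICODE:
        pos += pos & 1                     # pad to a 16-bit boundary from header start
        i = pos
        while i + 1 < end and smb[i:i + 2] != b"\x00\x00":
            i += 2
        return smb[pos:i].decode("utf-16-le", "replace")
    i = smb.find(b"\x00", pos, end)        # unterminated name runs to end of data
    return smb[pos:(end if i < 0 else i)].decode("latin-1")

def long_account_name(smb):
    """True when the request carries an AccountName above the threshold."""
    name = account_name(smb)
    return name is not None and len(name) > MAX_ACCOUNT_CHARS

def build_sample(user, unicode_strings=True):
    """Constructed test input: minimal request with empty password fields."""
    flags2 = FLAGS2_UNICODE if unicode_strings else 0
    hdr = (SMB_MAGIC + bytes([SESSION_SETUP_ANDX]) + b"\0" * 4 + b"\x08"
           + struct.pack("<H", flags2) + b"\0" * 20)
    params = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 10, 0, 0, 0, 0, 0, 0)
    if unicode_strings:
        data = b"\0" + "".join(s + "\0" for s in (user, "WORKGROUP")).encode("utf-16-le")
    else:
        data = (user + "\0WORKGROUP\0").encode("latin-1")
    return hdr + b"\x0d" + params + struct.pack("<H", len(data)) + data

if __name__ == "__main__":
    for u in ("alice", "A" * 600):
        print(len(u), long_account_name(build_sample(u)))
```

The input is the SMB message with the 4-byte NetBIOS session header already stripped; requests using the extended-security (12-word) layout return None and are out of scope for this sketch.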