Vulnerabilities > CVE-2004-0362 - Buffer Overflow vulnerability in Internet Security Systems Protocol Analysis Module ICQ Parsing
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm.
Vulnerable Configurations
Exploit-Db
description RealSecure / Blackice iss_pam1.dll Remote Overflow Exploit. CVE-2004-0362. Remote exploit for windows platform id EDB-ID:168 last seen 2016-01-31 modified 2004-03-28 published 2004-03-28 reporter Sam source https://www.exploit-db.com/download/168/ title RealSecure / Blackice iss_pam1.dll Remote Overflow Exploit description ISS PAM.dll ICQ Parser Buffer Overflow. CVE-2004-0362. Remote exploit for windows platform id EDB-ID:16464 last seen 2016-02-01 modified 2010-09-20 published 2010-09-20 reporter metasploit source https://www.exploit-db.com/download/16464/ title ISS PAM.dll ICQ Parser Buffer Overflow
Metasploit
| description | This module exploits a stack buffer overflow in the ISS products that use the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation will result in arbitrary code execution as LocalSystem. This exploit only requires 1 UDP packet, which can be both spoofed and sent to a broadcast address. The ISS exception handler will recover the process after each overflow, giving us the ability to bruteforce the service and exploit it multiple times. |
| id | MSF:EXPLOIT/WINDOWS/FIREWALL/BLACKICE_PAM_ICQ |
| last seen | 2020-05-23 |
| modified | 2017-07-24 |
| published | 2007-01-07 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/firewall/blackice_pam_icq.rb |
| title | ISS PAM.dll ICQ Parser Buffer Overflow |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/83212/blackice_pam_icq.rb.txt |
| id | PACKETSTORM:83212 |
| last seen | 2016-12-05 |
| published | 2009-11-26 |
| reporter | spoonm |
| source | https://packetstormsecurity.com/files/83212/ISS-PAM.dll-ICQ-Parser-Buffer-Overflow.html |
| title | ISS PAM.dll ICQ Parser Buffer Overflow |
References
- http://marc.info/?l=bugtraq&m=107965651712378&w=2
- http://secunia.com/advisories/11073
- http://www.ciac.org/ciac/bulletins/o-104.shtml
- http://www.eeye.com/html/Research/Advisories/AD20040318.html
- http://www.kb.cert.org/vuls/id/947254
- http://www.osvdb.org/4355
- http://www.securityfocus.com/bid/9913
- http://xforce.iss.net/xforce/alerts/id/166
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15442
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15543