Juniper Networks
Signature Detail

Short Name: SMB:EXPLOIT:ISS-ACCOUNTNAME-OF
Severity: Critical
Recommended: No
Recommended Action: Drop
Category: SMB
Keywords: ISS AccountName Overflow Exploit
Release Date: 2005/01/28
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

SMB: ISS AccountName Overflow Exploit


This signature detects buffer overflow attempts against an Internet Security Systems (ISS) Intrusion Detection device. Attackers may send an excessively long AccountName argument in an SMB packet to overflow a buffer inside the device, enabling them to remotely execute code with SYSTEM privileges.

Extended Description

The Internet Security Systems (ISS) Protocol Analysis Module, included in multiple ISS products, is prone to a remotely exploitable heap overrun vulnerability. The issue exists in the SMB parsing routines provided by the module and is due to insufficient bounds checking of protocol fields. It could potentially be exploited to execute arbitrary code on systems hosting the vulnerable software, resulting in system compromise.

Affected Products

  • IBM BlackICE PC Protection 3.6.0 cbr
  • IBM BlackICE PC Protection 3.6.0 cbz
  • IBM BlackICE PC Protection 3.6.0 ccb
  • IBM BlackICE Server Protection 3.6.0 cbr
  • IBM BlackICE Server Protection 3.6.0 cbz
  • IBM BlackICE Server Protection 3.6.0 ccb
  • IBM Proventia A Series XPU 20.15
  • IBM Proventia A Series XPU 22.9
  • IBM Proventia G Series XPU 22.3
  • IBM Proventia G Series XPU 22.9
  • IBM Proventia M Series XPU 1.3
  • IBM Proventia M Series XPU 1.7
  • IBM RealSecure Desktop 3.6.0 ebr
  • IBM RealSecure Desktop 3.6.0 eca
  • IBM RealSecure Desktop 3.6.0 ecb
  • IBM RealSecure Desktop 7.0.0 eba
  • IBM RealSecure Desktop 7.0.0 ebg
  • IBM RealSecure Desktop 7.0.0 ebh
  • IBM RealSecure Guard 3.6.0 ebr
  • IBM RealSecure Guard 3.6.0 ecb
  • IBM RealSecure Network Sensor 7.0.0 XPU 20.11
  • IBM RealSecure Network Sensor 7.0.0 XPU 22.9
  • IBM RealSecure Sentry 3.6.0 ebr
  • IBM RealSecure Sentry 3.6.0 ecb
  • IBM RealSecure Server Sensor 7.0.0 XPU 20.16
  • IBM RealSecure Server Sensor 7.0.0 XPU 20.18
  • IBM RealSecure Server Sensor 7.0.0 XPU 20.19
  • IBM RealSecure Server Sensor 7.0.0 XPU 22.9

References

  • BugTraq: 9752
  • CVE: CVE-2004-0193
  • URL: http://xforce.iss.net/xforce/alerts/id/165

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.