TAIWAN
2004-03-02, 09:10 PM
ISS RealSecure 及 BlackICE SMB 緩衝區漏洞
An IDS/IPS system, by its very nature, requires that every packet entering a system be parsed and dealt with accordingly. When BlackICE and RealSecure encounter an SMB packet, the packet is analyzed, processed and re-assembled. It is during this assembly phase that our custom data is passed to an insufficiently sized heap-based buffer. All processing is conducted before any authentication.
To successfully replicate this vulnerability only one SMB packet is required. The client must issue an "SMB Session Setup AndX request". This SMB is used to "set up" a session previously established with the negotiate protocol. A primary function of this request is to perform a user login to a remote host. As neither RealSecure nor BlackICE require the state to be kept, no previous negotiation is required. To cause a reliable heap overwrite, the AccountName parameter should contain a string with a length of 300 bytes or greater.
請速至 ISS 原廠網站 http://www.iss.net 更新
An IDS/IPS system, by its very nature, requires that every packet entering a system be parsed and dealt with accordingly. When BlackICE and RealSecure encounter an SMB packet, the packet is analyzed, processed and re-assembled. It is during this assembly phase that our custom data is passed to an insufficiently sized heap-based buffer. All processing is conducted before any authentication.
To successfully replicate this vulnerability only one SMB packet is required. The client must issue an "SMB Session Setup AndX request". This SMB is used to "set up" a session previously established with the negotiate protocol. A primary function of this request is to perform a user login to a remote host. As neither RealSecure nor BlackICE require the state to be kept, no previous negotiation is required. To cause a reliable heap overwrite, the AccountName parameter should contain a string with a length of 300 bytes or greater.
請速至 ISS 原廠網站 http://www.iss.net 更新