Heap Overflow Vulnerability in ISS RealSecure and BlackICE Servers

Reported February 26, 2004 by eEye Digital Security.





Affected products:

  • RealSecure Network 7.0, XPU 20.15 through 22.9

  • RealSecure Server Sensor 7.0 XPU 20.16 through 22.9

  • Proventia A Series XPU 20.15 through 22.9

  • Proventia G Series XPU 22.3 through 22.9

  • Proventia M Series XPU 1.3 through 1.7

  • RealSecure Desktop 7.0 eba through ebh

  • RealSecure Desktop 3.6 ebr through ecb

  • RealSecure Guard 3.6 ebr through ecb

  • RealSecure Sentry 3.6 ebr through ecb

  • BlackICE PC Protection 3.6 cbr through ccb

  • BlackICE Server Protection 3.6 cbr through ccb




A heap-overflow vulnerability in RealSecure and BlackICE servers can result in arbitrary code execution on the vulnerable server. The flaw is in the component that processes Server Message Block (SMB) packets: by issuing an authentication request with a long username value, an attacker can trigger a direct heap overwrite and subsequently execute code.



Internet Security Systems has released patches for the affected servers and recommends that affected users immediately apply them.


Discovered by Barnaby Jack.
