This is a multi-part message in MIME format.

------=_NextPart_000_002E_01C53C57.7A3E6D20
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

||=20
|| [ISR]         =20
|| Infobyte Security Research=20
|| www.infobyte.com.ar
|| 04.08.2005=20
||


.:: SUMMARY

ISS - Internet Security Systems, RealSecure Desktop and BlackICE PC =
Protection
Format String

Version: BlackIce 7.0.322, It is suspected that all previous versions of =
BlackIce
are vulnerable.

.:: BACKGROUND

BlackICE products provide Intrusion Detection, personal firewall, and =
application protection.

    http://www.iss.com   =20

.:: DESCRIPTION

A local format string vulnerability affect RealSecure Desktop and =
BlackICE PC Protection
This issue is due to a failure of the application to securely copy =
user-supplied data into
field name of rules that user create.

Buffer used: AAAA%n%n%n%n

Information of Registers:
EAX 41414141
ECX 00000004
EDX 00000200
EBX 0000006E
ESP 0012E578
EBP 0012E7D0
ESI 0012E82A ASCII "%n, "
EDI 00000800
EIP 7800FB05 MSVCRT.7800FB05
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 0038 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_ALREADY_EXISTS (000000B7)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -NAN FFFF FFF8FCF8 FFF8FCF8
ST1 empty -??? FFFF 00000000 00000000
ST2 empty -??? FFFF 00FE00F7 00FB00F7
ST3 empty -??? FFFF 00FE00F7 00FB00F7
ST4 empty -NAN FFFF FFF8FCF8 FFF8FCF8
ST5 empty -??? FFFF 00FF00F8 00FC00F8
ST6 empty -??? FFFF 00000000 00000000
ST7 empty -??? FFFF 00800080 00800080
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

.:: EXTRA

We did not find any way to gain additional privileges


.:: DISCLOSURE TIMELINE

03/22/2005  Initial vendor notification
03/25/2005  Initial vendor response
04/08/2005  Public disclosure

.:: CREDIT

Francisco Amato is credited with discovering this vulnerability.
famato][at][infobyte][dot][com][dot][ar

.:: LEGAL NOTICES

Copyright (c) 2005 by [ISR] Infobyte Security Research.
Permission to redistribute this alert electronically is granted as long =
as it is not=20
edited in any way unless authorized by Infobyte Security Research =
Response.=20
Reprinting the whole or part of this alert in any medium other than =
electronically=20
requires permission from infobyte com ar

Disclaimer
The information in the advisory is believed to be accurate at the time =
of publishing=20
based on currently available information. Use of the information =
constitutes acceptance=20
for use in an AS IS condition. There are no warranties with regard to =
this information.=20
Neither the author nor the publisher accepts any liability for any =
direct, indirect, or=20
consequential loss or damage arising from use of, or reliance on, this =
information.

------=_NextPart_000_002E_01C53C57.7A3E6D20
Content-Type: text/html;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1491" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff><PRE>||=20
|| [ISR]         =20
|| Infobyte Security Research=20
|| www.infobyte.com.ar
|| 04.08.2005=20
||


.:: SUMMARY

ISS - Internet Security Systems, RealSecure Desktop and BlackICE PC =
Protection
Format String

Version: BlackIce 7.0.322, It is suspected that all previous versions of =
BlackIce
are vulnerable.

.:: BACKGROUND

BlackICE products provide Intrusion Detection, personal firewall, and =
application protection.

    http://www.iss.com   =20

.:: DESCRIPTION

A local format string vulnerability affect RealSecure Desktop and =
BlackICE PC Protection
This issue is due to a failure of the application to securely copy =
user-supplied data into
field name of rules that user create.

Buffer used: AAAA%n%n%n%n

Information of Registers:
EAX 41414141
ECX 00000004
EDX 00000200
EBX 0000006E
ESP 0012E578
EBP 0012E7D0
ESI 0012E82A ASCII "%n, "
EDI 00000800
EIP 7800FB05 MSVCRT.7800FB05
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 0038 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_ALREADY_EXISTS (000000B7)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -NAN FFFF FFF8FCF8 FFF8FCF8
ST1 empty -??? FFFF 00000000 00000000
ST2 empty -??? FFFF 00FE00F7 00FB00F7
ST3 empty -??? FFFF 00FE00F7 00FB00F7
ST4 empty -NAN FFFF FFF8FCF8 FFF8FCF8
ST5 empty -??? FFFF 00FF00F8 00FC00F8
ST6 empty -??? FFFF 00000000 00000000
ST7 empty -??? FFFF 00800080 00800080
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

.:: EXTRA

We did not find any way to gain additional privileges


.:: DISCLOSURE TIMELINE

03/22/2005  Initial vendor notification
03/25/2005  Initial vendor response
04/08/2005  Public disclosure

.:: CREDIT

Francisco Amato is credited with discovering this vulnerability.
famato][at][infobyte][dot][com][dot][ar

.:: LEGAL NOTICES

Copyright (c) 2005 by [ISR] Infobyte Security Research.
Permission to redistribute this alert electronically is granted as long =
as it is not=20
edited in any way unless authorized by Infobyte Security Research =
Response.=20
Reprinting the whole or part of this alert in any medium other than =
electronically=20
requires permission from infobyte com ar

Disclaimer
The information in the advisory is believed to be accurate at the time =
of publishing=20
based on currently available information. Use of the information =
constitutes acceptance=20
for use in an AS IS condition. There are no warranties with regard to =
this information.=20
Neither the author nor the publisher accepts any liability for any =
direct, indirect, or=20
consequential loss or damage arising from use of, or reliance on, this =
information.
</PRE>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

------=_NextPart_000_002E_01C53C57.7A3E6D20--