COMMAND

    IRIS

SYSTEMS AFFECTED

    eEye Iris 1.01, SpyNet CaptureNet v3.12

PROBLEM

    The USSR Team has reported a problem in eEye Iris 1.01, which  they
    describe as a heap memory buffer overflow.  It causes this  network
    sniffer to drive system resource usage up to 100% until the program
    crashes.

    The vulnerability is triggered by sending many UDP packets to random
    ports on the host on which Iris or SpyNet CaptureNet is running.  A
    screenshot of the resulting crash:

        http://www.ussrback.com/iriscrash.jpg

    DoS code (binary and source, Win32 console):

        http://www.ussrback.com/iris101d.zip

    Indeed, system resource usage does go to 100%.  That is because the
    "DoS" program goes into a sendto() loop and sends thousands of
    packets, each of which Iris has to redraw on screen.  Any Windows
    program that has to redraw massive amounts of information very
    quickly is going to consume a lot of processing power, just as the
    "exploit" program consumes 100% of the attacker's own system
    resources once it enters its sendto() loop.
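    The traffic that triggers this is distinctive: one source spraying
    UDP datagrams at many random ports on a single host, far faster than
    any legitimate client would.  The following Python is an added
    example, not the USSR Team's tool and not anything from eEye, that
    flags that pattern in a constructed, synthetic packet log.  The log
    line format, the host addresses and the thresholds (200 datagrams to
    50 or more distinct ports within one second) are assumptions chosen
    for the example, not values taken from the advisory.

```python
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line):
    """Parse one line of the constructed log format used here:
    '<ts> <src> > <dst>:<dport> <proto>' (an assumption, not Iris's format)."""
    ts, src, _, dst_and_port, proto = line.split()
    dst, dport = dst_and_port.rsplit(":", 1)
    return Packet(float(ts), src, dst, proto.lower(), int(dport))


def detect_udp_spray(packets, window=1.0, min_packets=200, min_ports=50):
    """Return one alert per (src, dst) pair that, within some sliding
    `window` seconds, sent at least `min_packets` UDP datagrams spread
    over at least `min_ports` distinct destination ports.  Each alert is
    (src, dst, peak_packets_in_window, distinct_ports_in_that_window)."""
    by_pair = defaultdict(list)
    for p in packets:
        if p.proto == "udp":
            by_pair[(p.src, p.dst)].append(p)

    alerts = []
    for (src, dst), pkts in by_pair.items():
        pkts.sort(key=lambda p: p.ts)
        port_counts = defaultdict(int)   # ports currently inside the window
        start = 0
        peak = (0, 0)
        for end, p in enumerate(pkts):
            port_counts[p.dport] += 1
            # slide the window: expire packets older than `window` seconds
            while pkts[start].ts < p.ts - window:
                old = pkts[start]
                port_counts[old.dport] -= 1
                if port_counts[old.dport] == 0:
                    del port_counts[old.dport]
                start += 1
            n, distinct = end - start + 1, len(port_counts)
            if n >= min_packets and distinct >= min_ports:
                peak = max(peak, (n, distinct))
        if peak[0]:
            alerts.append((src, dst, peak[0], peak[1]))
    return alerts


def sample_log(seed=1):
    """Constructed sample traffic (not a real capture): a flood of 1000
    UDP datagrams to random high ports within half a second, mixed with
    ordinary DNS lookups and some TCP that the detector must ignore."""
    rng = random.Random(seed)
    lines = []
    for i in range(1000):                      # the spray: 2000 pps
        lines.append(f"{i / 2000:.4f} 10.0.0.9 > 10.0.0.5:{rng.randint(1024, 65535)} UDP")
    for i in range(200):                       # benign DNS: 20 pps, one port
        lines.append(f"{i / 20:.4f} 10.0.0.7 > 10.0.0.53:53 UDP")
    for i in range(300):                       # TCP is out of scope here
        lines.append(f"{i / 100:.4f} 10.0.0.7 > 10.0.0.5:80 TCP")
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    for src, dst, n, ports in detect_udp_spray(map(parse_line, sample_log())):
        print(f"UDP spray: {src} -> {dst}: {n} datagrams to {ports} ports in 1s")
```

    The distinct-port condition is what separates this pattern from a
    plain flood at one service port: a busy DNS resolver can legitimately
    see hundreds of datagrams per second on port 53, but nothing benign
    sends hundreds of datagrams to hundreds of different ports on one host
    inside a second.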

    When Iris is opened, it writes out a file called "settings.html" and
    deletes it again on exit.  So far so good; however, if one creates a
    "settings.html" and sets it read-only, the program refuses to  load,
    and only loads properly once that file has been removed.  This is  a
    minor example, but it shows the carelessness of the coding involved.

SOLUTION

    Iris  1.01  is  _BETA_.   SpyNet  was  purchased  by  eEye Digital
    Security a  few months  back.   SpyNet is  no longer supported and
    all SpyNet customers should contact us for a free upgrade to Iris.

    This "DoS" is not possible over the Internet unless the  attacking
    machine and the target machine have better than a DS3.

    If you are really worried about this, then until Iris is out of beta
    and the "problem" is fixed, we recommend that you turn off  Iris's
    Capture packet display feature and use Iris's decode view instead.
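    The underlying design flaw is that the capture path and the display
    path are coupled: every received packet forces a redraw, so whoever
    controls the packet rate controls how much CPU the sniffer burns.
    The following Python is an added example, not eEye's code, that
    simulates that coupling beside the usual fix: buffer packets as they
    arrive, keep only a bounded number of rows, and repaint at most a
    fixed number of times per second.  The packet rates, the row limit
    and the refresh interval are assumptions made for the example.

```python
from collections import deque


class PerPacketDisplay:
    """The fragile pattern: every captured packet triggers a repaint, so
    CPU spent on drawing grows linearly with the attacker's packet rate."""

    def __init__(self):
        self.rows = []
        self.redraws = 0

    def on_packet(self, ts, pkt):
        self.rows.append(pkt)
        self.redraws += 1        # stand-in for a full screen repaint


class CoalescingDisplay:
    """The hardened pattern: packets go into a bounded buffer and the screen
    is repainted at most once per `min_interval` seconds, so drawing cost is
    bounded by the refresh rate rather than by the arrival rate."""

    def __init__(self, max_rows=1000, min_interval=0.1):
        self.pending = deque(maxlen=max_rows)   # oldest rows fall off the end
        self.rows = []
        self.redraws = 0
        self.min_interval = min_interval
        self.last_redraw = float("-inf")

    def on_packet(self, ts, pkt):
        self.pending.append(pkt)
        if ts - self.last_redraw >= self.min_interval:
            self.flush(ts)

    def flush(self, ts):
        """Repaint once from the buffer (a real UI would also call this
        from an idle timer so the last packets of a burst get shown)."""
        self.rows = list(self.pending)
        self.redraws += 1
        self.last_redraw = ts


def simulate(display, packets_per_second=10000, duration=1.0):
    """Feed `display` a synthetic flood (constructed input, not a capture)
    and return (repaints performed, rows held afterwards)."""
    n = int(packets_per_second * duration)
    for i in range(n):
        display.on_packet(i / packets_per_second, f"udp pkt {i}")
    if hasattr(display, "flush"):
        display.flush(duration)   # final repaint once the flood stops
    return display.redraws, len(display.rows)


if __name__ == "__main__":
    print("per-packet:", simulate(PerPacketDisplay()))
    print("coalesced: ", simulate(CoalescingDisplay()))
```

    With a ten-thousand-packet burst the per-packet display performs ten
    thousand repaints and keeps every row; the coalescing display
    performs about a dozen and keeps the newest thousand, and doubling or
    tenfold increasing the attacker's rate does not change that count.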

    This appears to be directly related to processing power (or the lack
    of it).  One last thing to add: although this product is beta, it is
    apparently commercially available for a sum of money, making it  a
    legitimate product to be tested (and criticised) for bugs.