BlackICE IDS flaw and patch

Discussion in 'other firewalls' started by Paul Wilders, Feb 10, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    ALERT: ISS BlackICE Kernel Overflow Exploitable

    Release Date:
    February 8th, 2002

    Severity:
    High

    Systems Affected:
    BlackICE Defender 2.9
    BlackICE Defender for Server 2.9
    BlackICE Agent for Workstation 3.0 and 3.1
    BlackICE Agent for Server 3.0 and 3.1
    RealSecure Server Sensor 6.0.1 and 6.5

    Description:
    This is an eEye Digital Security Alert. This is not an Advisory as we did not initially discover this vulnerability. We did, however, provide further research and the following are our findings.

    A few days ago, Matt Taylor (quisit@quest.net)(http://www.securityfocus.com/archive/1/253997) posted to several security mailing lists stating that BlackICE was vulnerable to a Denial of Service attack that could result in the BlackICE service crashing and or blue screening the remote system. There was various talk on mailing lists about the "Denial of Service" attack and what other versions it affected.

    The day after Matt posted his DoS attack against BlackICE to various mailing lists, ISS (Makers of BlackICE) then posted a security advisory to notify clients of the new vulnerability, and provided a work-around until the patch is released. ISS's advisory also described the vulnerability as a Denial of Service attack.

    As of yet we have not seen anyone produce accurate technical information about the "Denial of Service" vulnerability. Ryan Permeh and Riley Hassell, however, conducted research recently that shows the BlackICE "Denial of Service" vulnerability is in fact an exploitable buffer overflow, therefore allowing anyone to remotely compromise users of BlackICE (and potentially RealSecure Server Sensor).

    The research was done against BlackICE Defender 2.9 with a blackice.exe of 3.1.10. We are not sure if the other variants of BlackICE or RealSecure are also exploitable. However, since they are all vulnerable to the same Denial of Service attack we would assume that they are also exploitable.

    The BlackICE buffer overflow exposes a significant flaw that will allow an attacker to execute code within the kernel context. Our testing has shown that by sending only a handful of large ICMP echo request packets (16 60k packets, although it looks like packet size is not important as long as it fragments), we get the kernel to return directly into our ICMP payload.

    Our testing has shown that we have a significant amount of space to work with in our payload, allowing a large number of exploit scenarios. This can include, but not limited to, trojaning the NT kernel.

    The code gets executed within 0xF5XXXXXX, meaning we are clearly within kernel memory space. We have a pointer to more of our code within EBX (roughly 60,000 bytes of potential shellcode), and several bytes of potential jumpable code after our code shifts.

    Example:
    To cause the kernel to fault using an interrupt 3 (0xCC, or hard break on Intel hardware), issue the following command against a BlackICE protected server from a Linux machine:
    xxxxxxxxx (x-out by forum admin)

    We have verified operations on Win2k Server and Professional, and are currently finishing a pure kmode exploit to allow an attacker to manipulate the kernel and execute arbitrary code within the kernel context. We will not be publishing this exploit. This alert contains enough technical details within it to show that indeed we are overflowing and hitting our interrupt 0xCC, which shows were able to jump and execute our code of choice.

    Again, this is not simply a Denial of Service attack. If you're running a vulnerable version of BlackICE, then you're vulnerable to a remote kernel level compromise fom which remote attacks can execute arbitrary code.

    SecurityFocus.com has also created a threat analysis of the BlackICE vulnerabilities. For more information visit the ARIS Threat Management System at http://tms.securityfocus.com/.

    Vendor Status:
    ISS has released a patch for this buffer overflow vulnerability. You can find out more information about the patch from here: http://www.iss.net/support/consumer/BI_downloads.php

    Credit:
    Matt Taylor (quisit@quest.net), Ryan Permeh, Riley Hassell

    Greetings:
    The guys and gal in Washington.

    Copyright (c) 1998-2001 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

    Disclaimer
    The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

    Feedback
    Please send suggestions, updates, and comments to:

    eEye Digital Security
    http://www.eEye.com
    info@eEye.com

    -------

    source: www.eeye.com

    regards.

    paul
     
  2. danielrm26

    danielrm26 Registered Member

    Joined:
    Feb 11, 2002
    Posts:
    3
    Location:
    USA
    The fix...

    Ok, this is pretty serious now.

    Let me just confirm that the blocking of ICMP via manually editing the .ini file will still solve the problem, right?
     
  3. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Re: The fix...

    That is confirmed to solve at least the overflow problem.

    I have not received confirmation on whether or not it solves the other (more serious) problem. It would seem as though it would (from what the bulletin says).
     
  4. roberteyewhy

    roberteyewhy Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    1
    Doesn't fix the issue with XP pro and Norton Personal Firewall 2002.  Entered the appropriate lines in the .ini files (startup. sleep = 30, etc) as per tech support and Yahoo/GRC forums with sporadic results (occasional BSOD and BI stopping whenever).  Have it on a Laptop with XP pro and ZoneAlarm Pro with absolutely no problems.  Running it on a W2K machine with ZA with no problems also.  Must just be with Norton as they did have problems with Norton Antivirus also.  And, may not be XP specific too.  Doesn't hurt me much as behind a Linksys also.  I'll just wait for ZA pro 3 and/or when Kerio or Tiny finalizes their firewall's as never had a problem with Norton running with Tiny or ZA.
     
  5. danielrm26

    danielrm26 Registered Member

    Joined:
    Feb 11, 2002
    Posts:
    3
    Location:
    USA
    They just posted a patch...

    Hey, guys...

    There is a patch on the ISS site now.

    Here is the link:

    http://update.networkice.com/scripts/bidpatchb.exe
     
  6. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    More to firewalls than just stealthing...hmmmm.
     
Thread Status:
Not open for further replies.