Bugtraq mailing list archives

BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2

From: juancho () NETWORKICE COM (Juancho Forlanda)
Date: Tue, 20 Jun 2000 15:30:22 -0700


Vulnerable Applications
-----------------------
BlackICE Defender 2.1 (by Network ICE Corp.) and older versions configured
at security level NERVOUS or lower

BlackICE Pro Agent 2.0.23 (by Network ICE Corp.) and older versions
configured at security level NERVOUS or lower

Non-Vulnerable Applications
---------------------------
BlackICE Defender 2.1 (by Network ICE Corp.) and older versions configured
at security level PARANOID

BlackICE Pro Agent 2.0.23 (by Network ICE Corp.) and older versions
configured at security level PARANOID

Vulnerability
-------------
At security level NERVOUS or lower, BlackICE and the host protected by
BlackICE are vulnerable to Back Orifice (BO) 1.2.

Recall that BO 1.2 uses UDP as a client-server transport protocol, and the
BO server uses a high UDP port, by default, to run its service.  BlackICE
configured at NERVOUS security level or below does not block the high UDP
ports.

If a BO 1.2 server infects a host and that BO server runs at a high UDP port
(1024 or higher), then  BlackICE set to security level NERVOUS or below will
not be able to fully protect a host from BO client-transmitted commands
because at least one BO command will get through before the automated
BlackICE protection engine kicks in.  As such, the BO infected and
BlackICE-protected host is vulnerable to almost any commands a BO 1.2 client
can issue.

Pre 2.1 versions of BlackICE (where auto-IP address blocking is available,
but auto-port blocking is not available) are vulnerable to being shutdown by
a BO server controlled by a remote BO client if the cracker has access to
two different IP addresses.

Reproducing the vulnerability
-----------------------------
To reproduce this vulnerability you need BlackICE on a Windows 95/98/NT/2000
system infected it with a BO 1.2 server.  The BlackICE security level must
be set to Nervous or lower.

From another machine, run the BO 1.2 client and issue one of the many

commands available to it against the host running BlackICE.  You will notice
that after a few seconds, the BO 1.2 client has been IP address-blocked by
BlackICE (on BlackICE Defender 2.1 or newer, an auto-port block also kicks
in), but the BO command is executed on the target system and a response
transmitted back to the  client.  Note that BlackICE will detect the Back
Orifice response; this is what triggers the auto blocking countermeasures.

If you are running pre-2.1 BlackICE, then you have the ability to shutdown
the BlackICE engine.  You can do this by issuing a BO command that will
return a process list from the infected host.  Although the first BO client
host will be IP address-blocked by BlackICE, another BO client on a
different IP address can use the returned information collected from the
first BO client to determine the process ID of blackd.exe (the BlackICE
protection and detection engine) and send a kill process command to the BO
server running on the target host.

Solutions, fixes, work-arounds
------------------------------
If you don't have anti-virus software on your machine, and BlackICE detects
a Back Orifice response, then your machine is infected by BO.  Immediately
set your protection level to PARANOID.  This will break any communication
between the BO client and server.

Better yet, simply set the BlackICE security level to PARANOID before
BlackICE detects such an event.  The BO client will never be able to go
through the BlackICE firewall.

This solution will work regardless of the version of BlackICE you are using.

If you are running on Windows NT or 2000, your system will not likely be
infected by BO if you use a non-admin account to do your day to day work on
the system.  This means that you will not expose BlackICE to the
vulnerability presented by BO 1.2.

If you are running on Win 95 or 98, and for some reason you prefer not to
set your security level to PARANOID, then use anti-virus as a measure to
prevent your system and BlackICE from being exposed to this vulnerability.

Credits
-------
Many thanks for the diligent work of Mike DeMaria (Network Computing) for
finding and reporting this vulnerability.

Current thread:

Re: NAI WebShield SMTP does not scan base64 encoding Fronck, Destry (Jun 20)
- Re: NAI WebShield SMTP does not scan base64 encoding chris.paget () ANALYSYS COM (Jun 20)
- BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2 Juancho Forlanda (Jun 20)
  - BEA WebLogic /file/ showcode vulnerability stuart.mcclure () FOUNDSTONE COM (Jun 20)
  - Re: BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2 Mike DeMaria (Jun 21)
- <Possible follow-ups>
- Re: NAI WebShield SMTP does not scan base64 encoding Sato, Ken (Jun 20)
  - Microsoft Security Bulletin MS00-038 Update Microsoft Product Security (Jun 20)
  - rh 6.2 - gid compromises, etc Michal Zalewski (Jun 21)
    - Immunix OS 6.2 (StackGuarded Red Hat 6.2) Crispin Cowan (Jun 21)
    - Warning regarding new kernel RPMs Joseph V Moss (Jun 21)
    - Re: Warning regarding new kernel RPMs Dave Walter (Jun 22)
    - Re: rh 6.2 - gid compromises, etc [+ MORE!!!] Stan Bubrouski (Jun 21)
    - Re: rh 6.2 - gid compromises, etc [+ MORE!!!] Wietse Venema (Jun 23)

(Thread continues...)