Bugtraq mailing list archives
Re: BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2
From: demaria () NAND NET (Mike DeMaria)
Date: Wed, 21 Jun 2000 10:45:18 -0400
I would like to expand on this vulnerability I found. BlackICE has four main security levels: Trusting, Caution, Nervous, Paranoid. At Paranoid level, all incoming TCP and UDP are blocked. The vulnerability I found does not happen when you set the security to Paranoid. However, this may interfere with some internet programs, so many users may want to set it to Nervous or lower.

BlackICE Defender and Agent are supposed to do real-time intrusion detection. To its credit, BlackICE did detect a Back Orifice 1.20 attack. However, it catches it after the fact, allowing a few response packets to be transmitted. Using BlackICE 2.0.23, I was able to issue one BO command, "proclist". This gave me the list of processes running. I looked for the blackd.exe process ID. By this point in time, BlackICE shuns my IP address. So I changed my IP and issued a prockill command on the blackd.exe PID, killing the firewall completely and taking over the machine. I also noticed that, when I tried on a different machine, I was able to issue the "dir" command about 4 times before it shunned my IP address. It should be fairly simple to create a simple script to do a proclist, grep for blackd.exe, and kill the PID all within a second or two.

BlackICE Defender 2.1 automatically shuns not only the IP, but the port when it detects a BO attack. However, once again, this is only after the fact. I could issue between 1 to 5 BO commands by hand before BlackICE detects it. You could perform the same vulnerability as done above by either 1) running two Back Orifice servers on the victim, or 2) typing fast enough, preferably with a script. I used the two-server method, and was able to kill the firewall completely. Either way, if you wish to annoy, you can always type the lockup or reboot BO command. The issue here is not the quantity of BO commands, but speed. BlackICE will detect a BO attack if you send it just one command. The problem is, there is a few seconds' delay, which opens up this hole.

Please note that this problem does not exist with BO2K (which tries to make a connection to the host machine first before allowing commands to be executed), and I have not tried it with other UDP-based trojans. Remember, Back Orifice 1.20 (the original one) can run on any UDP port, high or low. To protect yourself, you must either set security to Paranoid (block all incoming TCP and UDP ports), or catch it with anti-virus software.

Mike DeMaria
System Administrator of Client Services
nand.net internet services
> Date: Tue, 20 Jun 2000 15:30:22 -0700
> From: Juancho Forlanda <juancho () NETWORKICE COM>
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2
>
> Vulnerable Applications
> -----------------------
> BlackICE Defender 2.1 (by Network ICE Corp.) and older versions configured at security level NERVOUS or lower
> BlackICE Pro Agent 2.0.23 (by Network ICE Corp.) and older versions configured at security level NERVOUS or lower
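The point of the thread is that a detect-then-shun product lets packets through for as long as its detection latency, and that shunning only the source IP is weaker than shunning the IP and the port, while blocking all inbound traffic (the Paranoid level) is the only setting that lets nothing through. The following added example, which is not from the original post or from Network ICE, models those three response policies over a constructed packet trace so a defender can compare them quantitatively. The latency values, addresses and port are assumptions chosen for illustration, not measurements of BlackICE.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One inbound UDP datagram in the constructed trace."""
    t: float        # arrival time in seconds
    src_ip: str
    dst_port: int


class DelayedShunFirewall:
    """Models a detect-then-shun host firewall.

    A suspicious packet is delivered immediately; the detector only
    reacts `latency` seconds later, at which point the source IP (and,
    if `shun_port` is set, the destination port) is blocked.  With
    `block_all` the product behaves like the Paranoid level: every
    inbound packet is dropped regardless of detection.
    """

    def __init__(self, latency: float, shun_port: bool = False, block_all: bool = False):
        self.latency = latency
        self.shun_port = shun_port
        self.block_all = block_all
        self.shunned_ips: set[str] = set()
        self.shunned_ports: set[int] = set()
        self.pending: list[tuple[float, str, int]] = []  # (detect_time, ip, port)

    def _apply_matured_detections(self, now: float) -> None:
        still_pending = []
        for detect_time, ip, port in self.pending:
            if detect_time <= now:
                self.shunned_ips.add(ip)
                if self.shun_port:
                    self.shunned_ports.add(port)
            else:
                still_pending.append((detect_time, ip, port))
        self.pending = still_pending

    def handle(self, pkt: Packet) -> bool:
        """Return True if the packet reaches the service, False if dropped."""
        self._apply_matured_detections(pkt.t)
        if self.block_all:
            return False
        if pkt.src_ip in self.shunned_ips or pkt.dst_port in self.shunned_ports:
            return False
        # Delivered now; the detector will only act `latency` seconds later.
        self.pending.append((pkt.t + self.latency, pkt.src_ip, pkt.dst_port))
        return True


def delivered_count(packets: list[Packet], fw: DelayedShunFirewall) -> int:
    """Number of packets in the trace that reached the service."""
    return sum(1 for p in packets if fw.handle(p))


def constructed_trace() -> list[Packet]:
    """Constructed sample: one source sends a command every 0.5 s for 3 s to
    an assumed port 31337, then the same operator reappears from a second
    address at t=4 s and sends three more.  Addresses are placeholders."""
    first = [Packet(0.5 * i, "10.0.0.5", 31337) for i in range(7)]   # t = 0.0 .. 3.0
    second = [Packet(4.0 + 0.5 * i, "10.0.0.6", 31337) for i in range(3)]  # t = 4.0 .. 5.0
    return first + second


def compare_policies(latency: float) -> dict[str, int]:
    """Packets delivered under each response policy for a given detection latency."""
    trace = constructed_trace()
    return {
        "shun_ip": delivered_count(trace, DelayedShunFirewall(latency)),
        "shun_ip_and_port": delivered_count(trace, DelayedShunFirewall(latency, shun_port=True)),
        "block_all": delivered_count(trace, DelayedShunFirewall(latency, block_all=True)),
    }


if __name__ == "__main__":
    for latency in (2.0, 0.0):
        print(f"latency={latency}s:", compare_policies(latency))
```

With an assumed two-second latency the IP-only policy delivers seven packets (four before the first shun, three more from the second address), adding the port to the shun cuts that to four, and only block-all delivers none. Even with zero latency the detect-then-shun model still delivers the first packet from each source, which is why the post's recommendation is the Paranoid level rather than faster detection.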