Bugtraq mailing list archives

Re: BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2


From: demaria () NAND NET (Mike DeMaria)
Date: Wed, 21 Jun 2000 10:45:18 -0400


I would like to expand on this vulnerability I found.

BlackICE has four main security levels: Trusting, Caution, Nervous,
Paranoid.  At the Paranoid level, all incoming TCP and UDP are blocked.
The vulnerability I found does not happen when you set the security to
Paranoid.  However, this may interfere with some internet programs, so
many users may want to set it to Nervous or lower.

BlackICE Defender and Agent are supposed to do real-time intrusion
detection.  To its credit, BlackICE did detect a Back Orifice 1.20
attack.  However, it catches it after the fact, allowing a few response
packets to be transmitted.

Using BlackICE 2.0.23, I was able to issue one BO command, "proclist".
This gave me the list of processes running.  I looked for the blackd.exe
process ID.  By this point in time, BlackICE had shunned my IP address.  So I
changed my IP and issued a prockill command on the blackd.exe PID, killing
the firewall completely and taking over the machine.  I also noticed that,
when I tried on a different machine, I was able to issue the "dir" command
about 4 times before it shunned my IP address.  It should be fairly simple
to create a simple script to do a proclist, grep for blackd.exe, and kill
the PID all within a second or two.

BlackICE Defender 2.1 automatically shuns not only the IP, but the port,
when it detects a BO attack.  However, once again, this is only after the
fact.  I could issue between 1 and 5 BO commands by hand before BlackICE
detected it.  You could exploit the same vulnerability as above by
either 1) running two Back Orifice servers on the victim, or 2) typing fast
enough, preferably with a script.  I used the two-server method, and was
able to kill the firewall completely.  Either way, if you wish to annoy,
you can always type the lockup or reboot BO command.

The issue here is not the quantity of BO commands, but speed.  BlackICE
will detect a BO attack if you send it just one command.  The problem is,
there is a few-second delay, which opens up this hole.  Please note that
this problem does not exist with BO2K (which tries to make a connection to
the host machine first before allowing commands to be executed), and I
have not tried it with other UDP-based trojans.  Remember, Back Orifice
1.20 (the original one) can run on any UDP port, high or low.

To protect yourself, you must either set security to paranoid (block all
incoming TCP and UDP ports), or catch it with anti-virus software.

Mike DeMaria
System Administrator of Client Services
nand.net internet services

Date: Tue, 20 Jun 2000 15:30:22 -0700
From: Juancho Forlanda <juancho () NETWORKICE COM>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2

Vulnerable Applications
-----------------------
BlackICE Defender 2.1 (by Network ICE Corp.) and older versions configured
at security level NERVOUS or lower

BlackICE Pro Agent 2.0.23 (by Network ICE Corp.) and older versions
configured at security level NERVOUS or lower

