ALERT: ISS BlackICE Kernel Overflow Exploitable

From: Marc Maiffret (marcat_private)
Date: Fri Feb 08 2002 - 16:30:04 PST


    ALERT: ISS BlackICE Kernel Overflow Exploitable
    
    Release Date:
    February 8, 2002
    
    Severity:
    High
    
    Systems Affected:
    BlackICE Defender 2.9
    BlackICE Defender for Server 2.9
    BlackICE Agent for Workstation 3.0 and 3.1
    BlackICE Agent for Server 3.0 and 3.1
    RealSecure Server Sensor 6.0.1 and 6.5
    
    Description:
    This is an eEye Digital Security Alert. This is not an eEye Digital Security
    Advisory, as we did not initially discover this vulnerability. We did, however,
    provide further research, and the following are our findings.
    
    A few days ago Matt Taylor <quisitat_private>
    (http://www.securityfocus.com/archive/1/253997) posted to several security
    mailing lists stating that BlackICE was vulnerable to a Denial of Service
    attack that could result in the BlackICE service crashing and/or blue
    screens on the remote system. There was much discussion on mailing lists about
    the "Denial of Service" attack and which other versions it affected.
    
    The day after Matt posted his DoS attack against BlackICE to various mailing
    lists, ISS (makers of BlackICE) posted their own security advisory to
    notify clients of the new vulnerability and of a workaround until a patch is
    released. ISS's advisory also described the vulnerability as a denial of
    service attack.
    
    As of yet we have not seen anyone produce accurate technical information about
    the "Denial of Service" vulnerability. Ryan Permeh and Riley Hassell, however,
    recently conducted research that shows the BlackICE "Denial of Service"
    vulnerability is in fact an exploitable buffer overflow, therefore allowing
    anyone to remotely compromise users of BlackICE and potentially RealSecure
    Server Sensor.
    
    The research was done against BlackICE Defender 2.9 with a blackice.exe of
    3.1.10. We are not sure if the other variants of BlackICE or RealSecure are
    also exploitable. However, since they are all vulnerable to the same "denial
    of service" attack we would assume that they are also exploitable.
    
    The BlackICE buffer overflow exposes a significant flaw that will allow an
    attacker to execute code within the kernel context. Our testing has shown
    that by sending only a handful of large ICMP echo request packets (16 60k
    packets, although it looks like packet size is not important as long as it
    fragments), we get the kernel to return directly into our ICMP payload.
    Our testing has shown that we have a significant amount of space to work
    with in our payload, allowing a large number of exploit scenarios. This can
    include, but is not limited to, trojaning the NT kernel.
    
    The code gets executed within 0xF5XXXXXX, meaning we are clearly within
    kernel memory space at this point. We have a pointer to more of our code
    within EBX (roughly 60,000 bytes of potential shellcode), and several bytes
    of potential jumpable code after our code shifts.
    
    Example:
    To cause the kernel to fault using an interrupt 3 (0xCC, or hard break on
    Intel hardware), issue the following command against a BlackICE protected
    server from a Linux machine.
    ping -s 60000 -c 16 -p CC 1.1.1.1
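
    From the defender's side, the traffic pattern above (a burst of ICMP echo requests large enough to fragment) is easy to recognise on the wire. The following is an added example, not part of the eEye alert, of a small fragment tracker that parses raw IPv4 packets and flags each echo request whose fragments reassemble beyond an assumed 1500-byte threshold; the sample packets it replays are constructed inline with zeroed checksums.

```python
import struct
from collections import defaultdict
ICMP_PROTO, ICMP_ECHO_REQUEST = 1, 8

def parse_ipv4(pkt: bytes) -> dict:
    """Pull the IPv4 header fields needed to track fragments out of a raw packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    return {"src": pkt[12:16], "dst": pkt[16:20], "id": ident, "proto": proto,
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}

class FragmentedIcmpDetector:
    """Flag ICMP echo requests whose reassembled size exceeds max_bytes (assumed threshold)."""
    def __init__(self, max_bytes: int = 1500):
        self.max_bytes = max_bytes
        self.datagrams = defaultdict(lambda: {"bytes": 0, "echo": False, "flagged": False})
        self.per_source = defaultdict(int)
    def feed(self, pkt: bytes):
        """Consume one raw IPv4 packet (fragments in any order); return an alert or None."""
        ip = parse_ipv4(pkt)
        if ip["proto"] != ICMP_PROTO:
            return None
        d = self.datagrams[(ip["src"], ip["dst"], ip["id"])]
        if ip["offset"] == 0 and ip["payload"][:1] == bytes([ICMP_ECHO_REQUEST]):
            d["echo"] = True  # only the first fragment carries the ICMP header
        d["bytes"] = max(d["bytes"], ip["offset"] + len(ip["payload"]))
        if d["echo"] and d["bytes"] > self.max_bytes and not d["flagged"]:
            d["flagged"] = True
            self.per_source[ip["src"]] += 1
            src = ".".join(map(str, ip["src"]))
            return f"{src}: ICMP echo request fragments reassemble to at least {d['bytes']} bytes (#{self.per_source[ip['src']]} from this source)"
        return None

def build_fragments(src: bytes, dst: bytes, ident: int, data_len: int, mtu: int = 1500):
    """Constructed sample input: IPv4 fragments of one echo request (checksums left zero)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, ident) + b"\x00" * data_len
    frags, step = [], ((mtu - 20) // 8) * 8
    for off in range(0, len(icmp), step):
        chunk, more = icmp[off:off + step], 0x2000 if off + step < len(icmp) else 0
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          more | (off // 8), 64, ICMP_PROTO, 0, src, dst)
        frags.append(hdr + chunk)
    return frags

def detect_sample() -> list:
    """Replay 16 oversized echo requests, as in the alert, plus one ordinary 56-byte ping."""
    src, dst, det = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]), FragmentedIcmpDetector()
    packets = [f for i in range(1, 17) for f in build_fragments(src, dst, i, 6000)]
    packets += build_fragments(src, dst, 99, 56)  # fits in one packet, never flagged
    return [a for a in map(det.feed, packets) if a]
```

Each oversized datagram is reported once, as soon as enough of its fragments have been seen to exceed the threshold, so the ordinary ping at the end produces no alert.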
    
    We have verified operations on Win2k Server and Professional, and are
    currently finishing a pure kernel-mode exploit to allow an attacker to manipulate
    the kernel and execute arbitrary code within the kernel context. We will not
    be publishing this exploit. This alert contains enough technical details
    within it to show that we are indeed overflowing and hitting our interrupt
    0xCC, which shows we're able to jump to and execute our code of choice.
    
    So once again, it is not simply a denial of service attack. If you're running a
    vulnerable version of BlackICE then you're vulnerable to a remote kernel-level
    compromise in which remote attackers can execute arbitrary code.
    
    Also SecurityFocus.com has created a threat analysis of the BlackICE
    vulnerabilities. For more information visit the ARIS Threat Management
    System at http://tms.securityfocus.com/.
    
    Vendor Status:
    ISS has released a patch for this buffer overflow vulnerability. You can
    find out more information about the patch from here:
    http://www.iss.net/support/consumer/BI_downloads.php
    
    Credit: Matt Taylor <quisitat_private>, Ryan Permeh, Riley Hassell
    
    Greetings: The guys and gal in Washington.
    
    Copyright (c) 1998-2002 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alertat_private for
    permission.
    
    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.
    
    Feedback
    Please send suggestions, updates, and comments to:
    
    eEye Digital Security
    http://www.eEye.com
    infoat_private
    


