ALERT: ISS BlackICE Kernel Overflow Exploitable
Release Date:
February 8, 2002
Severity:
High
Vendor:
Internet Security Systems
Systems Affected:
BlackICE Defender 2.9
BlackICE Defender for Server 2.9
BlackICE Agent for Workstation 3.0 and 3.1
BlackICE Agent for Server 3.0 and 3.1
RealSecure Server Sensor 6.0.1 and 6.5
Overview:
This is an eEye Digital Security Alert. This is not an Advisory as we did not initially discover this vulnerability. We did, however, provide further research and the following are our findings.
A few days ago, Matt Taylor (quisit@quest.net) (http://www.securityfocus.com/archive/1/253997) posted to several security mailing lists stating that BlackICE was vulnerable to a Denial of Service attack that could result in the BlackICE service crashing and/or blue screening the remote system. There was various talk on mailing lists about the "Denial of Service" attack and what other versions it affected.
The day after Matt posted his DoS attack against BlackICE to various mailing lists, ISS (Makers of BlackICE) then posted a security advisory to notify clients of the new vulnerability, and provided a work-around until the patch is released. ISS's advisory also described the vulnerability as a Denial of Service attack.
Technical Details:
As of yet we have not seen anyone produce accurate technical information about the "Denial of Service" vulnerability. Ryan Permeh and Riley Hassell, however, conducted research recently that shows the BlackICE "Denial of Service" vulnerability is in fact an exploitable buffer overflow, therefore allowing anyone to remotely compromise users of BlackICE (and potentially RealSecure Server Sensor).
The research was done against BlackICE Defender 2.9 with a blackice.exe of 3.1.10. We are not sure if the other variants of BlackICE or RealSecure are also exploitable. However, since they are all vulnerable to the same Denial of Service attack we would assume that they are also exploitable.
The BlackICE buffer overflow exposes a significant flaw that will allow an attacker to execute code within the kernel context. Our testing has shown that by sending only a handful of large ICMP echo request packets (16 60k packets, although it looks like packet size is not important as long as it fragments), we get the kernel to return directly into our ICMP payload.
Our testing has shown that we have a significant amount of space to work with in our payload, allowing a large number of exploit scenarios. This can include, but is not limited to, trojaning the NT kernel.
The code gets executed within 0xF5XXXXXX, meaning we are clearly within kernel memory space. We have a pointer to more of our code within EBX (roughly 60,000 bytes of potential shellcode), and several bytes of potential jumpable code after our code shifts.
Example:
To cause the kernel to fault using an interrupt 3 (0xCC, or hard break on Intel hardware), issue the following command against a BlackICE protected server from a Linux machine:
ping -s 60000 -c 16 -p CC 1.1.1.1
We have verified operations on Win2k Server and Professional, and are currently finishing a pure kmode exploit to allow an attacker to manipulate the kernel and execute arbitrary code within the kernel context. We will not be publishing this exploit. This alert contains enough technical details within it to show that indeed we are overflowing and hitting our interrupt 0xCC, which shows we were able to jump and execute our code of choice.
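The trigger described above (a burst of large ICMP echo requests that fragment on the wire) has a simple network-visible signature that a sensor in front of BlackICE hosts can watch for while the patch is rolled out. The following is an added example, not eEye's or ISS's code: it builds IPv4/ICMP fragments in memory (no network access), runs a small fragment tracker over them, and raises an alert when one source completes a burst of fragmented echo requests whose reassembled length is far above any normal ping. The thresholds MIN_DATAGRAM_BYTES and BURST, the 1500-byte MTU and the addresses are assumptions chosen for the example, not values from the advisory.

```python
import struct
from collections import defaultdict

IP_HDR_LEN = 20             # headers without options, both when building and parsing
ETH_MTU = 1500              # assumed link MTU for the constructed traffic
ICMP_ECHO_REQUEST = 8
MIN_DATAGRAM_BYTES = 8000   # assumed: reassembled ICMP length that counts as "large"
BURST = 16                  # assumed: large fragmented echo requests per source before alerting


def build_fragments(src, dst, ip_id, payload_len, mtu=ETH_MTU, fill=b"\x00"):
    """Constructed test data: the IPv4 fragments that an ICMP echo request carrying
    payload_len bytes would be split into at the given MTU (checksums left zero;
    the detector does not validate them)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + fill * payload_len
    max_data = ((mtu - IP_HDR_LEN) // 8) * 8   # all but the last fragment carry a multiple of 8 bytes
    frags, offset = [], 0
    while offset < len(icmp):
        chunk = icmp[offset:offset + max_data]
        more = offset + len(chunk) < len(icmp)
        flags_frag = (0x2000 if more else 0) | (offset // 8)   # MF flag | 13-bit offset in 8-byte units
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(chunk), ip_id,
                          flags_frag, 64, 1, 0, src, dst)
        frags.append(hdr + chunk)
        offset += len(chunk)
    return frags


def parse_ipv4(pkt):
    """Minimal IPv4 header parser returning only the fields the detector needs."""
    ver_ihl, _tos, total_len, ip_id, flags_frag, _ttl, proto, _ck, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": src, "dst": dst, "id": ip_id, "proto": proto,
        "mf": bool(flags_frag & 0x2000),      # More Fragments flag
        "off": (flags_frag & 0x1FFF) * 8,     # fragment offset in bytes
        "data": pkt[ihl:total_len],
    }


class FragmentedIcmpDetector:
    """Tracks in-flight ICMP fragments per (src, dst, id) and counts, per source,
    reassembled echo requests of at least min_bytes; fragments may arrive in any order."""

    def __init__(self, min_bytes=MIN_DATAGRAM_BYTES, burst=BURST):
        self.min_bytes, self.burst = min_bytes, burst
        self.pending = {}               # (src, dst, id) -> {"type", "end", "last_seen"}
        self.large = defaultdict(int)   # src -> count of large fragmented echo requests
        self.alerts = []

    def feed(self, pkt):
        h = parse_ipv4(pkt)
        if h["proto"] != 1 or not (h["mf"] or h["off"] > 0):
            return None                 # not ICMP, or an unfragmented datagram
        key = (h["src"], h["dst"], h["id"])
        e = self.pending.setdefault(key, {"type": None, "end": 0, "last_seen": False})
        if h["off"] == 0 and h["data"]:
            e["type"] = h["data"][0]    # the ICMP type lives in the first fragment
        e["end"] = max(e["end"], h["off"] + len(h["data"]))
        if not h["mf"]:
            e["last_seen"] = True       # the last fragment fixes the total length
        if e["type"] is None or not e["last_seen"]:
            return None                 # still waiting for the first or the last fragment
        self.pending.pop(key)
        if e["type"] == ICMP_ECHO_REQUEST and e["end"] >= self.min_bytes:
            self.large[h["src"]] += 1
            if self.large[h["src"]] == self.burst:
                alert = (h["src"], self.large[h["src"]])
                self.alerts.append(alert)
                return alert
        return None


def scan(packets):
    """Run the detector over a packet list; returns (alerts, per-source large counts)."""
    det = FragmentedIcmpDetector()
    for p in packets:
        det.feed(p)
    return det.alerts, dict(det.large)


def sample_traffic():
    """Constructed traffic: 16 fragmented 60000-byte echo requests from one host (the
    pattern the alert describes), plus a 2000-byte fragmented ping and a normal
    56-byte ping from another host that must not be flagged."""
    noisy, quiet, target = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 6]), bytes([10, 0, 0, 9])
    pkts = []
    for i in range(16):
        pkts += build_fragments(noisy, target, 0x1000 + i, 60000)
    pkts += build_fragments(quiet, target, 0x2000, 2000)
    pkts += build_fragments(quiet, target, 0x2001, 56)
    return pkts


if __name__ == "__main__":
    alerts, _counts = scan(sample_traffic())
    for src, n in alerts:
        print("ALERT %s: %d fragmented ICMP echo requests >= %d bytes"
              % (".".join(map(str, src)), n, MIN_DATAGRAM_BYTES))
```

The detector keys on the reassembled length rather than on the payload byte, so it is not tied to the 0xCC fill used in the ping command above; a sensor should treat any burst of multi-fragment echo requests of this size to a protected host as suspicious, and the per-source count gives a natural place to rate-limit or block.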
Again, this is not simply a Denial of Service attack. If you're running a vulnerable version of BlackICE, then you're vulnerable to a remote kernel level compromise from which remote attackers can execute arbitrary code.
SecurityFocus.com has also created a threat analysis of the BlackICE vulnerabilities. For more information visit the ARIS Threat Management System at http://tms.securityfocus.com/.
Vendor Status:
ISS has released a patch for this buffer overflow vulnerability. You can find out more information about the patch from here: http://www.iss.net/support/consumer/BI_downloads.php
Credit:
Matt Taylor (quisit@quest.net), Ryan Permeh, Riley Hassell
Greetings:
The guys and gal in Washington.
Copyright (c) 1998-2009 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
