RE: Vulnerability in Black ICE Defender

From: Chris Paget (
Date: 02/05/02

From: "Chris Paget" <>
To: "Matt Taylor" <>, <>
Date: Tue, 5 Feb 2002 15:34:30 -0000

This email contains the results of my preliminary testing on this issue.

This issue has been replicated when either sending or receiving 10,000-byte
ping packets when running Black Ice Defender, latest version (2.9.cap). In
both cases, a kernel-mode exception was triggered, causing a BSOD. The
circumstances differ depending on whether the machine was sending or
receiving the packets.

When the sender of the flood is running BID, the machine quickly suffers a
BSOD, exception 0x1E, in blackdrv.sys. Exception 0x1E occurs when a
kernel-mode exception is not handled, indicating poor coding practice or
insufficient testing within a kernel-mode driver.

When a machine running BID is the recipient of the flood, a different
kernel-mode exception is seen, again in blackd.sys. STOP 0xD1 indicates
that a driver has tried to access pageable or non-existent memory while the
process IRQL was high. In at least one instance, the fault was generated by
an attempted write to address 0x0 - a common error when coding in C++.

Several points to note about this issue:

1) A 10,000-byte PING flood requires a lot of bandwidth. This attack has
not been observed to be successful when using a bandwidth of less than
500kbit/sec (in each direction - that's 1mbit/sec of half-duplex traffic).
This may affect cable modem users, but is unlikely to affect dial-up users.

2) Nothing is logged by Black Ice about the attack.

3) The exceptions generated are kernel-mode, and do not indicate any kind
of buffer overflow. As such, it is extremely unlikely that arbitrary code
can be executed.

4) No exceptions were observed in blackd.exe (the Black Ice service) before
the kernel-mode crash. This is a kernel-mode issue, not a user-mode one.
Again, it is unlikely that this is anything more than a DoS (albeit a fairly
nasty one).

5) As far as I can tell so far, stopping the Black Ice service eliminates
the issue; uninstalling the driver is not necessary.

<personal rant>
The machine used for this testing has been heavily stressed with a range of
applications for several months, and this was the first BSOD it has
suffered. People should not be so quick to criticise Microsoft's coding
practices when it comes to kernel-mode development; this vulnerability alone
shows how a common piece of software can bring any OS to its knees through a
flawed kernel-mode driver. Those who say that Windows is unstable should
learn how to debug a crashdump and find out for themselves what is truly to


Chris Paget
Security Consultant
Defcom Internet Security UK
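A detection heuristic built from the observations above (oversized ICMP echo datagrams, sustained at roughly 500 kbit/s or more in one direction, and nothing logged by the product itself), written as an added example that is not part of this thread or of the vendor's software; the record format "ts src dst proto len", the "icmp-echo" label and the sample records are constructed for illustration:

```python
from collections import defaultdict

# From the report: the crash was only observed at >= 500 kbit/s of oversized
# echo traffic in one direction, so that is the alerting threshold here.
RATE_THRESHOLD_BPS = 500_000
# Any IP datagram above the 1500-byte Ethernet MTU is fragmented on the wire;
# the report used ~10,000-byte pings, so 1500 is used as the "oversized" floor.
OVERSIZE_BYTES = 1500


def parse_record(line):
    """Parse one constructed flow record: 'ts src dst proto datagram_len'."""
    ts, src, dst, proto, length = line.split()
    return float(ts), src, dst, proto, int(length)


def detect_oversized_icmp_flood(lines, window=1.0,
                                rate_bps=RATE_THRESHOLD_BPS,
                                min_len=OVERSIZE_BYTES):
    """Return {(src, dst): peak_bits_per_second} for every peer pair whose
    oversized ICMP echo traffic reaches rate_bps inside any single window."""
    # (src, dst) -> window index -> bytes of oversized echo traffic
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, dst, proto, length = parse_record(line)
        if proto != "icmp-echo" or length < min_len:
            continue  # normal-sized pings and other traffic are ignored
        buckets[(src, dst)][int(ts // window)] += length
    alerts = {}
    for pair, per_window in buckets.items():
        peak = max(per_window.values()) * 8 / window  # bytes -> bits/sec
        if peak >= rate_bps:
            alerts[pair] = peak
    return alerts


# Constructed sample records (hypothetical hosts, not from the report).
SAMPLE_RECORDS = [
    # ten 10,000-byte echo requests within one second = 800 kbit/s: alert
    *(f"100.{i} 10.0.0.2 10.0.0.1 icmp-echo 10000" for i in range(10)),
    # ordinary 64-byte pings from another host: ignored
    *(f"100.{i} 10.0.0.3 10.0.0.1 icmp-echo 64" for i in range(5)),
    # three oversized pings in one second = 240 kbit/s: below threshold
    *(f"101.{i} 10.0.0.4 10.0.0.1 icmp-echo 10000" for i in range(3)),
]

if __name__ == "__main__":
    for (src, dst), bps in detect_oversized_icmp_flood(SAMPLE_RECORDS).items():
        print(f"oversized ICMP echo flood {src} -> {dst}: {bps / 1000:.0f} kbit/s")
```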

-----Original Message-----
From: Matt Taylor []
Sent: 04 February 2002 04:27
To:
Subject: Vulnerability in Black ICE Defender

The current version of BlackICE Defender (2.9.caq and 2.9.cap) running on a Windows 2000 machine can be remotely crashed using a very basic ping flood. This has been tested with Divine Intervention 2 & 3, Sisoft Sandra Network (LAN) benchmark. Setting the packet size to about 10,000 bytes causes a Blue Screen of Death (or immediate system reboot). After extensive correspondence with ISS support they basically told me they'd "look into it." They have not responded since 12/21/01 and their newest patch 2.9.caq (released after) does not address this issue. More details available if requested.

Matt Taylor