Re: DoS Vulnerability found in ISS BlackICE Defender
From: dr.kaos (dr.kaos@kaos.to)
Date: 02/06/02
From: dr.kaos <dr.kaos@kaos.to>
To: "Riley Hassell" <rhassell@eeye.com>, "'Robert Graham'" <robert_david_graham@yahoo.com>, "'Jensenne Roculan'" <jroculan@securityfocus.com>, "'Fernando Martins'" <fernando.martins@esoterica.pt>
Date: Wed, 6 Feb 2002 17:13:54 -0500
On Wednesday 06 February 2002 03:58 pm, Riley Hassell wrote:
> Is this exploitable?
I assume that most on this list also subscribe to bugtraq; if so, sorry to
span lists, but just in case you haven't yet seen this:
---------- Forwarded Message ----------
Subject: RE: Black ICE Ping Vulnerability Side Note
Date: Wed, 6 Feb 2002 15:16:36 -0500
From: "Keith T. Morgan" <keith.morgan@terradon.com>
To: "Stoic forty-four" <stoic44@yahoo.com>
Cc: <bugtraq@securityfocus.com>, <vuln-dev@securitfocus.com>
Verified. I set BID (without ICE CAP) to its paranoid setting, then did the
following:
root@stonegate:/var/log# ping -f -s 65000 -c 4000 192.168.x.x
PING 192.168.x.x (192.168.x.x): 65000 data bytes
.............................................................................
...............................................................
--- 192.168.x.x ping statistics ---
4310 packets transmitted, 4000 packets received, 7% packet loss
round-trip min/avg/max = 15.1/22.7/337.7 ms
root@stonegate:/var/log# telnet 192.168.x.x 5900
Trying 192.168.x.x...
Connected to 192.168.x.x.
Escape character is '^]'.
RFB 003.003
The system tray icon for BID switched to the blue eyeball shield with the red
diagonal slash. Service stopped. I was able to connect to the VNC port.
-----Original Message-----
From: Stoic forty-four [mailto:stoic44@yahoo.com]
Sent: Wednesday, February 06, 2002 12:25 PM
To: bugtraq@securityfocus.com
Subject: Black ICE Ping Vulnerability Side Note
When attempting to replicate the ping vulnerability
discovered by Matt Taylor a different outcome was
discovered. Rather than the large ping causing the
server to blue screen and/or hang the black ice
service was actually stopped thus allowing an intruder
to gain access to the host.
Testing consisted of Black ICE Agent version 3.1eaj
generated and deployed by ICE CAP version 3.1. The
agent was installed on a Dell 6450 running Windows
2000 SP2 and was running WinVNC 3.3 server in
application mode. The Black ICE agent generated was
set to use the Paranoid setting in order to prevent
any inbound connections. Using VNC viewer from my
desktop, I attempted to connect to the VNC server
running on the Dell and was blocked. I then issued the
command ping -l 65000 -t X.X.X.X, waited 5 seconds,
and attempted to connect to the VNC server again and
was successful. Upon connecting to the VNC server and
gaining access to the desktop, a Black ICE pop up
window appeared stating that the Black ICE service has
stopped would you like to start it? I chose to start
the service again which was successful but did not
disconnect my VNC session and as mentioned before did
not leave any logs in Black ICE showing anything had
occurred.
This information would more than likely affect
Enterprises that have deployed Black ICE agents and
have ICE CAP infrastructure deployed to manage them. I
would like to know if anyone else is able to replicate
this.
Brandon Young