ALERT: ISS BlackICE Kernel Overflow Exploitable

From: Marc Maiffret (marc@eeye.com)
Date: 02/09/02


From: "Marc Maiffret" <marc@eeye.com>
To: "FOCUS-IDS" <FOCUS-IDS@SECURITYFOCUS.COM>
Date: Fri, 8 Feb 2002 16:30:04 -0800

ALERT: ISS BlackICE Kernel Overflow Exploitable

Release Date:
February 8, 2002

Severity:
High

Systems Affected:
BlackICE Defender 2.9
BlackICE Defender for Server 2.9
BlackICE Agent for Workstation 3.0 and 3.1
BlackICE Agent for Server 3.0 and 3.1
RealSecure Server Sensor 6.0.1 and 6.5

Description:
This is an eEye Digital Security Alert. This is not an eEye Digital Security
Advisory as we did not initially discover this vulnerability. We did however
provide further research and the following is our findings.

A few days ago Matt Taylor <quisit@quest.net>
(http://www.securityfocus.com/archive/1/253997) posted to several security
mailing lists stating that BlackICE was vulnerable to a Denial of Service
attack that could result in the BlackICE service crashing and or blue
screens of the remote system. There was various talk on mailing lists about
the "Denial of Service" attack and what other versions it affected.

The day after Matt posted his DoS attack against BlackICE to various mailing
lists, ISS (Makers of BlackICE) then posted their security advisory to
notify clients of the new vulnerability and a work around until a patch is
released. ISS's advisory also described the vulnerability as a denial of
service attack.

As of yet we've not seen anyone produce accurate technical information about
the "Denial of Service" vulnerability. Ryan Permeh and Riley Hassell however
conducted research recently that shows the BlackICE "Denial of Service"
vulnerability is in fact an exploitable buffer overflow. Therefore allowing
anyone to remotely compromise users of BlackICE and potentially RealSecure
Server Sensor.

The research was done against BlackICE Defender 2.9 with a blackice.exe of
3.1.10. We are not sure if the other variants of BlackICE or RealSecure are
also exploitable. However, since they are all vulnerable to the same "denial
of service" attack we would assume that they are also exploitable.

The BlackICE buffer overflow exposes a significant flaw that will allow an
attacker to execute code within the kernel context. Our testing has shown
that by sending only a handful of large ICMP echo request packets (16 60k
packets, although it looks like packet size is not important as long as it
fragments), we get the kernel to return directly into our ICMP payload.
Our testing has shown that we have a significant amount of space to work
with in our payload, allowing a large number of exploit scenarios. This can
include but not limited to, trojaning the NT kernel.

The code gets executed within 0xF5XXXXXX, meaning we are clearly within
kernel memory space at this point. We have a pointer to more of our code
within EBX (roughly 60,000 bytes of potential shellcode), and several bytes
of potential jumpable code after our code shifts.

Example:
To cause the kernel to fault using an interrupt 3 (0xCC, or hard break on
Intel hardware), issue the following command against a BlackICE protected
server from a Linux machine.
ping -s 60000 -c 16 -p CC 1.1.1.1

We have verified operations on win2k server and professional, and are
currently finishing a pure kmode exploit to allow an attacker to manipulate
the kernel and execute arbitrary code within the kernel context. We will not
be publishing this exploit. This alert contains enough technical details
within it to show that indeed we are overflowing and hitting our interrupt
0xCC, which shows were able to jump and execute our code of choice.

So once again it is not simply a denial of service attack. If your running a
vulnerable version of BlackICE then your vulnerable to a remote kernel level
compromise in which remote attacks can execute arbitrary code.

Also SecurityFocus.com has created a threat analysis of the BlackICE
vulnerabilities. For more information visit the ARIS Threat Management
System at http://tms.securityfocus.com/.

Vendor Status:
ISS has released a patch for this buffer overflow vulnerability. You can
find out more information about the patch from here:
http://www.iss.net/support/consumer/BI_downloads.php

Credit: Matt Taylor <quisit@quest.net>, Ryan Permeh, Riley Hassell

Greetings: The guys and gal in Washington.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com