Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Hacking Techniques :: blackibo.htm

BlackICE Defender 1.2 can fail to block Back Orifice traffic BKI:



Vulnerability

    BlackICE

Affected

    BlackICE Defender 1.2

Description

    Mike DeMaria  found following  against BlackICE  Defender 2.1  (by
    Network ICE Corp.) and older versions configured at security level
    NERVOUS or lower.   Also vulnerable is  BlackICE Pro Agent  2.0.23
    (by Network ICE Corp.)  and older versions configured  at security
    level NERVOUS or lower.

    At  security  level  NERVOUS  or  lower,  BlackICE  and  the  host
    protected by  BlackICE are  vulnerable to  Back Orifice  (BO) 1.2.
    Recall that BO 1.2 uses UDP as a client-server transport protocol,
    and the BO  server uses a  high UDP port,  by default, to  run its
    service.  BlackICE configured  at NERVOUS security level  or below
    does not block the high UDP ports.

    If a BO  1.2 server infects  a host and  that BO server  runs at a
    high UDP  port (1024  or higher),  then BlackICE  set to  security
    level NERVOUS or below  will not be able  to fully protect a  host
    from  BO  client-transmitted  commands  because  at  least  one BO
    command will get through before the automated BlackICE  protection
    engine kicks in.  As such, the BO infected and  BlackICE-protected
    host is  vulnerable to  almost any  commands a  BO 1.2  client can
    issue.

    Pre 2.1 versions  of BlackICE (where  auto-IP address blocking  is
    available,  but   auto-port  blocking   is  not   available)   are
    vulnerable  to  being  shutdown  by  a  BO  server controlled by a
    remote BO  client if  the cracker  has access  to two different IP
    addresses.

    To reproduce  this vulnerability  you need  BlackICE on  a Windows
    95/98/NT/2000  system  infected  it  with  a  BO  1.2 server.  The
    BlackICE security level must be set to Nervous or lower.

    From another machine, run the BO  1.2 client and issue one of  the
    many commands available to  it against the host  running BlackICE.
    You will notice that  after a few seconds,  the BO 1.2 client  has
    been IP address-blocked by  BlackICE (on BlackICE Defender  2.1 or
    newer, an auto-port  block also kicks  in), but the  BO command is
    executed on the target system  and a response transmitted back  to
    the  client.   Note  that  BlackICE  will  detect the Back Orifice
    response; this is what triggers the auto blocking countermeasures.

    If you are running pre-2.1 BlackICE, then you have the ability  to
    shutdown the BlackICE  engine.  You  can do this  by issuing a  BO
    command that will  return a process  list from the  infected host.
    Although the first  BO client host  will be IP  address-blocked by
    BlackICE, another BO client on a different IP address can use  the
    returned  information  collected  from  the  first  BO  client  to
    determine the  process ID  of blackd.exe  (the BlackICE protection
    and detection engine)  and send a  kill process command  to the BO
    server running on the target host.

    BlackICE  has  four  main  security  levels.   Trusting,  Caution,
    Nervous, Paranoid.   At paranoid level,  all incoming TCP  and UDP
    are blocked.  The vulnerability  I found does not happen  when you
    set the security to paranoid.    However, this may interfere  with
    some  internet  programs,  so  many  users  may  want to set it to
    Nervous or lower.  BlackICE  defender and agent are suppose  to do
    real  time  intrusion  detection.   To  it's  credit, BlackICE did
    detect a Back Orifice 1.20  attack.  However, it catches  it after
    the fact, allowing a few response packets to be transmitted.

    Using BlackICE  2.0.23, Mike  was able  to issue  one BO  command,
    "proclist".   This gave  him the  list of  processes running.   He
    looked for  the blackd.exe  process ID.   By this  point in  time,
    BlackICE shuns  your IP  address.   So changing  IP and  issuing a
    prockill command  on the  blackd.exe PID,  will kill  the firewall
    completely and  take over  the machine.   Mike also  noticed that,
    when he tried  on a different  machine, he was  able to issue  the
    "dir" command about 4 times before it shunned his IP address.   It
    should  be  fairly  simple  to  create  a  simple  script  to do a
    proclist,  grep  for  blackd.exe,  and  kill  the PID all within a
    second or two.

    BlackICE defender 2.1 automatically shuns not only the IP, but the
    port when it detects  a BO attack.   However, once again, this  is
    only after the fact.  One  could issue between 1 to 5  BO commands
    by hand before  BlackICE detects it.   You could perform  the same
    vulnerability as done above by either 1) running two back  orifice
    servers on the victim, or 2) type fast enough, perferrably with  a
    script.  Mike  used the two  server method, and  was able to  kill
    the firewall completely.   Either way, if  you wish to  annoy, you
    can always type the lockup or reboot BO command.

    The issue  here is  not the  quantity of  BO commands,  but speed.
    BlackICE will detect a BO attack if you send it just one  command.
    The problem is, there is a  few second delay, which opens up  this
    hole.   Please note  that this  problem does  not exist  with BO2K
    (which  tries  to  make  a  connection  to  the host machine first
    before allowing commands to be executed).

Solution

    BlackICE Defender 2.1  (by Network ICE  Corp.) and older  versions
    configured  at  security  level  PARANOID  and  BlackICE Pro Agent
    2.0.23 (by  Network ICE  Corp.) and  older versions  configured at
    security level PARANOID.

    If  you  don't  have  anti-virus  software  on  your  machine, and
    BlackICE detects  a Back  Orifice response,  then your  machine is
    infected  by  BO.   Immediately  set  your  protection  level   to
    PARANOID.  This will break any communication between the BO client
    and server.   Better yet, simply  set the BlackICE  security level
    to PARANOID before BlackICE detects such an event.  The BO  client
    will never  be able  to go  through the  BlackICE firewall.   This
    solution will work regardless of  the version of BlackICE you  are
    using.

    If you are  running on Windows  NT or 2000,  your system will  not
    likely be infected by BO if you use a non-admin account to do your
    day to  day work  on the  system.   This means  that you  will not
    expose BlackICE to the vulnerability presented by BO 1.2.  If  you
    are running on Win  95 or 98, and  for some reason you  prefer not
    to set your security level  to PARANOID, then use anti-virus  as a
    measure to prevent your system and BlackICE from being exposed  to
    this vulnerability.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH