Secure Network Operations, Inc.
http://www.secnetops.com/research
Strategic Reconnaissance Team
research[at]secnetops[.]com

Team Lead Contact   kf[at]secnetops[.]com
Spam Contact        `rm -rf /`@snosoft.com

Our Mission:
************************************************************************

Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer. To learn more
about our company, products and services, or to request a demo of ANVIL
FCS, please visit our site at http://www.secnetops.com, or call us at:
978-263-3829

Quick Summary:
************************************************************************

Advisory Number     : SRT2004-01-17-0227
Product             : BlackICE PC Protection
Version             : <= 3.6.cbz ?
Vendor              : http://blackice.iss.net/product_pc_protection.php
Class               : Local
Criticality         : Low to Medium
Operating System(s) : Win32

Notice
************************************************************************

1-2 day Early Warning List:
---------------------------
Secure Network Operations, Inc. will very shortly have its own advisory
notification mailing list. This list will notify you of advisories 1-2
days in advance of public release to other mailing lists. To subscribe
please visit http://advisories.secnetops.com in the immediate future.

30-60 day Early Warning List:
-----------------------------
Our early warning service will notify you of new vulnerabilities 30-60
days in advance of public release. This service has been created to
protect companies by allowing them to repair security vulnerabilities
before they become public knowledge. To purchase a one year subscription
to this service please contact us at 978-263-3767.
Alert
************************************************************************

Our advisories will contain full details excluding a working Proof of
Concept. Our web page will contain our working proof of concept for the
advisory if it exists. Yes folks, this is a policy change for us. We will
exercise our own discretion in regards to delay of exploit release vs.
advisory release. List subscribers will have advance access to working
proof of concept code depending on the severity and list subscription
type.

Basic Explanation
************************************************************************

High Level Description : BlackICE allows local users to become SYSTEM.

What to do             : Enable BlackICE Application Protection or
                         upgrade.

Basic Technical Details
************************************************************************

Proof Of Concept Status : Proof of concept is attached to this advisory.

Low Level Description   :

BlackICE products provide Intrusion Detection, personal firewall, and
application protection all in one easy to use package. The technology
behind BlackICE goes beyond basic file scanning to actually monitoring
ongoing system activity and communications so that it can automatically
stop suspect activity before it can harm your system.

Based on vendor documentation BlackICE will run on the following
systems: Windows 98 (retail, SP1, Second Edition), Windows NT 4 (SP5,
SP6, SP6a), Windows 2000 (SP1, SP2, SP3), Windows Me, and Windows XP Pro
(SP1) / Home (SP1).

Please note that the suggested browser versions (Internet Explorer 5.0
or greater), depending on patch level, may aid in facilitating the attack
scenarios mentioned below. Please see
http://die.leox.com/ie_unpatched/index.html

The following text is a documentation of my personal experience with
BlackICE. This text may or may not reflect your experience with BlackICE
products.
My testing and research were done using a random copy of a BlackICE eval
(BIDEvalSetup27360.exe) that was lying around on an internal file share.
I took all defaults while installing BlackICE. After clicking next, next,
next... all the way through the install I ended up with:

Network ICE BlackICE Defender Rel 2.5.ch EVALUATION
 . blackdll.dll  version 2.5.33
 . blackdrv.sys  version 2.5.35 (for Win NT/2000)
 . blackdrv.vxd  version 2.5.34 (for Win 95/98/Me)
 . blackd.exe    version 2.5.36
 . blackice.exe  version 2.5.34

The original ini files are installed as follows. (This is a GOOD thing)

Administrator@none /cygdrive/f/Program Files/Network ICE/BlackICE
$ ls -al *ini
-rwx------+   1 Administ None        111 Jan 12 05:59 blackice.ini
-rwx------+   1 Administ None       1486 Jan 12 05:59 firewall.ini
-rwx------+   1 Administ None         84 Jan 12 05:59 sigs.ini

You should note that the above files are NOT Everyone: Full Control.

As soon as we open the BlackICE GUI we see that there are some nice red
exclamation marks. In the status window it says:

  [Informational] A firewall filter could not be set.

Clicking on advICE tells us "To correct this problem, make sure you have
updated BlackICE to the latest release or patch applicable to your
operating system". That's fair enough... I have no problem updating my
old demo. Next we click on Tools -> Download Update. I just accept all
defaults and upgrade to version 3.6.cbz. I have to tell it I am still
evaluating the product, obviously... I am not sure if anything changes
when you purchase a real version (enter a serial number). I have not
used any ISS products beyond this particular demo version of BlackICE.

Our version numbers are now:

Network ICE BlackICE PC Protection Release 3.6.cbz
 . blackdll.dll  version 3.6.37
 . BlackDrv.sys  version 3.6.37
 . iss-pam1.dll  version 3.6.50
 . blackd.exe    version 3.6.48
 . blackice.exe  version 3.6.44

After the update to 3.6.cbz the local security of our install appears to
have been downgraded.
Above, only the Administrator had access to the .ini files. Now everyone
has full control of them. I feel this causes its own set of security
issues aside from what we document below.

Administrator@none /cygdrive/f/Program Files/Network ICE/BlackICE
$ ls -al *ini
-rwxrwxrwx+   1 Administ None        233 Jan 12 06:10 blackice.ini
-rwxrwxrwx+   1 Administ None       1605 Jan 12 06:10 firewall.ini
-rwxrwxrwx+   1 Administ None        178 Jan 12 06:10 protect.ini
-rwxrwxrwx+   1 Administ None         84 Jan 12 06:10 sigs.ini

The default install options leave Application Protection off... oddly
enough I had considered turning it on at first, but I am a lazy guy; it
told me it would take "several minutes" to install Application
Protection. I was really not interested in waiting several minutes. =]

During the discovery phase there was some disagreement over the various
attack scenarios. The discussion centered around the multi-user
capabilities, or lack thereof, in the above mentioned operating systems.
So just for the sake of argument, the machine that I am evaluating
BlackICE on is Windows 2000 Server SP4; no terminal services are
installed (thus classifying the machine for an Enterprise BlackICE
solution?). The only service on this machine is VNC. VNC is provided so
that various individuals (not necessarily administrators) can login to
this machine remotely. The configuration for VNC is set to "Logoff
Workstation when last client disconnects" to provide some level of
additional security.

The point of the below scenarios is to show that the config file
permissions combined with the buffer overflow in the blackd.exe service
can be used in conjunction with other attacks to further leverage
privileges.

After the install I have rebooted, the login prompt is on the console,
and VNC is listening just as it was during the installation. From a
remote box I connect as a user with minimal rights. Upon connecting via
VNC I must send control-alt-del and then login.
I now have local access to the machine that I am attempting to exploit
via remote control software. You should note that NO BlackICE warnings
were triggered by the VNC connection. Keep in mind that BlackICE has not
been tweaked beyond its initial configuration either.

Let's see who we are really quick.

F:\Documents and Settings\kf>whoami
NONE\kf

A quick netstat shows us the ports that are currently open.

F:\Documents and Settings\kf>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    none:epmap             none:0                 LISTENING
  TCP    none:microsoft-ds      none:0                 LISTENING
  TCP    none:1025              none:0                 LISTENING
  TCP    none:1026              none:0                 LISTENING
  TCP    none:3389              none:0                 LISTENING
  TCP    none:netbios-ssn       none:0                 LISTENING
  UDP    none:microsoft-ds      *:*
  UDP    none:netbios-ns        *:*
  UDP    none:netbios-dgm       *:*

If you look at Task Manager you will note that blackd.exe is running as
SYSTEM.

After some toying with the GUI we discovered a buffer overflow in the
packetLog functionality. The overflow can be triggered with the following
.ini options.

[Packet Logging]
packetLog.logging=enabled
packetLog.fileprefix=
packetLog.maxKbytes=2048
packetLog.maxfiles=10

A 217 character log prefix makes BlackICE blackd crash with EIP and ECX
both overwritten with user supplied data. We simply run the BlackICE
exploit that we prepared for the above condition.

F:\Documents and Settings\kf> perl BlackICEdefender_ex.pl

Wait a bit for the FileChange Event to trigger, or trigger any alert
yourself. SSH traffic seemed like a quick and easy alert to trigger in
the event the file changes are not detected immediately.

F:\Program Files\Network ICE\BlackICE>telnet 192.168.1.1 22
Connecting To 192.168.1.1...
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.2.1
Protocol mismatch.

Check what's listening again. You should note the new port 9191 in the
list.
F:\Documents and Settings\kf>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    none:epmap             none:0                 LISTENING
  TCP    none:microsoft-ds      none:0                 LISTENING
  TCP    none:1025              none:0                 LISTENING
  TCP    none:1026              none:0                 LISTENING
  TCP    none:3389              none:0                 LISTENING
  TCP    none:9191              none:0                 LISTENING
  TCP    none:netbios-ssn       none:0                 LISTENING
  UDP    none:microsoft-ds      *:*
  UDP    none:netbios-ns        *:*
  UDP    none:netbios-dgm       *:*

F:\Documents and Settings\kf>telnet localhost 9191
Connecting To localhost...
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

F:\Program Files\Network ICE\BlackICE>whoami
NT AUTHORITY\SYSTEM

At this point we pretty much have the equivalent of root access to this
Windows machine.

Without local access to the machine I feel that it is still quite
trivial to trigger this vulnerability. A quick trip to
http://die.leox.com/ie_unpatched/ gave me enough to prove the basic
point. The following Full-Disclosure post outlines the attack and its
limitations.

http://www.mail-archive.com/full-disclosure@lists.netsys.com/msg06791.html

Obviously the example requires interaction from a victim. I am sure
there is no shortage of other bugs that could deliver a malicious
blackice.ini. Opening the above html file from within the My Computer
zone would cause the blackice.ini to be overwritten.

The final note I have to include on this advisory is that the BlackICE
Application Protection DOES work... so use it. When the AP is enabled
this attack is not possible because BlackICE simply will not allow the
config files to be modified.

Functional PoC can be located in the archives at
http://advisories.secnetops.com

Vendor Status : Vendor fixes should be available as of 1/27/04
Bugtraq URL   : To be assigned.

Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a
matter of notification to help administrators protect their networks
against the described vulnerability.
Release of exploit code is done at our own discretion.
----------------------------------------------------------------------
All content of this advisory is property of Secure Network Operations.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."
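Editorial example, added here and not part of the SNO advisory or of any ISS/BlackICE code: a small audit script for the two conditions the advisory documents, the post-upgrade world-writable .ini files and the oversized packetLog.fileprefix. It runs over constructed sample input copied from the `ls -al` listings and the `[Packet Logging]` options quoted above, flags any config file whose mode string carries the world-write bit, and flags a prefix at or beyond the 217-character length the advisory reports as crashing blackd.exe. The Cygwin `ls -l` line pattern, the CRASH_PREFIX_LEN constant and the character allow-list for a sane prefix are assumptions of this example, not vendor values; on a live box you would feed it the real listing and the real blackice.ini.

```python
"""Audit BlackICE .ini exposure: world-writable config files and an
oversized packetLog.fileprefix. Editorial example, not vendor code."""
import configparser
import re

# Length the advisory reports as crashing blackd.exe. Assumption: treat
# anything at or above it as a finding.
CRASH_PREFIX_LEN = 217

# Assumed allow-list for a sane log-file prefix; not a vendor rule.
SAFE_PREFIX = re.compile(r"^[A-Za-z0-9_.-]*$")

# Cygwin 'ls -l' line: mode, optional '+' ACL marker, link count, owner,
# group, size, month, day, time, name. Assumed layout.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\+?\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"[A-Za-z]{3}\s+\d{1,2}\s+[\d:]+\s+(?P<name>\S.*)$"
)

# Constructed samples, copied from the listings quoted in the advisory.
LS_ORIGINAL = """\
-rwx------+ 1 Administ None  111 Jan 12 05:59 blackice.ini
-rwx------+ 1 Administ None 1486 Jan 12 05:59 firewall.ini
-rwx------+ 1 Administ None   84 Jan 12 05:59 sigs.ini
"""
LS_AFTER_UPGRADE = """\
-rwxrwxrwx+ 1 Administ None  233 Jan 12 06:10 blackice.ini
-rwxrwxrwx+ 1 Administ None 1605 Jan 12 06:10 firewall.ini
-rwxrwxrwx+ 1 Administ None  178 Jan 12 06:10 protect.ini
-rwxrwxrwx+ 1 Administ None   84 Jan 12 06:10 sigs.ini
"""
INI_DEFAULT = """\
[Packet Logging]
packetLog.logging=enabled
packetLog.fileprefix=
packetLog.maxKbytes=2048
packetLog.maxfiles=10
"""
# Constructed: the same section with the prefix padded to the reported
# crash length, so the validator has something to catch.
INI_TAMPERED = INI_DEFAULT.replace(
    "packetLog.fileprefix=", "packetLog.fileprefix=" + "A" * CRASH_PREFIX_LEN
)


def world_writable(ls_output):
    """Return names of .ini files whose 'other' write bit is set."""
    hits = []
    for line in ls_output.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        mode = m.group("mode")  # e.g. '-rwxrwxrwx'; index 8 is other-write
        if mode[8] == "w" and m.group("name").lower().endswith(".ini"):
            hits.append(m.group("name"))
    return hits


def packetlog_findings(ini_text):
    """Flag a packetLog.fileprefix that is dangerously long or odd-looking."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the 'packetLog.*' key case as written
    cp.read_string(ini_text)
    findings = []
    if not cp.has_section("Packet Logging"):
        return findings
    sec = cp["Packet Logging"]
    prefix = sec.get("packetLog.fileprefix", "")
    enabled = sec.get("packetLog.logging", "").lower() == "enabled"
    if len(prefix) >= CRASH_PREFIX_LEN:
        findings.append(
            "packetLog.fileprefix length %d >= %d (reported crash length)%s"
            % (len(prefix), CRASH_PREFIX_LEN,
               "; packet logging is enabled" if enabled else "")
        )
    elif not SAFE_PREFIX.match(prefix):
        findings.append("packetLog.fileprefix contains unexpected characters")
    return findings


def audit(ls_output, ini_text):
    """Combine both checks into one list of human-readable findings."""
    findings = ["world-writable config file: " + n
                for n in world_writable(ls_output)]
    findings.extend(packetlog_findings(ini_text))
    return findings


if __name__ == "__main__":
    print("before upgrade:", audit(LS_ORIGINAL, INI_DEFAULT) or "clean")
    print("after upgrade: ", audit(LS_AFTER_UPGRADE, INI_TAMPERED))
```

The permission check is deliberately independent of the prefix check: a world-writable blackice.ini is a finding on its own, since, as the advisory notes, it lets any local user (or anything that can write a file on the victim's behalf) rewrite the configuration that the SYSTEM-level blackd.exe service reads. Enabling Application Protection, the mitigation the advisory recommends, is what actually prevents that write.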