OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2
From: Juancho Forlanda (juanchoNETWORKICE.COM)
Date: Tue Jun 20 2000 - 17:30:22 CDT


Vulnerable Applications
-----------------------
BlackICE Defender 2.1 (by Network ICE Corp.) and older versions configured
at security level NERVOUS or lower

BlackICE Pro Agent 2.0.23 (by Network ICE Corp.) and older versions
configured at security level NERVOUS or lower

Non-Vulnerable Applications
---------------------------
BlackICE Defender 2.1 (by Network ICE Corp.) and older versions configured
at security level PARANOID

BlackICE Pro Agent 2.0.23 (by Network ICE Corp.) and older versions
configured at security level PARANOID

Vulnerability
-------------
At security level NERVOUS or lower, BlackICE and the host protected by
BlackICE are vulnerable to Back Orifice (BO) 1.2.

Recall that BO 1.2 uses UDP as a client-server transport protocol, and the
BO server uses a high UDP port, by default, to run its service. BlackICE
configured at NERVOUS security level or below does not block the high UDP
ports.

If a BO 1.2 server infects a host and that BO server runs at a high UDP port
(1024 or higher), then BlackICE set to security level NERVOUS or below will
not be able to fully protect a host from BO client-transmitted commands
because at least one BO command will get through before the automated
BlackICE protection engine kicks in. As such, the BO infected and
BlackICE-protected host is vulnerable to almost any commands a BO 1.2 client
can issue.

Pre 2.1 versions of BlackICE (where auto-IP address blocking is available,
but auto-port blocking is not available) are vulnerable to being shutdown by
a BO server controlled by a remote BO client if the cracker has access to
two different IP addresses.

Reproducing the vulnerability
-----------------------------
To reproduce this vulnerability you need BlackICE on a Windows 95/98/NT/2000
system infected it with a BO 1.2 server. The BlackICE security level must
be set to Nervous or lower.

From another machine, run the BO 1.2 client and issue one of the many
commands available to it against the host running BlackICE. You will notice
that after a few seconds, the BO 1.2 client has been IP address-blocked by
BlackICE (on BlackICE Defender 2.1 or newer, an auto-port block also kicks
in), but the BO command is executed on the target system and a response
transmitted back to the client. Note that BlackICE will detect the Back
Orifice response; this is what triggers the auto blocking countermeasures.

If you are running pre-2.1 BlackICE, then you have the ability to shutdown
the BlackICE engine. You can do this by issuing a BO command that will
return a process list from the infected host. Although the first BO client
host will be IP address-blocked by BlackICE, another BO client on a
different IP address can use the returned information collected from the
first BO client to determine the process ID of blackd.exe (the BlackICE
protection and detection engine) and send a kill process command to the BO
server running on the target host.

Solutions, fixes, work-arounds
------------------------------
If you don't have anti-virus software on your machine, and BlackICE detects
a Back Orifice response, then your machine is infected by BO. Immediately
set your protection level to PARANOID. This will break any communication
between the BO client and server.

Better yet, simply set the BlackICE security level to PARANOID before
BlackICE detects such an event. The BO client will never be able to go
through the BlackICE firewall.

This solution will work regardless of the version of BlackICE you are using.

If you are running on Windows NT or 2000, your system will not likely be
infected by BO if you use a non-admin account to do your day to day work on
the system. This means that you will not expose BlackICE to the
vulnerability presented by BO 1.2.

If you are running on Win 95 or 98, and for some reason you prefer not to
set your security level to PARANOID, then use anti-virus as a measure to
prevent your system and BlackICE from being exposed to this vulnerability.

Credits
-------
Many thanks for the diligent work of Mike DeMaria (Network Computing) for
finding and reporting this vulnerability.