When attempting to replicate the ping vulnerability
discovered by Matt Taylor a different outcome was
discovered. Rather than the large ping causing the
server to blue screen and/or hang the black ice
service was actually stopped thus allowing an intruder
to gain access to the host.

Testing consisted of Black ICE Agent version 3.1eaj
generated and deployed by ICE CAP version 3.1. The
agent was installed on a Dell 6450 running Windows
2000 SP2 and was running WinVNC 3.3 server in
application mode. The Black ICE agent generated was
set to use the Paranoid setting in order to prevent
any inbound connections. Using VNC viewer from my
dektop, I attempted to connect to the VNC server
running on the Dell and was blocked. I then issued the
command ping -l 65000 -t X.X.X.X, waited 5 seconds,
and attempted to connect to the VNC server again and
was successful. Upon connecting to the VNC server and
gaining access to the desktop, a Black ICE pop up
window appeared stating that the Black ICE service has
stopped would you like to start it? I chose to start
the service again which was successful but did not
disconnect my VNC session and as mentioned before did
not leave any logs in Black ICE showing anything had
occurred.

This information would more than likely affect
Enterpises that have deployed Black ICE agents and
have ICE CAP infrastructure deployed to manage them. I
would like to know if anyone else is able to replicate
this.

Brandon Young

__________________________________________________
Do You Yahoo!?
Send FREE Valentine eCards with Yahoo! Greetings!
http://greetings.yahoo.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]