Bugtraq mailing list archives

SRT2004-01-17-0227 - BlackICE allows local users to become SYSTEM

From: KF <dotslash () snosoft com>
Date: Tue, 27 Jan 2004 21:36:46 -0500

Secure Network Operations, Inc. http://www.secnetops.com/research
Strategic Reconnaissance Team research[at]secnetops[.]com
Team Lead Contact kf[at]secnetops[.]com
Spam Contact `rm -rf /`@snosoft.com

Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.

To learn more about our company, products and services or to request a
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or
call us at: 978-263-3829

Quick Summary:
************************************************************************
Advisory Number : SRT2004-01-17-0227
Product : BlackICE PC Protection
Version : <= 3.6.cbz ?
Vendor : http://blackice.iss.net/product_pc_protection.php
Class : Local
Criticality : Low to Medium
Operating System(s) : Win32

Notice
************************************************************************
1-2 day Early Warning List:
---------------------------
Secure Network Operations, inc. will very shortly have its own advisory
notification mailing list. This list will notify you of advisories 1-2
days in advance of public release to other mailing lists. To subscribe
please visit http://advisories.secnetops.com in the immediate future.

30-60 day Early Warning List:
-----------------------------
Our early warning service will notify you of new vulnerabilities 30-60
days in advance of public release. This service has been created to protect
companies by allowing them to repair security vulnerabilities before they
become public knowledge. To purchase a one year subscription to this
service please contact us at 978-263-3767.

Alert
***********************************************************************
Our advisories will contain full details excluding a working Proof of
Concept. Our web page will contain our working proof of concept for the
advisory if it exists. Yes folks this is a policy change for us. We
will exercise our own discretion in regards to delay of exploit release
vs advisory release. List subscribers will have advanced access to working
proof of concept code depending on the severity and list subscription type.

Basic Explanation
************************************************************************
High Level Description : BlackICE allows local users to become SYSTEM.
What to do : Enable BlackICE Application Protection or upgrade.

Basic Technical Details
************************************************************************
Proof Of Concept Status : Proof of concept is attached to this advisory.

Low Level Description : BlackICE products provide Intrusion Detection,
personal firewall, and application protection all in one easy to use package.
The technology behind BlackICE goes beyond basic file scanning to actually
monitoring ongoing system activity and communications so that it can
automatically stop suspect activity before it can harm your system.

Based on vendor documentation BlackICE will run on the following systems:
Windows 98 (retail, SP1, Second Edition), Windows NT 4 (SP5, SP6, SP6a),
Windows 2000 (SP1, SP2, SP3), Windows Me, and Windows XP Pro (SP1) / Home
(SP1). Please note that the suggested browser versions (Internet Explorer
5.0 or greater) depending on patch level may aid in facilitating the below
mentioned attack scenarios. Please see http://die.leox.com/ie_unpatched/index.html

The following text is a documentation of my personal experience with BlackICE.
This text may or may not reflect your experience with BlackICE products. My
testing and research was done using a random copy of a BlackICE eval
(BIDEvalSetup27360.exe) that was lying around on an internal file share. I
took all defaults while installing BlackICE. After clicking next, next, next...
all the way through the install I ended up with:

Network ICE BlackICE Defender Rel 2.5.ch EVALUATION
. blackdll.dll version 2.5.33
. blackdrv.sys version 2.5.35 (for Win NT/2000)
. blackdrv.vxd version 2.5.34 (for Win 95/98/Me)
. blackd.exe version 2.5.36
. blackice.exe version 2.5.34

The original ini files are installed as follows. (This is a GOOD thing)
Administrator@none /cygdrive/f/Program Files/Network ICE/BlackICE
$ ls -al *ini
-rwx------+ 1 Administ None 111 Jan 12 05:59 blackice.ini
-rwx------+ 1 Administ None 1486 Jan 12 05:59 firewall.ini
-rwx------+ 1 Administ None 84 Jan 12 05:59 sigs.ini

You should note that the above files are NOT everyone full control.

As soon as we open the BlackICE gui we see that there are some nice red
exclamation marks. In the status window it says [Informational] A firewall
filter could not be set. Clicking on advICE tells us "To correct this problem,
make sure you have updated BlackICE to the latest release or patch applicable
to your operating system".

Thats fair enough... I have no problem updating my old demo. Next we click on
tools download update. I just accept all defaults and upgrade to version
3.6cbz. I have tell it I am still evaluating the product obviously... I am not
sure if anything changes when you purchase a real version (enter a serial
number). I have not used any ISS products beyond this particular demo version
of BlackICE.

Our version numbers are now:

Network ICE BlackICE PC Protection Release 3.6.cbz
. blackdll.dll version 3.6.37
. BlackDrv.sys version 3.6.37
. iss-pam1.dll version 3.6.50
. blackd.exe version 3.6.48
. blackice.exe version 3.6.44

After the update to 3.6cbz the local security of our install appears to have
been downgraded. Above only the Administrator had access to the .ini files. Now
everyone has full control of them. I feel this causes its own set of security
issues aside from what we document below.

Administrator@none /cygdrive/f/Program Files/Network ICE/BlackICE
$ ls -al *ini
-rwxrwxrwx+ 1 Administ None 233 Jan 12 06:10 blackice.ini
-rwxrwxrwx+ 1 Administ None 1605 Jan 12 06:10 firewall.ini
-rwxrwxrwx+ 1 Administ None 178 Jan 12 06:10 protect.ini
-rwxrwxrwx+ 1 Administ None 84 Jan 12 06:10 sigs.ini

The default install options leave Application Protection off... oddly enough I
had considered turning it on at first but I am a lazy guy, it told me it would
take "several minutes" to install Application Protection. I was really not
interested in waiting several minutes. =]

During the discovery phase there was some disagreement over the various attack
scenarios. The discussion centered around the multi-user capabilities or lack
there of in the above mentioned operating systems. So just for the sake of
argument the machine that I am evaluating BlackICE on is Windows 2000 Server SP4,
no terminal services are installed (thus classifying the machine for an Enterprise
BlackICE solution?). The only service on this machine is VNC. VNC is provided
so that various individuals (not necessarily administrators) can login to this
machine remotely. The configuration for VNC is set to "Logoff Workstation when
last client disconnects to provide some level of additional security.

The point of the below scenarios are to show that the config file permissions
combined with the buffer overflow in the blackd.exe service can be used in
conjunction with other attacks to further leverage privileges.

After the install I have rebooted, the login prompt is on the console, and VNC
is listening just as it was during the installation. From a remote box I connect
as a user with minimal rights. Upon connecting via VNC I must send control alt
del and then login. I now have local access to the machine that I am attempting
to exploit via remote control software. You should note that NO BlackICE warnings
were triggered by the VNC connection. Keep in mind that BlackICE has not been
tweaked beyond its initial configuration either.

Lets see who we are really quick.

F:\Documents and Settings\kf>whoami
NONE\kf

A quick netstat shows us the ports that are currently open.

F:\Documents and Settings\kf>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP none:epmap none:0 LISTENING
TCP none:microsoft-ds none:0 LISTENING
TCP none:1025 none:0 LISTENING
TCP none:1026 none:0 LISTENING
TCP none:3389 none:0 LISTENING
TCP none:netbios-ssn none:0 LISTENING
UDP none:microsoft-ds *:*
UDP none:netbios-ns *:*
UDP none:netbios-dgm *:*

If you look at task manager you will note that blackd.exe is running as SYSTEM.

After some toying with the GUI we discovered a buffer overflow in the packetLog
functionality. The overflow can be triggered with the following .ini options.

[Packet Logging]
packetLog.logging=enabled
packetLog.fileprefix=<aaaaa...b0f here...aaaaa>
packetLog.maxKbytes=2048
packetLog.maxfiles=10

A 217 Character log prefix makes BlackICE blackd crash with the EIP and ECX both
overwritten with user supplied data.

We simply run the BlackICE exploit that we prepared for the above condition.

F:\Documents and Settings\kf> perl BlackICEdefender_ex.pl

Wait a bit for the FileChange Event to trigger, or trigger any alert yourself.
Ssh traffic seemed like a quick and easy alert to trigger in the event the file
changes are not detected immediately.

F:\Program Files\Network ICE\BlackICE>telnet 192.168.1.1 22
Connecting To 192.168.1.1...
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.2.1
Protocol mismatch.

Check whats listening again. You should note the new port 9191 in the list.

F:\Documents and Settings\kf>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP none:epmap none:0 LISTENING
TCP none:microsoft-ds none:0 LISTENING
TCP none:1025 none:0 LISTENING
TCP none:1026 none:0 LISTENING
TCP none:3389 none:0 LISTENING
TCP none:9191 none:0 LISTENING
TCP none:netbios-ssn none:0 LISTENING
UDP none:microsoft-ds *:*
UDP none:netbios-ns *:*
UDP none:netbios-dgm *:*

F:\Documents and Settings\kf>telnet localhost 9191
Connecting To localhost...

F:\Program Files\Network ICE\BlackICE>whoami
NT AUTHORITY\SYSTEM

At this point we pretty much have the equivalent of root access to this
windows machine.

With out local access to the machine I feel that it is still quite trivial
to trigger this vulnerability. A quick trip to http://die.leox.com/ie_unpatched/
gave me enough to prove the basic point. The following Full-Disclosure post
outlines the attack and its limitations.

http://www.mail-archive.com/full-disclosure () lists netsys com/msg06791.html

Obviously the example requires interaction from a victim. I am sure there is no
shortage on other bugs that could deliver a malicious blackice.ini.

Opening the above html file from within the MyComputer zone would cause the
blackice.ini to be overwritten.

The final note I have to include on this advisory is that the BlackICE Application
Protection DOES work... so use it. When the AP is enabled this attack is not
possible because BlackICE simply will not allow the configfiles to be modified.

Functional PoC can be located in the archives at http://advisories.secnetops.com

Vendor Status : Vendor fixes should be available as of 1/27/04

Bugtraq URL : To be assigned.

Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Release of exploit code is done at our
own discretion.
----------------------------------------------------------------------
All content of this advisory is property of Secure Network Operations.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."

Current thread:

SRT2004-01-17-0227 - BlackICE allows local users to become SYSTEM KF (Jan 28)