SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Firewall)  >   BlackICE
Vendors:   Internet Security Systems
(Defcom Labs Provides Additional Information) Re: BlackICE Defender Firewall for Windows Can Be Crashed By Remote Users Sending Large Ping Packets
SecurityTracker Alert ID:  1003440
SecurityTracker URL:  http://securitytracker.com/id/1003440
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 6 2002
Impact:   Denial of service via network
Exploit Included:  Yes
Version(s): 2.9.can, 2.9.cap, 2.9.caq; possibly others
Description:   A denial of service vulnerability was reported in Internet Security Systems BlackICE Defender firewall software. A remote user can cause the host running the software to crash.

It is reported that a basic ping flood can cause the host to crash. A remote user can apparently send multiple packets of about 10,000 bytes to cause the receiving host to crash.

Defcom Labs has provided some additional details. Defcom confirms the vulnerability in version 2.9.cap, both when the host running BlackICE Defender is on the sending end of the flood and when it is on the receiving end. In both cases the exploit reportedly triggered a kernel-mode exception.

On the sending end, the ping flood will apparently trigger a crash with exception 0x1E in blackdrv.sys. According to the report, this type of exception occurs when a kernel-mode exception is not properly handled and is typical of drivers that are not coded properly.

On the receiving end, a STOP 0xD1 exception occurs in blackdrv.sys, which is also indicative of poor coding practices in the driver.

Defcom notes that a large amount of bandwidth (greater than 1 Mbps of half-duplex traffic) is required to trigger this flaw and that nothing is logged by BlackICE. Also, it is reported that no exceptions were observed in blackd.exe (the BlackICE service) prior to the kernel-mode crash, further indicating that this is a kernel-mode issue and not a user-mode issue.

Impact:   A remote user can cause the host to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.networkice.com/products/blackice_defender.html
Cause:   Exception handling error
Underlying OS:   Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Feb 5 2002 BlackICE Defender Firewall for Windows Can Be Crashed By Remote Users Sending Large Ping Packets
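Since the advisory notes that BlackICE itself logs nothing during the flood, a defender has to recognise the traffic pattern from network telemetry instead. The script below is an added example, not part of the SecurityTracker entry or the Defcom report. It reads constructed flow records (field layout, record format and the 8,000-byte "large packet" cutoff are assumptions for this example) and flags source/destination pairs whose large ICMP echo-request traffic exceeds the 500 kbit/s per direction that Defcom reports as the minimum needed to trigger the crash, measured over a sliding window.

```python
"""Flag sustained floods of large ICMP echo requests in flow telemetry.

Added example, not code from the SecurityTracker entry or from Defcom.
Thresholds come from the advisory: echo requests of roughly 10,000 bytes,
and no crash observed below 500 kbit/s in each direction. The flow record
layout (ts,src,dst,proto,icmp_type,length) is a constructed format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

LARGE_ICMP_BYTES = 8000        # assumed cutoff for "large" echo requests
RATE_THRESHOLD_BPS = 500_000   # 500 kbit/s per src->dst pair (from the report)
WINDOW_SECONDS = 5.0           # assumed sliding-window length


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch
    src: str
    dst: str
    proto: str       # "icmp", "tcp" or "udp"
    icmp_type: int   # 8 = echo request; -1 when not ICMP
    length: int      # reassembled IP datagram length in bytes


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed format ts,src,dst,proto,icmp_type,length."""
    ts, src, dst, proto, icmp_type, length = line.strip().split(",")
    return Flow(float(ts), src, dst, proto, int(icmp_type), int(length))


def detect_large_icmp_floods(flows: Iterable[Flow],
                             window: float = WINDOW_SECONDS,
                             rate_bps: float = RATE_THRESHOLD_BPS
                             ) -> Dict[Tuple[str, str], float]:
    """Return {(src, dst): peak_bps} for pairs whose large echo-request
    traffic reached rate_bps within any window of `window` seconds."""
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        if f.proto == "icmp" and f.icmp_type == 8 and f.length >= LARGE_ICMP_BYTES:
            by_pair[(f.src, f.dst)].append(f)

    alerts: Dict[Tuple[str, str], float] = {}
    for pair, pkts in by_pair.items():
        pkts.sort(key=lambda p: p.ts)
        start, total_bytes, peak_bps = 0, 0, 0.0
        for end, p in enumerate(pkts):
            total_bytes += p.length
            # Slide the window start forward until it spans at most `window` seconds.
            while pkts[end].ts - pkts[start].ts > window:
                total_bytes -= pkts[start].length
                start += 1
            peak_bps = max(peak_bps, total_bytes * 8 / window)
        if peak_bps >= rate_bps:
            alerts[pair] = peak_bps
    return alerts


# Constructed sample telemetry: one host sends 10,000-byte echo requests ten
# times a second (800 kbit/s, above the threshold); another sends ordinary
# 64-byte pings; a third sends two large pings far apart; plus one TCP record.
SAMPLE_RECORDS = (
    [f"{i * 0.1:.1f},10.0.0.5,10.0.0.20,icmp,8,10000" for i in range(50)]
    + [f"{i:.1f},10.0.0.7,10.0.0.20,icmp,8,64" for i in range(5)]
    + ["1.0,10.0.0.9,10.0.0.20,icmp,8,10000", "3.5,10.0.0.9,10.0.0.20,icmp,8,10000"]
    + ["2.0,10.0.0.7,10.0.0.20,tcp,-1,1500"]
)


def run_example() -> Dict[Tuple[str, str], float]:
    """Run the detector over the constructed sample and return its alerts."""
    return detect_large_icmp_floods(parse_flow(line) for line in SAMPLE_RECORDS)


if __name__ == "__main__":
    for (src, dst), bps in run_example().items():
        print(f"large ICMP echo flood {src} -> {dst}: peak {bps / 1000:.0f} kbit/s")
```

At the 500 kbit/s figure from the report, 10,000-byte echo requests arrive at only about six packets per second, so a per-packet-count rule would miss this; the detector therefore accumulates bytes rather than packets, and ignores small pings and non-ICMP traffic entirely.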



 Source Message Contents

Date:  Tue, 5 Feb 2002 15:34:30 -0000
Subject:  RE: Vulnerability in Black ICE Defender


This email contains the results of my preliminary testing on this issue.

This issue has been replicated when either sending or receiving 10,000-byte
ping packets when running Black Ice Defender, latest version (2.9.cap).  In
both cases, a kernel-mode exception was triggered, causing a BSOD.  The
circumstances differ depending on whether the machine was sending or
receiving the packets.

When the sender of the flood is running BID, the machine quickly suffers a
BSOD, exception 0x1E, in blackdrv.sys.  Exception 0x1E occurs when a
kernel-mode exception is not handled, indicating poor coding practice or
insufficient testing within a kernel-mode driver.

When a machine running BID is the recipient of the flood, a different
kernel-mode exception is seen, again in blackd.sys.  STOP 0xD1 indicates
that a driver has tried to access pageable or non-existent memory while the
process IRQL was high.  In at least one instance, the fault was generated by
an attempted write to address 0x0 - a common error when coding in C++.

Several points to note about this issue:

1)  A 10,000-byte PING flood requires a lot of bandwidth.  This attack has
not been observed to be successful when using a bandwidth of less than
500kbit/sec (in each direction - that's 1mbit/sec of half-duplex traffic).
This may affect cable modem users, but is unlikely to affect dial-up users.

2)  Nothing is logged by Black Ice about the attack.

3)  The exceptions generated are kernel-mode, and do not indicate any kind
of buffer overflow.  As such, it is extremely unlikely that arbitrary code
can be executed.

4)  No exceptions were observed in blackd.exe (the Black Ice service) before
the kernel-mode crash.  This is a kernel-mode issue, not a user-mode one.
Again, it is unlikely that this is anything more than a DoS (albeit a fairly
nasty one).

5)  As far as I can tell so far, stopping the Black Ice service eliminates
the issue; uninstalling the driver is not necessary.

<personal rant>
The machine used for this testing has been heavily stressed with a range of
applications for several months, and this was the first BSOD it has
suffered.  People should not be so quick to criticise Microsoft's coding
practices when it comes to kernel-mode development; this vulnerability alone
shows how a common piece of software can bring any OS to its knees through a
flawed kernel-mode driver.  Those who say that Windows is unstable should
learn how to debug a crashdump and find out for themselves what is truly to
blame.
</rant>

Chris

--
Chris Paget
Security Consultant
Defcom Internet Security UK
chris.paget@defcom.com



-----Original Message-----
From: Matt Taylor [mailto:quisit@quest.net]
Sent: 04 February 2002 04:27
To: bugtraq@securityfocus.com
Subject: Vulnerability in Black ICE Defender


The current version of BlackICE Defender (2.9.caq and 2.9.cap) running on a
Windows 2000 machine can be remotely crashed using a very basic ping flood.
This has been tested with Divine Intervention 2 & 3, Sisoft Sandra Network
(LAN) benchmark.
Setting the packet size to about 10,000 bytes causes a Blue Screen of Death
(or immediate system reboot). After extensive correspondence with ISS
support they basically told me they'd "look into it." They have not
responded since 12/21/01 and their newest patch 2.9.caq (released after)
does not address this issue. More details available if requested.

Matt Taylor




Copyright 2013, SecurityGlobal.net LLC