Subject: [NT] BlackICE default configuration does not block Back Orifice
Date: Wed, 21 Jun 2000 18:56:41 +0200

BlackICE default configuration does not block Back Orifice
--------------------------------------------------------------------------------

SUMMARY

At security level NERVOUS or lower, BlackICE and the host it protects are vulnerable to Back Orifice (BO) 1.2. BO 1.2 uses UDP as its client-server transport, and the BO server listens on a high UDP port by default. BlackICE configured at security level NERVOUS or below does not block inbound traffic to high UDP ports.

If a BO 1.2 server infects a host and listens on a high UDP port (1024 or higher), BlackICE at security level NERVOUS or below cannot fully protect that host from commands sent by a BO client: at least one BO command gets through and is executed before BlackICE's automated countermeasures kick in. The BO-infected, BlackICE-protected host is therefore exposed to almost any command a BO 1.2 client can issue.

Versions of BlackICE before 2.1 (which have auto-IP-address blocking but no auto-port blocking) can additionally be shut down by a BO server under the control of a remote BO client, provided the attacker has access to two different IP addresses.

DETAILS

Vulnerable systems:
 * BlackICE Defender 2.1 (by Network ICE Corp.) and older versions configured at security level NERVOUS or lower.
 * BlackICE Pro Agent 2.0.23 (by Network ICE Corp.) and older versions configured at security level NERVOUS or lower.

Immune systems:
 * BlackICE Defender 2.1 (by Network ICE Corp.) and older versions configured at security level PARANOID.
 * BlackICE Pro Agent 2.0.23 (by Network ICE Corp.) and older versions configured at security level PARANOID.

Reproducing the vulnerability:
To reproduce this vulnerability you need a Windows 95/98/NT/2000 system running BlackICE and infected with a BO 1.2 server. The BlackICE security level must be set to NERVOUS or lower.
From another machine, run the BO 1.2 client and issue one of its many commands against the host running BlackICE. You will notice that after a few seconds the BO client's IP address has been blocked by BlackICE (on BlackICE Defender 2.1 or newer, an auto-port block also kicks in), but the BO command has already been executed on the target system and its response transmitted back to the client. Note that it is the Back Orifice response that BlackICE detects; this is what triggers the auto-blocking countermeasures, so the first command always gets through.

If the target is running a pre-2.1 BlackICE, you can go further and shut down the BlackICE engine. Issue a BO command that returns the process list from the infected host. Although the first BO client's IP address will be blocked by BlackICE, a second BO client on a different IP address can use the process list collected by the first client to find the process ID of blackd.exe (the BlackICE protection and detection engine) and send a kill-process command to the BO server on the target host. The second client's address is not yet blocked, and without auto-port blocking the server's UDP port is still reachable, so the kill command is executed and the host is left unprotected.

Solution:
If you do not have anti-virus software on your machine and BlackICE detects a Back Orifice response, your machine is probably infected with BO. Immediately set your protection level to PARANOID. This breaks all communication between the BO client and server (it does not remove the BO server itself, so the host still needs to be cleaned). Better yet, set the BlackICE security level to PARANOID before BlackICE ever detects such an event: the BO client will then never get through the BlackICE firewall. This solution works regardless of the version of BlackICE you are using.

If you are running Windows NT or 2000, your system is unlikely to be infected by BO if you use a non-admin account for your day-to-day work. This keeps BlackICE from being exposed to the vulnerability presented by BO 1.2.
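The sequence above (first command executed, client IP auto-blocked, second client from another IP killing blackd.exe on pre-2.1 versions, and PARANOID stopping everything) is easier to reason about as a small model. The following Python is an added illustration written for this page; it is not BlackICE or Back Orifice code and does not speak the real BO protocol. It models only the behaviour the advisory states. The port 31337 is Back Orifice's well-known default; the process IDs, client addresses and command strings ("ps", "kill <pid>") are constructed stand-ins.

```python
"""Model of the Back Orifice 1.2 vs. BlackICE sequence described in the advisory.

Constructed simulation for this page, not BlackICE or BO code. Only the
behaviour the advisory states is modelled:
  * at NERVOUS (and lower), inbound UDP to ports >= 1024 is not blocked;
  * at PARANOID, unsolicited inbound traffic is dropped;
  * when BlackICE sees a BO response leave the host it auto-blocks the
    client's IP, and from version 2.1 also the server's port;
  * a BO kill-process command aimed at blackd.exe stops all filtering.
"""
from dataclasses import dataclass, field

BO_PORT = 31337            # Back Orifice's well-known default UDP port
BLACKD = "blackd.exe"      # BlackICE detection/protection engine (per the advisory)


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    command: str           # constructed stand-in for a BO command: "ps" or "kill <pid>"
    proto: str = "udp"


@dataclass
class BlackICE:
    level: str                      # "NERVOUS" (or lower) or "PARANOID"
    version: tuple = (2, 1)
    running: bool = True
    blocked_ips: set = field(default_factory=set)
    blocked_ports: set = field(default_factory=set)

    def allows_inbound(self, pkt: Packet) -> bool:
        """Static policy plus any auto-blocks accumulated so far."""
        if not self.running:
            return True                      # engine killed: nothing filters
        if pkt.src_ip in self.blocked_ips:
            return False
        if (pkt.proto, pkt.dst_port) in self.blocked_ports:
            return False
        if self.level == "PARANOID":
            return False                     # unsolicited inbound dropped
        # NERVOUS or lower: high UDP ports pass (the gap the advisory describes).
        # Other traffic is not covered by the advisory; treated as blocked here.
        return pkt.proto == "udp" and pkt.dst_port >= 1024

    def on_bo_response(self, client_ip: str, server_port: int) -> None:
        """BlackICE detects the BO response; this is what triggers the countermeasures."""
        if not self.running:
            return
        self.blocked_ips.add(client_ip)
        if self.version >= (2, 1):           # auto-port blocking exists from 2.1 on
            self.blocked_ports.add(("udp", server_port))


@dataclass
class InfectedHost:
    ice: BlackICE
    # Constructed process table: pid -> image name
    processes: dict = field(default_factory=lambda: {100: BLACKD, 200: "explorer.exe"})

    def deliver(self, pkt: Packet):
        """Return the BO server's reply, or None if BlackICE dropped the packet."""
        if not self.ice.allows_inbound(pkt):
            return None
        reply = self._bo_execute(pkt.command)     # executed before any auto-block
        self.ice.on_bo_response(pkt.src_ip, pkt.dst_port)
        return reply

    def _bo_execute(self, command: str):
        if command == "ps":
            return dict(self.processes)
        if command.startswith("kill "):
            pid = int(command.split()[1])
            name = self.processes.pop(pid, None)
            if name == BLACKD:
                self.ice.running = False          # engine gone: host unprotected
            return name
        return "unknown command"


def run_attack(level: str, version: tuple, second_client_ip: str = "10.0.0.2") -> dict:
    """Play the two-step sequence from the advisory and report what got through."""
    host = InfectedHost(BlackICE(level=level, version=version))
    first = host.deliver(Packet("10.0.0.1", BO_PORT, "ps"))
    engine_killed = False
    if first:
        blackd_pid = next(pid for pid, name in first.items() if name == BLACKD)
        second = host.deliver(Packet(second_client_ip, BO_PORT, f"kill {blackd_pid}"))
        engine_killed = second == BLACKD
    return {
        "first_command_executed": first is not None,
        "engine_killed": engine_killed,
        "blocked_ips": sorted(host.ice.blocked_ips),
        "blocked_ports": sorted(host.ice.blocked_ports),
    }


if __name__ == "__main__":
    for level, ver in [("NERVOUS", (2, 0)), ("NERVOUS", (2, 1)), ("PARANOID", (2, 0))]:
        print(level, ver, run_attack(level, ver))
```

Running the model shows the three outcomes the advisory describes: at NERVOUS on a pre-2.1 engine the first command executes and the second client (different IP) kills blackd.exe; at NERVOUS on 2.1 the first command still executes but the auto-port block stops the second client; at PARANOID nothing gets through, so no auto-block is ever triggered. Passing the same IP for the second client shows why the pre-2.1 shutdown needs two addresses.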
If you are running Windows 95 or 98 and for some reason prefer not to set your security level to PARANOID, use anti-virus software to keep your system, and with it BlackICE, from being exposed to this vulnerability.

ADDITIONAL INFORMATION

The information has been provided by: Mike DeMaria.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.