BlackICE Fails to Defend Against Back Orifice
Reported June 22 by
Mike DeMaria

VERSIONS AFFECTED
  • BlackICE Defender 2.1 and previous versions
  • BlackICE Agent 2.0.23 and previous versions

    DESCRIPTION

    BlackICE systems configured at security level NERVOUS or lower are vulnerable to Back Orifice 1.2 since UDP ports above 1021 are not blocked by the BlackICE software.

    VENDOR RESPONSE

    From the vendor, NetworkICE:

    Reproducing the vulnerability:

    To reproduce this vulnerability you need BlackICE on a Windows 95/98/NT/2000 system that has been infected with a BO 1.2 server. The BlackICE security level must be set to Nervous or lower.

    From another machine, run the BO 1.2 client and issue one of the many commands available to it against the host running BlackICE. You will notice that after a few seconds, the BO 1.2 client has been IP address-blocked by BlackICE (on BlackICE Defender 2.1 or newer, an auto-port block also kicks in), but the BO command is executed on the target system and a response transmitted back to the client. Note that BlackICE will detect the Back Orifice response; this is what triggers the auto blocking countermeasures.

    If you are running pre-2.1 BlackICE, then you have the ability to shut down the BlackICE engine. You can do this by issuing a BO command that will return a process list from the infected host. Although the first BO client host will be IP address-blocked by BlackICE, another BO client on a different IP address can use the returned information collected from the first BO client to determine the process ID of blackd.exe (the BlackICE protection and detection engine) and send a kill process command to the BO server running on the target host.

    Solutions, fixes, work-arounds:

    If you don't have anti-virus software on your machine, and BlackICE detects a Back Orifice response, then your machine is infected by BO. Immediately set your protection level to PARANOID. This will break any communication between the BO client and server.

    Better yet, simply set the BlackICE security level to PARANOID before BlackICE detects such an event. The BO client will never be able to go through the BlackICE firewall.

    This solution will work regardless of the version of BlackICE you are using.

    If you are running on Windows NT or 2000, your system will not likely be infected by BO if you use a non-admin account to do your day-to-day work on the system. This means that you will not expose BlackICE to the vulnerability presented by BO 1.2.

    If you are running on Win 95 or 98, and for some reason you prefer not to set your security level to PARANOID, then use anti-virus as a measure to prevent your system and BlackICE from being exposed to this vulnerability.
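The reproduction sequence and the PARANOID work-around described above, as an added Python model that is not BlackICE code and not part of the original advisory. The security levels, the 1021 port cut-off and the IP/port auto-block behaviour are taken from the vendor's text; the port number 4000 and the client names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class BlackIceModel:
    """Constructed model of the filtering behaviour the advisory describes."""
    level: str                   # "NERVOUS" or "PARANOID", the two levels the advisory names
    auto_port_block: bool        # True for Defender 2.1 and newer (IP block plus port block)
    blocked_ips: set = field(default_factory=set)
    blocked_ports: set = field(default_factory=set)
    executed: list = field(default_factory=list)   # peers whose commands reached the BO server

    def inbound(self, peer, port, proto="udp"):
        """Filter one unsolicited inbound datagram; True if it reaches the host."""
        if peer in self.blocked_ips or port in self.blocked_ports:
            return False         # auto-block countermeasures already in force
        if self.level == "PARANOID":
            return False         # PARANOID drops unsolicited inbound traffic
        if proto == "udp" and port > 1021:
            self.executed.append(peer)   # NERVOUS: UDP ports above 1021 are not filtered
            return True
        return False

    def outbound(self, peer, port, bo_response=False):
        """A reply leaving the host; a detected BO response triggers the auto-block."""
        if bo_response:
            self.blocked_ips.add(peer)
            if self.auto_port_block:
                self.blocked_ports.add(port)
        return True              # the response itself is still transmitted


def run_scenario(level, auto_port_block, port=4000):
    """Replay the advisory's two-client reproduction; port 4000 is a constructed value > 1021."""
    ice = BlackIceModel(level, auto_port_block)
    if ice.inbound("client_a", port):            # first client's command
        ice.outbound("client_a", port, bo_response=True)
    ice.inbound("client_a", port)                # retry from the same IP: now IP-blocked
    ice.inbound("client_b", port)                # second client on another IP
    return ice.executed
```

At NERVOUS the first command always reaches the server before any block is applied, and without the 2.1 port block a second client IP gets through as well; at PARANOID no command is delivered.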

    CREDITS
    Discovered and reported by Mike DeMaria