nahh .. as far as I understood, the exploit works like this:
he builds a connection to the target and sends an icq_header with an origin of UDP 4000, so that the target assumes the header comes from an ICQ v5 server, which produces a buffer overflow (with the right shellcode sent) and makes execution of arbitrary code possible ..
so there is no need to scan for port 4000
what the nasl script does is open the registry of the target by SMB ( script_require_ports(139, 445) ) and compare the registry to the BlackICE string
CODE
if (egrep(string:myread, pattern:"BlackICE Product Version.*(7\.0\.eb[a-h]|3\.6\.e(b[r-z]|c[ab]))")) { # do a warning for smb bug mywarning = string("ISS BlackICE is a personal Firewall/IDS for windows Desktops.
so the only way to scan for it is using this nasl script or porting it to another language and writing your own scanner
hope this helped ..
vnet576
Mar 28 2004, 06:22 PM
I always install vulnerable progs on my computer to try exploits on them.
Installed this crappy prog..older version:
CODE
ISS.BlackICE.PC.Protection.v3.6.cbx
This exploit does not appear to work. The configuration that I used is default, my OS is XP SP0. So unless someone can prove otherwise, this exploit is not legit.
jockel
Mar 28 2004, 06:37 PM
i think you must use icq together with iss, otherwise it's not exploitable
mkwento
Mar 28 2004, 06:57 PM
great job thksssssssssssssssss !!!!!!!!
vnet576
Mar 28 2004, 06:58 PM
Hmm..are you sure? I'll try installing icq along with this to verify that. If that's the case then this exploit is a bust, since u don't find many cases in the wild where icq and blackice are installed on the same computer.
DaClueless
Mar 28 2004, 06:58 PM
QUOTE (night^man @ Mar 28 2004, 05:26 PM)
which port do i need to scan ?!
You can't scan for UDP.. because it's a connectionless protocol.
x1`
Mar 28 2004, 07:26 PM
bah so why isn't it called blackice/icq needed exploit, dam waste of time
night^man
Mar 28 2004, 07:26 PM
so this spoit ..S-U-X
vnet576
Mar 28 2004, 07:55 PM
why do u people react rather than testing it? See, I don't understand this..if all of you had installed and tried this exploit locally we would've figured out if this exploit works or not instead of 3 pages of "how do u scan for this" and "does this exploit work". I'm gonna try this now and I hope that people with other OSes try it as well..for all I know it might only work on win2k or xp sp1 or 2k3, etc.
vnet576
Mar 28 2004, 08:39 PM
Ok, before I tried this I uninstalled the previous instance of blackice and did a system restore to the previous day. Afterwards I tried the exploit with both icq and blackice installed and with icqlite and blackice installed. Neither one resulted in a successful exploit. Anybody have any luck with other OSes?
brOmstar
Mar 28 2004, 09:31 PM
in my opinion icq must not be installed..because bice is a firewall which checks incoming packets before they reach the real application.
The vuln seems to be that bice has an error during the check of icq-udp packets. There is a module called 'PAM' - Protocol Analysis Module. If a packet arrives whose source is UDP port 4000, the PAM thinks it's an icqv5 packet and sends the packet to the function which is vulnerable.
So the buffer overflow occurs before the packet is received by icq.
exploit--->[sends the modified packet]---->firewall.blackice[bufferO]------>icq(should not be necessary)
regarding the first post, it should work on xp cause u can see an xp shell there =)
here's some more info for the people who use brainv1.1
CODE
Vendor: Internet Security Systems
Systems Affected:
RealSecure Network 7.0, XPU 22.11 and before
RealSecure Server Sensor 7.0 XPU 22.11 and before
RealSecure Server Sensor 6.5 for Windows SR 3.10 and before
Proventia A Series XPU 22.11 and before
Proventia G Series XPU 22.11 and before
Proventia M Series XPU 1.9 and before
RealSecure Desktop 7.0 ebl and before
RealSecure Desktop 3.6 ecf and before
RealSecure Guard 3.6 ecf and before
RealSecure Sentry 3.6 ecf and before
BlackICE Agent for Server 3.6 ecf and before
BlackICE PC Protection 3.6 ccf and before
BlackICE Server Protection 3.6 ccf and before
Description:
A critical vulnerability has been discovered in the PAM (Protocol Analysis Module) component used in all current ISS host, server, and network device solutions. A routine within the Protocol Analysis Module (PAM) that monitors ICQ server responses contains a series of stack based buffer overflow vulnerabilities. If the source port of an incoming UDP packet is 4000, it is assumed to be an ICQ v5 server response. Any incoming packet matching this criterion will be forwarded to the vulnerable routine. By delivering a carefully crafted response packet to the broadcast address of a network operating RealSecure/BlackICE agents an attacker can achieve anonymous, remote SYSTEM access across all vulnerable nodes.
Technical Description:
If the PAM ICQ response handling routine receives a SRV_META_USER response the nickname, firstname, lastname, and email address buffers will be assigned a pointer into a general purpose structure. Later in the parent routine each of these buffers will be temporarily copied into a 512 byte stack based buffer without any sanity checking. In order to reach the vulnerable function calls the attacker needs to craft a SRV_MULTI response that contains two embedded response packets, a SRV_USER_ONLINE response and a SRV_META_USER response. If both are supplied then a condition is met and the entire ICQ decoder structure is filled out, and the vulnerable sprintf calls will be followed.
Since UDP is a stateless protocol, most IDS products are incapable of keeping state or record of a concurrent connection. Such a feature would be too costly to the performance of the IDS engine. With this in mind, this flaw can be exploited by sending a single spoofed datagram.
In our test environment we successfully compromised a BlackICE installation with "paranoid" configuration enabled, application protection enabled, file sharing support disabled, and network neighborhood support disabled.
It should be noted that the BlackICE/RealSecure engine listens for packets received on the broadcast interface. This allows the vulnerability to be exploited simultaneously across every vulnerable host within a targeted network by issuing a single, spoofed, UDP datagram.
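Added illustration (not ISS code, not from this thread) of the bug class the advisory describes: four attacker-controlled ICQ meta fields formatted with sprintf into a fixed 512-byte stack buffer, shown next to a bounded version that rejects records that do not fit. The struct name, field names and the format string are assumptions; only the 512-byte buffer and the four fields come from the advisory.

```c
/* Reconstruction of the PAM SRV_META_USER copy as described in the
   advisory: nickname, firstname, lastname and email are formatted into a
   512-byte stack buffer. Names and format string are assumed, not ISS's. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LINE_BUF 512

struct icq_meta_user {            /* assumed layout of the decoded record */
    const char *nickname;
    const char *firstname;
    const char *lastname;
    const char *email;
};

/* Vulnerable shape: sprintf trusts that all four strings fit in 'out'.
   A record whose combined length exceeds the caller's buffer overwrites
   the stack. Kept only for contrast with the bounded version below. */
void format_meta_unsafe(char *out, const struct icq_meta_user *u)
{
    sprintf(out, "%s %s %s <%s>",
            u->nickname, u->firstname, u->lastname, u->email);
}

/* Hardened form: the write is bounded by outlen, and a record that would
   be truncated is treated as malformed. Returns 0 on success, -1 if the
   fields do not fit (the packet should then be dropped, not parsed). */
int format_meta_safe(char *out, size_t outlen, const struct icq_meta_user *u)
{
    int n = snprintf(out, outlen, "%s %s %s <%s>",
                     u->nickname, u->firstname, u->lastname, u->email);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';   /* never leave a partial line behind */
        return -1;
    }
    return 0;
}

/* Returns 1 if the decoded record fits the 512-byte line buffer the
   advisory mentions (i.e. would have been harmless even for sprintf),
   0 if it is exactly the kind of record the vulnerable routine mishandles. */
int meta_fields_fit(const struct icq_meta_user *u)
{
    char line[LINE_BUF];
    return format_meta_safe(line, sizeof line, u) == 0;
}
```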
jockel
Mar 28 2004, 09:42 PM
yeah brOmstar is right .. tested it successfully with a windows 2000 sp2 & ISS.BlackICE.PC.Protection.v3.6 installation ... and got a shell =)
vnet576
Mar 28 2004, 09:45 PM
Really? What was the subversion of blackice that u used? Each blackice has a 3 letter extension after the version (example: .v3.6.cbx).