  1. #1
    Senior Member \/IP3R
    Join Date
    Feb 2003
    Posts
    193

    BlackICE allows local user to become system

    If you look at Task Manager you will note that blackd.exe is running as SYSTEM. After some toying with the GUI we discovered a buffer overflow in the packetLog functionality. The overflow can be triggered with the following .ini options. A 217-character log prefix makes BlackICE blackd crash with the EIP and ECX both overwritten with user-supplied data. We simply run the BlackICE exploit that we prepared for the above condition. Source: http://www.secnetops.com/research. I am including a text file in details which you can also get from the above-mentioned link. But you have to become a member. Enjoy and patch your BlackICE. If possible.

  2. #2
    Just Another Geek SirDice
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Nice find but.... You'll need admin privileges to gain access to the ini, right? I mean, can a "normal" user account edit this ini file? Someone who already has admin rights can gain SYSTEM in a lot simpler ways.

    Maybe the GUI is also vulnerable to a Shatter attack? Then a normal user would be able to gain SYSTEM, making it infinitely more dangerous.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
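
The question raised in post #2 (can a non-admin account write to the ini that the SYSTEM service reads?) can be answered by auditing the file's ACL. The following is an added example, not part of any post in this thread; the path is a placeholder because the thread does not name the file, and the trusted-SID list is an assumed baseline.

```powershell
# Added example. $ConfigPath is a placeholder: the thread does not name the ini file.
$ConfigPath = 'C:\PLACEHOLDER\service-config.ini'

# Rights that allow changing a file's contents or ACL, or (on the parent
# directory) creating, replacing or deleting the file.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# SIDs allowed to modify a SYSTEM service's configuration (assumed baseline).
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'    # BUILTIN\Administrators
)

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        $sid = $ace.IdentityReference
        if ($trustedSids -contains $sid.Value) { continue }

        # Resolve the SID to a name for the report; keep the raw SID if that fails.
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }

        [pscustomobject]@{
            Path      = $Path
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the file and its directory: write access to either lets a
# non-admin control what the service parses.
$targets = @($ConfigPath, (Split-Path -Parent $ConfigPath))
$findings = foreach ($t in $targets) { Get-UntrustedWriter -Path $t }

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'No write-capable Allow ACE for principals outside the trusted list.' }
```

Any row in the output means the configuration of a SYSTEM service sits across a privilege boundary, so a parsing bug in that service becomes a local privilege escalation rather than an admin-to-SYSTEM curiosity.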

  3. #3
    Yes, that's my CC number! 576869746568617
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    That's scary, SirDice.......but that's a good question...is the GUI vulnerable to such a shatter attack......

    Hmmm......Sounds like a good project....I've been terribly bored lately!
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.


  4. #4
    Member Tronic
    Join Date
    Mar 2004
    Posts
    40
    It depends on the policy on the network, SirDice.. but to my knowledge, on all of the networks I've been on I've been able to edit .ini files and write to them.

    Hm...

    /me goes off to test that shatter attack theory.

  5. #5
    Just Another Geek SirDice
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    If users have full access..... you're screwed anyway. No need to do any buffer overflow...

    But there's a bigger problem with BlackIce. This one's a remote overflow:
    http://www.antionline.com/showthread...219#post724599
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Member Tronic
    Join Date
    Mar 2004
    Posts
    40
    Oh wow... that's dangerous.....

  7. #7
    Senior Member S3cur|ty4ng31
    Join Date
    Jun 2003
    Posts
    236
    ISS and F-Secure have sure been in the 'dog house' lately

    I've seen loads of ISS exploits floating around that affect a lot of their systems, and F-Secure has to have lost half its stock by mass emailing a virus to its customers.

    You really need to expect more from these kinds of companies.

    That's why I recommend the open source snort engine
    Source code available and a money back guarantee if you're not 100% satisfied
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  8. #8
    Member Tronic
    Join Date
    Mar 2004
    Posts
    40
    Heh, patch your own exploit, right on lol.

    Ya, that's what I like about Open Source, and I agree. You should expect more of these companies, however, I do follow the notion that there is a vulnerability in about every computer system/program known to man... but they should go through their source beforehand and while their product is out and patch it themselves..

  9. #9
    Junior Member InsidedOut
    Join Date
    Sep 2003
    Posts
    12
    Sigh, speaking of inis ....

    I'm going to have to make this a post, I've been having LOTS of problems lately and I'm sure someone here will know right off...
