
Thread: BlackICE allows local user to become system

  1. #1
    Senior Member
    Join Date
    Feb 2003
    Posts
    193

    BlackICE allows local user to become system

    If you look at Task Manager you will note that blackd.exe is running as SYSTEM. After some toying with the GUI we discovered a buffer overflow in the packetLog functionality. The overflow can be triggered with the following .ini options. A 217-character log prefix makes the BlackICE blackd crash with EIP and ECX both overwritten with user-supplied data. We simply run the BlackICE exploit that we prepared for the above condition. Source: http://www.secnetops.com/research . I am including a text file in the details, which you can also get from the above-mentioned link, but you have to become a member. Enjoy and patch your BlackICE, if possible.
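
    The bug class described in this post, a fixed-size buffer that receives an attacker-controlled INI value with no length check, illustrated as an added example (not blackd.exe code and not the secnetops exploit). The buffer size (64 bytes), the INI key name (`logPrefix`) and the struct layout are assumptions; the struct's `saved_eip` field only stands in for the saved return address that sits above a local buffer on the x86 stack, so the overrun stays inside one object and the demo does not crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PREFIX_MAX 64    /* assumed size of the prefix buffer; not known from the post */
#define CRASH_LEN  217   /* prefix length the post reports as crashing blackd */

/* Stand-in for a stack frame: the local buffer, then a value playing the role
 * of the saved return address (EIP), then slack so the overrun of a
 * CRASH_LEN-byte value lands inside this struct instead of real stack. */
struct frame {
    char     prefix[PREFIX_MAX];  /* offset 0 */
    uint32_t saved_eip;           /* what an attacker wants to overwrite */
    char     slack[CRASH_LEN];
};

/* Constructed INI line "logPrefix=AAAA..." with n 'A's. Caller frees. */
static char *make_line(size_t n)
{
    const char *key = "logPrefix=";
    size_t klen = strlen(key);
    char *line = malloc(klen + n + 1);
    if (!line) return NULL;
    memcpy(line, key, klen);
    memset(line + klen, 'A', n);
    line[klen + n] = '\0';
    return line;
}

/* Return the value part of "key=value", or NULL if the key does not match. */
static const char *ini_value(const char *line, const char *key)
{
    size_t klen = strlen(key);
    if (!line || strncmp(line, key, klen) != 0 || line[klen] != '=')
        return NULL;
    return line + klen + 1;
}

/* Vulnerable pattern: copy until NUL, never checking against PREFIX_MAX.
 * A real strcpy has no bound at all; the sizeof check here exists only so
 * the demonstration never writes outside the struct. Returns the sentinel. */
static uint32_t copy_prefix_unbounded(const char *line)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_eip = 0xDEADBEEFu;
    const char *v = ini_value(line, "logPrefix");
    if (!v) return f.saved_eip;
    char *dst = (char *)&f;          /* prefix[] begins at offset 0 */
    size_t i;
    for (i = 0; v[i] != '\0' && i + 1 < sizeof f; i++)
        dst[i] = v[i];               /* bytes 64..67 clobber saved_eip */
    dst[i] = '\0';
    uint32_t eip;
    memcpy(&eip, &f.saved_eip, sizeof eip);
    return eip;
}

/* Hardened pattern: measure first, reject anything that does not fit,
 * and never truncate silently (a truncated log prefix hides the attempt). */
static int copy_prefix_bounded(const char *line, char out[PREFIX_MAX])
{
    const char *v = ini_value(line, "logPrefix");
    if (!v) return -1;
    size_t len = strlen(v);
    if (len >= PREFIX_MAX) return -1;   /* leave room for the terminator */
    memcpy(out, v, len + 1);
    return 0;
}

/* Sentinel value left after an unbounded copy of an n-byte prefix. */
uint32_t demo_unbounded(size_t n)
{
    char *line = make_line(n);
    uint32_t eip = copy_prefix_unbounded(line);
    free(line);
    return eip;
}

/* 0 if the bounded parser accepts an n-byte prefix, -1 if it rejects it. */
int demo_bounded(size_t n)
{
    char out[PREFIX_MAX];
    char *line = make_line(n);
    int rc = copy_prefix_bounded(line, out);
    free(line);
    return rc;
}

int main(void)
{
    printf("unbounded, 8 bytes:   saved_eip = 0x%08x\n", demo_unbounded(8));
    printf("unbounded, 217 bytes: saved_eip = 0x%08x\n", demo_unbounded(CRASH_LEN));
    printf("bounded,   8 bytes:   rc = %d\n", demo_bounded(8));
    printf("bounded,   217 bytes: rc = %d\n", demo_bounded(CRASH_LEN));
    return 0;
}
```

    With the 217-byte value the sentinel reads 0x41414141, the 'AAAA' that would become the return address on a real stack; the bounded parser rejects the same input before any copy happens. Whoever can write the .ini (the question SirDice raises below) controls that value.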

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Nice find but.... You'll need admin privileges to gain access to the ini, right? I mean, can a "normal" user account edit this ini file? Someone who already has admin rights can gain SYSTEM in a lot of simpler ways.

    Maybe the GUI is also vulnerable to a Shatter attack? Then a normal user would be able to gain SYSTEM, making it infinitely more dangerous.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Yes, that's my CC number! 576869746568617
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    That's scary, SirDice....... but that's a good question... is the GUI vulnerable to such a shatter attack......

    Hmmm...... Sounds like a good project.... I've been terribly bored lately!
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.


  4. #4
    It depends on the policy on the network, SirDice.. but to my knowledge, on all of the networks I've been on I've been able to edit .ini files and write to them.

    Hm...

    /me goes off to test that shatter attack theory.

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    If users have full access..... you're screwed anyway. No need to do any buffer overflow...

    But there's a bigger problem with BlackIce. This one's a remote overflow:
    http://www.antionline.com/showthread...219#post724599
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Oh wow... that's dangerous.....

  7. #7
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    ISS and F-Secure have sure been in the 'dog house' lately.

    I've seen loads of ISS exploits floating around that affect a lot of their systems, and F-Secure has to have lost half its stock by mass emailing a virus to its customers.

    You really need to expect more from these kinds of companies.

    That's why I recommend the open source Snort engine.
    Source code available and a money back guarantee if you're not 100% satisfied.
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  8. #8
    Heh, patch your own exploit, right on lol.

    Yeah, that's what I like about Open Source, and I agree. You should expect more of these companies; however, I do follow the notion that there is a vulnerability in about every computer system/program known to man... but they should go through their source beforehand and while their product is out, and patch it themselves..

  9. #9
    Junior Member
    Join Date
    Sep 2003
    Posts
    12
    Sigh, speaking of inis....

    I'm going to have to make this a post. I've been having LOTS of problems lately and I'm sure someone here will know right off...
