This email contains the results of my preliminary testing on this issue.

This issue has been replicated when either sending or receiving 10,000-byte ping packets when running Black Ice Defender, latest version (2.9.cap). In both cases, a kernel-mode exception was triggered, causing a BSOD. The circumstances differ depending on whether the machine was sending or receiving the packets.

When the sender of the flood is running BID, the machine quickly suffers a BSOD, exception 0x1E, in blackdrv.sys. Exception 0x1E occurs when a kernel-mode exception is not handled, indicating poor coding practice or insufficient testing within a kernel-mode driver.

When a machine running BID is the recipient of the flood, a different kernel-mode exception is seen, again in blackd.sys. STOP 0xD1 indicates that a driver has tried to access pageable or non-existent memory while the process IRQL was high. In at least one instance, the fault was generated by an attempted write to address 0x0 - a common error when coding in C++.

Several points to note about this issue:

1) A 10,000-byte PING flood requires a lot of bandwidth. This attack has not been observed to be successful when using a bandwidth of less than 500 kbit/sec (in each direction - that's 1 mbit/sec of half-duplex traffic). This may affect cable modem users, but is unlikely to affect dial-up users.

2) Nothing is logged by Black Ice about the attack.

3) The exceptions generated are kernel-mode, and do not indicate any kind of buffer overflow. As such, it is extremely unlikely that arbitrary code can be executed.

4) No exceptions were observed in blackd.exe (the Black Ice service) before the kernel-mode crash. This is a kernel-mode issue, not a user-mode one. Again, it is unlikely that this is anything more than a DoS (albeit a fairly nasty one).

5) As far as I can tell so far, stopping the Black Ice service eliminates the issue; uninstalling the driver is not necessary.
<personal rant>
The machine used for this testing has been heavily stressed with a range of applications for several months, and this was the first BSOD it has suffered. People should not be so quick to criticise Microsoft's coding practices when it comes to kernel-mode development; this vulnerability alone shows how a common piece of software can bring any OS to its knees through a flawed kernel-mode driver. Those who say that Windows is unstable should learn how to debug a crashdump and find out for themselves what is truly to blame.
</rant>

Chris

--
Chris Paget
Security Consultant
Defcom Internet Security UK
chris.paget@defcom.com

-----Original Message-----
From: Matt Taylor [mailto:quisit@quest.net]
Sent: 04 February 2002 04:27
To: bugtraq@securityfocus.com
Subject: Vulnerability in Black ICE Defender

The current version of BlackICE Defender (2.9.caq and 2.9.cap) running on a Windows 2000 machine can be remotely crashed using a very basic ping flood. This has been tested with Divine Intervention 2 & 3, Sisoft Sandra Network (LAN) benchmark. Setting the packet size to about 10,000 bytes causes a Blue Screen of Death (or immediate system reboot).

After extensive correspondence with ISS support they basically told me they'd "look into it." They have not responded since 12/21/01 and their newest patch 2.9.caq (released after) does not address this issue.

More details available if requested.

Matt Taylor
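The following is an added illustration of the bug class Chris describes (a kernel packet handler writing through an unchecked NULL pointer when a datagram is larger than the buffer it prepared for, which Windows reports as STOP 0xD1). It is not code from blackdrv.sys or from ISS; the real driver's logic is not public, so the reassembly cache, the MAX_DATAGRAM limit, the fragment layout and every function name here are hypothetical. The fault is emulated so the program runs in user space instead of crashing, and the synthesized 10,000-byte ICMP echo is constructed in-process; no network is involved.

```c
/* Added illustration, not BlackICE/blackdrv.sys code. Models the generic class
 * in the report: a kernel packet handler that writes through an unchecked NULL
 * pointer when a datagram exceeds the buffer it sized for. The CPU fault is
 * emulated here; in a real driver it is STOP 0xD1 at raised IRQL. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_DATAGRAM 8192   /* hypothetical: largest datagram the driver sized its buffer for */
#define FRAG_PAYLOAD 1480   /* IP fragment payload on a 1500-byte MTU link */

enum result { ACCEPTED = 0, DROPPED = 1, KERNEL_FAULT = 2 };

struct reassembly_ctx {
    uint8_t *buf;   /* NULL when no buffer was available for this datagram */
    size_t   cap;
    size_t   len;
};

/* Hypothetical lookup: the driver pre-sizes buffers up to MAX_DATAGRAM and
 * hands back a context with buf == NULL for anything larger. */
static void lookup_ctx(struct reassembly_ctx *ctx, uint8_t *pool, size_t total_len)
{
    ctx->len = 0;
    if (total_len > MAX_DATAGRAM) {
        ctx->buf = NULL;
        ctx->cap = 0;
    } else {
        ctx->buf = pool;
        ctx->cap = MAX_DATAGRAM;
    }
}

/* Stand-in for the CPU: a kernel-mode write through a NULL pointer at raised
 * IRQL is what Windows reports as STOP 0xD1. Here it is reported, not crashed. */
static enum result emulated_copy(uint8_t *base, size_t off, const uint8_t *src, size_t n)
{
    if (base == NULL)
        return KERNEL_FAULT;
    memcpy(base + off, src, n);
    return ACCEPTED;
}

/* Vulnerable pattern: trusts the lookup result and copies unconditionally. */
static enum result copy_fragment_unchecked(struct reassembly_ctx *ctx, size_t off,
                                           const uint8_t *frag, size_t n)
{
    enum result r = emulated_copy(ctx->buf, off, frag, n);
    if (r == ACCEPTED && off + n > ctx->len)
        ctx->len = off + n;
    return r;
}

/* Hardened pattern: validate the context and the fragment bounds before
 * touching memory. An oversized datagram is dropped, so the worst case for a
 * host-based IDS becomes a lost packet rather than a dead machine. */
static enum result copy_fragment_checked(struct reassembly_ctx *ctx, size_t off,
                                         const uint8_t *frag, size_t n)
{
    if (ctx->buf == NULL)
        return DROPPED;
    if (n > ctx->cap || off > ctx->cap - n)   /* overflow-safe form of off + n <= cap */
        return DROPPED;
    enum result r = emulated_copy(ctx->buf, off, frag, n);
    if (r == ACCEPTED && off + n > ctx->len)
        ctx->len = off + n;
    return r;
}

/* Feed a constructed, fragmented ICMP echo of total_len payload bytes through
 * either handler. Fragments are synthesized in-process. */
enum result process_datagram(size_t total_len, int hardened)
{
    static uint8_t pool[MAX_DATAGRAM];
    uint8_t frag[FRAG_PAYLOAD];
    struct reassembly_ctx ctx;
    enum result r = ACCEPTED;

    memset(frag, 0xAB, sizeof frag);   /* constructed payload bytes */
    lookup_ctx(&ctx, pool, total_len);

    for (size_t off = 0; off < total_len && r == ACCEPTED; off += FRAG_PAYLOAD) {
        size_t n = total_len - off < FRAG_PAYLOAD ? total_len - off : FRAG_PAYLOAD;
        r = hardened ? copy_fragment_checked(&ctx, off, frag, n)
                     : copy_fragment_unchecked(&ctx, off, frag, n);
    }
    return r;
}

int main(void)
{
    printf("10000-byte ping, unchecked handler: %d (2 = emulated STOP 0xD1)\n",
           process_datagram(10000, 0));
    printf("10000-byte ping, checked handler:   %d (1 = dropped)\n",
           process_datagram(10000, 1));
    printf("   64-byte ping, unchecked handler: %d (0 = accepted)\n",
           process_datagram(64, 0));
    return 0;
}
```

The point of the checked variant is the one Chris's item 3 implies: a NULL write at high IRQL is a reliable crash but not a memory-corruption primitive, so the fix is a cheap validity check on the reassembly context and the fragment bounds, not a buffer-overflow mitigation. The same check also covers the case where a lookup succeeds but a fragment's offset plus length exceeds the buffer.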