Verified. I set BID (without ICE CAP) to it's paranoid setting, then did the following: root@stonegate:/var/log# ping -f -s 65000 -c 4000 192.168.x.x PING 192.168.x.x (192.168.x.x): 65000 data bytes ............................................................................................................................................ --- 192.168.x.x ping statistics --- 4310 packets transmitted, 4000 packets received, 7% packet loss round-trip min/avg/max = 15.1/22.7/337.7 ms root@stonegate:/var/log# telnet 192.168.x.x 5900 Trying 192.168.x.x... Connected to 192.168.x.x. Escape character is '^]'. RFB 003.003 The system tray icon for BID switched to the blue eyeball shield with the red diagonal slash. Service stopped. I was able to connect to the VNC port. -----Original Message----- From: Stoic forty-four [mailto:stoic44@yahoo.com] Sent: Wednesday, February 06, 2002 12:25 PM To: bugtraq@securityfocus.com Subject: Black ICE Ping Vulnerability Side Note When attempting to replicate the ping vulnerability discovered by Matt Taylor a different outcome was discovered. Rather than the large ping causing the server to blue screen and/or hang the black ice service was actually stopped thus allowing an intruder to gain access to the host. Testing consisted of Black ICE Agent version 3.1eaj generated and deployed by ICE CAP version 3.1. The agent was installed on a Dell 6450 running Windows 2000 SP2 and was running WinVNC 3.3 server in application mode. The Black ICE agent generated was set to use the Paranoid setting in order to prevent any inbound connections. Using VNC viewer from my dektop, I attempted to connect to the VNC server running on the Dell and was blocked. I then issued the command ping -l 65000 -t X.X.X.X, waited 5 seconds, and attempted to connect to the VNC server again and was successful. Upon connecting to the VNC server and gaining access to the desktop, a Black ICE pop up window appeared stating that the Black ICE service has stopped would you like to start it? I chose to start the service again which was successful but did not disconnect my VNC session and as mentioned before did not leave any logs in Black ICE showing anything had occurred. This information would more than likely affect Enterpises that have deployed Black ICE agents and have ICE CAP infrastructure deployed to manage them. I would like to know if anyone else is able to replicate this. Brandon Young __________________________________________________ Do You Yahoo!? Send FREE Valentine eCards with Yahoo! Greetings! http://greetings.yahoo.com
