Re: Vulnerability in Black ICE Defender
From: Swift Griggs <ssgriggs () xexil com>
Date: Tue, 5 Feb 2002 01:50:45 -0600 (CST)

On Mon, 4 Feb 2002, advisories wrote:
> I verified this vulnerability in BlackICE Defender 2.9.can as well.
> The current version of BlackICE Defender (2.9.caq and 2.9.cap) running on a
> Windows 2000 machine can be remotely crashed using a very basic ping flood.

During a product demo around June of 2000 (as best I recall) I was
able to crash Black Ice Defender on NT4 with Mixter's "targa3" (and I
might have been using some of the other "targa" tools). It may be somewhat
hard to reproduce though, since targa3 uses a pseudo-random, contrived
packet generator. I believe the machine was also running some kind of
analysis tool called "Ice Cap" which they claimed (at the time) would be
used to send relevant security-related data back to some kind of central
repository. We also noticed that the machine would start consuming 98%-99%
of the CPU shortly before it BSoD'd, but perhaps 100Mb Ethernet and my
fast machine could explain the high utilization. Unfortunately, I don't
know the version they were running, and thus I don't know if this problem
still exists. However, it seems relevant in light of these recent posts.
Also, I think (again reaching from memory) their software works with NDIS,
so it might be useful to know what NDIS driver the target boxes were
using. Just a thought.