Subject: Black ICE Ping Vulnerability Side Note From: Stoic forty-four Date: 2002-02-06 17:24:57 Key Information: Vulnerability Discovered: An issue discovered related to Black ICE Ping Vulnerability when attempting to replicate an attack described by Matt Taylor. Outcome: Instead of a large ping causing the server to blue screen or hang the Black ICE service, the service was actually stopped, allowing potential intruder access to the host. Test Configuration: - Black ICE Agent Version: 3.1eaj - ICE CAP Version: 3.1 - Operating System: Windows 2000 SP2 on a Dell 6450 - Other Software: WinVNC 3.3 server in application mode - Black ICE Settings: Paranoid mode to prevent inbound connections Testing Process: - Initial VNC connection attempt was blocked. - Issued command . - After waiting 5 seconds, a successful VNC connection was made. Observations: - Upon connecting via VNC and accessing the desktop, a Black ICE pop-up indicated that the Black ICE service had stopped and asked if the service should be restarted. - Restarting the service was successful but did not disconnect the VNC session. - No logs were left in Black ICE showing the event had occurred. Impact: This vulnerability likely affects enterprises that have deployed Black ICE agents and ICE CAP infrastructure, allowing remote access to the system under certain conditions without logging the event. Author: Brandon Young Note: The author expresses interest in knowing if others can replicate this finding.