Re: [Full-Disclosure] ISS BlackIce Server Protect Unprivileged User Attack
From: kf_lists (kf_listssecnetops.com)
Date: Tue Aug 10 2004 - 06:29:25 CDT
The fact that the .ini files are Everyone Full Control was pointed out
by us when we released SRT2004-01-17-0227.
ISS said something along the lines of Windows is not commonly deployed
as a multi-user system and ... thus it is not a problem... (this of
course was in regards to the local overflow that was able to be
triggered because of the fact that their .ini files were world writable).
I have heard that since then BlackICE now incorporates .ini file
encryption... I am not sure if they ever corrected the permissions though.
Thomas Ryan wrote:
>August 11, 2004
>Internet Security Systems
>BlackIce Server Protect 3.6cno and below
>Remotely Executable from Local and Trusted Networks
>Unprivileged User Attack
>Unprivileged User Attack was originally posted Aug 11, 2004, to BugTraq by
>Paul Craig - Pimp Industries.
>On Aug 11, 2004 further analysis by Thomas Ryan found the vulnerability to
>affect blackice.ini, sigs.ini, protect.ini not just firewall.ini as
>originally reported. Furthermore, research has shown BlackIce was vulnerable
>from any IP address listed in blackice.ini, not just local attacks.
>exclude.address=192.168.0.1 192.168.0.2 192.168.0.3
>When BlackIce is installed to <drive>:\Program Files\ISS\BlackIce all 4 .ini
>files are installed by default with ACLs of EVERYONE\FULL CONTROL. This
>allows any trusted or local unprivileged user to remove or modify the
>BlackIce firewall rule set.
>Review the Modifiable parameters (Let Your Mind Be Creative)
>events.tab.set=SEVICON TIME EVENT INTRUDER COUNT
>intruders.tab.set=SEVICON BLKSTATE INTRUDER
>exclude.address=192.168.69.1 192.168.0.2 192.168.0.3
>auto-blocking = enabled, 2000, BIgui
>protection.SecurityLevel = nervous, 2000, BIgui
>tunnel.dns = enabled, 0, unknown
>tunnel.ftpserver = enabled, 0, unknown
>protection.SecurityLevel.state = nervous, 4000, auto
>;action, IP/port, name, whenSet, whenExpire, precedence, whoSet
>[MANUAL IP ACCEPT]
>ACCEPT, 192.168.69.1,, 2004-08-11 19:52:13, PERPETUAL, 2000, BIgui
>ACCEPT, 192.168.69.2,, 2004-08-11 19:52:42, PERPETUAL, 2000, BIgui
>[MANUAL ICMP ACCEPT]
>[MANUAL UDP low REJECT]
>REJECT, 0 - 1023, Default UDP low, 2004-08-11 19:53:19, PERPETUAL, 1000,
>ACCEPT, 137, NETBIOS Name Service, 2004-08-11 19:53:19, PERPETUAL, 2000,
>ACCEPT, 138, NETBIOS Datagram Service, 2004-08-11 19:53:19, PERPETUAL, 2000,
>[MANUAL UDP high ACCEPT]
>ACCEPT, 1024 - 65535, Default UDP high, 2004-08-11 19:53:19, PERPETUAL,
>[MANUAL TCP low REJECT]
>REJECT, 0 - 1023, Default TCP low, 2004-08-11 19:53:19, PERPETUAL, 1000,
>ACCEPT, 113, default, 1999-07-19 20:50:26, PERPETUAL, 2000, unknown
>ACCEPT, 139, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
>ACCEPT, 445, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
>[MANUAL TCP high REJECT]
>REJECT, 1024 - 65535, Default TCP high, 2004-08-11 19:53:19, PERPETUAL,
>Remove The Everyone\Full Control ACL from the blackice.ini, firewall.ini,
>protect.ini and sigs.ini files. Before doing so, ensure that Administrators
>and System have FULL CONTROL.
>Another Key Note:
>Backup the blackice.ini, firewall.ini, protect.ini and sigs.ini before each
>After using UpdateBIDServer.exe ALWAYS VALIDATE THE PERMISSIONS, the default
>permissions are ALWAYS RESET.
>Discovered By: Thomas Ryan
>Copyright (c) 2004 Provide Security
>Permission is hereby granted for the redistribution of this alert
>electronically. It is not to be edited in any way without the expressed
>written consent of Provide Security. If you wish to reprint the whole or any
>part of this advisory in any other medium excluding electronic medium,
>please email secalertprovidesecurity.com for permission.
>The information within this paper may change without notice. Use of this
>information constitutes acceptance for use in an AS IS condition. There are
>no warranties, implied or express, with regard to this information. In no
>event shall the author be liable for any direct or indirect damages
>whatsoever arising out of or in connection with the use or spread of this
>information. Any use of this information is at the user's own risk.
>Full-Disclosure - We believe in it.
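The advisory's remedy is a manual ACL edit that, by its own account, is undone every time UpdateBIDServer.exe runs. The script below is an added example (not code from the advisory, from Provide Security or from ISS) that turns that remedy into a repeatable check: it audits the four .ini files named above for Allow ACEs granting Everyone (SID S-1-1-0) write, delete or permission-change rights, and with the hypothetical -Fix switch applies the advisory's fix in the advisory's order (first guarantee Administrators and SYSTEM Full Control, then drop the Everyone ACE). The default install path is the one quoted in the advisory; the -Fix switch and the function names are this example's own.

```powershell
<#
  Added example, not part of the advisory or of ISS's tooling.
  Audits the BlackICE .ini files for Everyone/write ACEs and, with -Fix,
  applies the advisory's remedy. Assumptions: default install path from
  the advisory; -Fix switch and function names are hypothetical.
#>
param(
    [string]$InstallDir = (Join-Path $env:ProgramFiles 'ISS\BlackIce'),
    [switch]$Fix
)

$IniFiles = 'blackice.ini', 'firewall.ini', 'protect.ini', 'sigs.ini'
$Everyone = [System.Security.Principal.SecurityIdentifier] 'S-1-1-0'      # Everyone
$Admins   = [System.Security.Principal.SecurityIdentifier] 'S-1-5-32-544' # BUILTIN\Administrators
$System   = [System.Security.Principal.SecurityIdentifier] 'S-1-5-18'     # NT AUTHORITY\SYSTEM

# Rights that let a caller rewrite the rule set or the ACL itself. Tested as a
# bitmask so that Modify and FullControl, which contain these bits, match too.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Test-EveryoneWriteAce {
    # True when the ACE is an Allow entry for Everyone carrying any bit of $WriteMask.
    param([System.Security.AccessControl.FileSystemAccessRule] $Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    try {
        $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        return $false   # unresolvable account: not Everyone
    }
    return ($sid.Value -eq $Everyone.Value) -and
           (([int]$Ace.FileSystemRights -band $WriteMask) -ne 0)
}

function Get-BlackIceIniAudit {
    param([string] $Dir, [switch] $Repair)
    foreach ($name in $IniFiles) {
        $path = Join-Path $Dir $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Present = $false; EveryoneWritable = $null; WeakAces = ''; Repaired = $false }
            continue
        }
        $acl  = Get-Acl -LiteralPath $path
        $weak = @($acl.Access | Where-Object { Test-EveryoneWriteAce $_ })
        $repaired = $false
        if ($Repair -and $weak.Count -gt 0) {
            # Stop inheriting from the directory but keep the inherited ACEs as
            # explicit ones, so an inherited Everyone ACE can actually be purged.
            $acl.SetAccessRuleProtection($true, $true)
            # Advisory order: make sure Administrators and SYSTEM keep Full Control
            # before the Everyone entry is removed.
            foreach ($sid in @($Admins, $System)) {
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', 'Allow')
                $acl.AddAccessRule($rule)
            }
            $acl.PurgeAccessRules($Everyone)
            Set-Acl -LiteralPath $path -AclObject $acl
            $repaired = $true
        }
        [pscustomobject]@{
            Path             = $path
            Present          = $true
            EveryoneWritable = ($weak.Count -gt 0)
            WeakAces         = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
            Repaired         = $repaired
        }
    }
}

Get-BlackIceIniAudit -Dir $InstallDir -Repair:$Fix | Format-Table -AutoSize
```

Run it without -Fix to report, and with -Fix from an elevated prompt to repair; since the advisory states that UpdateBIDServer.exe resets the default permissions, the report-only run belongs after every update, and the EveryoneWritable column is the value worth alerting on.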