[Full-Disclosure] BlackICE PC Protection Cross Site Scripting Evasion

From: Marc Ruef (marc.ruef_at_computec.ch)
Date: 06/14/03

    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, news@securiteam.com, submissions@packetstormsecurity.org
    Date: Sat, 14 Jun 2003 15:25:29 +0200
    
    

    Hi!

    I have been using BlackICE PC Protection (formerly known as BlackICE Defender)
    for a very long time[1, 2]. It is one of my favorite host-based intrusion
    detection systems and personal firewalls for Windows.

    During some tests for a paper on cross site scripting I've seen that
    there is an evasion possibility in BlackICE PC Protection. If I make
    such a request with a GET or POST method, the cross site scripting is
    possible but I get an alert[3]:

    > [Unauthorized Access Attempt] This signature detects if an HTTP GET
    > request contains a 'script' tag.

    It seems that BlackICE PC Protection doesn't check HEAD, PUT, DELETE,
    and TRACE requests for the <script> pattern. So it is possible to evade
    the check with a successful cross site scripting attempt over PUT or
    DELETE. That's because these two are the only request methods that let
    me implant an arbitrary script. This is not a really critical issue,
    but good to know.

    I checked this with BlackICE PC Protection 3.6cbd and Apache 1.3.27. If
    I push the "Event Info" button I get the page
    http://www.iss.net/security_center/reference/2000640.html. It states
    there that other ISS products have this security check too:

    - BlackICE Agent for Server
    - BlackICE PC Protection
    - BlackICE Server Protection
    - RealSecure Desktop Protector
    - RealSecure Guard
    - RealSecure Network Sensor
    - RealSecure Sentry
    - RealSecure Server Sensor

    I can't say definitively that these products are affected too. It may be
    possible.

    My suggestion is to extend the pattern matching to the other possible
    HTTP request methods as well, especially PUT and DELETE. For example,
    my Snort host is not affected by such an evasion[4]:

    --- cut ---

    debian:/etc/snort/rules# head web-misc.rules
    # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    # All rights reserved.
    # $Id: web-misc.rules,v 1.92.2.2 2003/02/07 22:05:16 cazz Exp $
    #---------------
    # WEB-MISC RULES
    #---------------

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497; rev:6;)
    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting \(img src=javascript\) attempt"; flow:to_server,established; content:"img src=javascript"; nocase; classtype:web-application-attack; sid:1667; rev:4;)
    [...]

    --- cut ---

    I informed Internet Security Systems (ISS) about this flaw. I sent my
    suggestion on Sat, 10 May 2003 11:51:07 +0200 to
    support-L1@networkice.com and support@iss.net.

    Bye, Marc

    [1] http://www.iss.net
    [2]
    http://www.computec.ch/dokumente/firewalling/desktop-firewalls/desktop-firewalls.html
    [3] http://www.cgisecurity.com/articles/xss-faq.shtml
    [4] http://www.snort.org

    -- 
    Computers, Technology and Security               http://www.computec.ch/
    "All technology is a Faustian bargain with the devil."
               Neil Postman, American sociologist and media critic
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
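The gap described in the post, modelled as an added example (not Marc's code, nor ISS's or Snort's): a method-limited script-tag check next to a content match in the spirit of Snort sid:1497, which inspects the client payload whatever the request method. The sample requests are constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample requests (not taken from the original post). Each carries a
# <script> tag in the URI or body; "BENIGN" is a PUT with no script tag at all.
SAMPLE_REQUESTS: Dict[str, bytes] = {
    "GET": b"GET /search?q=<script>alert(1)</script> HTTP/1.0\r\nHost: x\r\n\r\n",
    "POST": (b"POST /comment HTTP/1.0\r\nHost: x\r\nContent-Length: 25\r\n\r\n"
             b"body=<script>x()</script>"),
    "PUT": (b"PUT /upload/t.html HTTP/1.0\r\nHost: x\r\nContent-Length: 25\r\n\r\n"
            b"<ScRiPt>alert(1)</ScRiPt>"),
    "DELETE": b"DELETE /x/<script>alert(1)</script> HTTP/1.0\r\nHost: x\r\n\r\n",
    "HEAD": b"HEAD /<script>alert(1)</script> HTTP/1.0\r\nHost: x\r\n\r\n",
    "BENIGN": b"PUT /notes.txt HTTP/1.0\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello",
}

# Same case-insensitive literal as the Snort rule (content:"<SCRIPT>"; nocase;).
SCRIPT_TAG = re.compile(rb"<script>", re.IGNORECASE)

def method_of(req: bytes) -> str:
    """Return the HTTP method from the request line."""
    return req.split(b" ", 1)[0].decode("ascii", "replace")

def method_limited_check(req: bytes) -> bool:
    """Models the behaviour the post reports: only GET and POST requests are
    inspected for the script tag, so HEAD/PUT/DELETE/TRACE are never examined."""
    if method_of(req) not in ("GET", "POST"):
        return False
    return SCRIPT_TAG.search(req) is not None

def content_check(req: bytes) -> bool:
    """Models the Snort rule: match the payload regardless of request method."""
    return SCRIPT_TAG.search(req) is not None

def evaluate(requests: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """Map each request name to (method_limited_alert, content_alert)."""
    return {name: (method_limited_check(r), content_check(r))
            for name, r in requests.items()}

def evaded(requests: Dict[str, bytes]) -> List[str]:
    """Requests the method-limited check misses but the content check catches."""
    return [n for n, (m, c) in evaluate(requests).items() if c and not m]

if __name__ == "__main__":
    for name, (m, c) in evaluate(SAMPLE_REQUESTS).items():
        print(f"{name:7s} method-limited={m!s:5s} content={c}")
    print("evaded:", evaded(SAMPLE_REQUESTS))
```

Both checks here match the raw payload, as the quoted rule does; URL-encoded variants of the tag would need decoding before matching.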
    
