[NT] BlackIce Server Protect Unprivileged User Attack

From: SecuriTeam (support_at_securiteam.com)
Date: 08/17/04

    To: list@securiteam.com
    Date: 17 Aug 2004 17:37:55 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      BlackIce Server Protect Unprivileged User Attack
    ------------------------------------------------------------------------

    SUMMARY

    " <http://blackice.iss.net/> BlackICE teams a personal firewall with an
    advanced intrusion detection system to constantly watch your Internet
    connection for suspicious behavior. BlackICE responds immediately by
    alerting you to trouble and instantly blocking the threat."

    Due to insecure access control restrictions on the firewall's initialization
    files, an unprivileged user is able to either subvert the normal operation
    of the firewall or disable it completely.

    DETAILS

    Vulnerable Systems:
     * BlackICE Server Protect version 3.6cno

    When BlackICE is installed, several important initialization files are
    created which control the behavior of the firewall. The files in question
    are:
     * firewall.ini
     * blackice.ini
     * protect.ini
     * sigs.ini

    When BlackICE is installed to :\Program Files\ISS\BlackIce, all four .ini
    files are installed by default with an ACL granting EVERYONE\FULL CONTROL.
    This allows any trusted or local unprivileged user to remove or modify the
    BlackICE firewall rule set. Naturally, the ACL restrictions apply only on
    an NTFS file system. It is also possible to prevent the firewall from
    running at all by simply inserting an overly long firewall rule.
    Example:
    REJECT, 138, default, 1999-07-22 20:26:53, AAAAAAAAAAAAAAAAA.... , 2000, unknown

    (Approximately 1000 A's)

    This will cause BlackICE to crash when it is next restarted, but no
    message, popup or warning is displayed to the user; even the 'eye' in the
    taskbar will fail to load, giving the user no indication that the firewall
    is not running. The implication is rather straightforward: an
    unprivileged user is able to completely subvert the firewall without
    modifying any existing rules. This is extremely hard to detect because even
    the logs contain no entry for the crash.
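
    Because the crash described above leaves no log entry, one practical defensive
    check is to validate firewall.ini itself before the service restarts. The
    script below is an added example written for this edit; it is not part of
    the advisory or of the BlackICE product. It parses only the rule sections
    (those whose names start with MANUAL, laid out as the advisory's comment
    line "action, IP/port, name, whenSet, whenExpire, precedence, whoSet"
    describes) and flags any rule with the wrong number of fields or with a
    field longer than a threshold. The install path and the 256-character
    threshold are assumptions; adjust them to the deployment.

```powershell
# Added example (not from the advisory or the vendor): scan a BlackICE
# firewall.ini for rule lines whose fields are implausibly long or malformed,
# the tampering pattern the advisory describes as crashing the firewall
# silently on restart. The path and the threshold below are assumed values.
param(
    [string]$IniPath = 'C:\Program Files\ISS\BlackIce\firewall.ini',
    [int]$MaxFieldLength = 256
)

$section  = ''
$lineNo   = 0
$findings = @()

foreach ($line in Get-Content -LiteralPath $IniPath) {
    $lineNo++
    $trimmed = $line.Trim()
    if ($trimmed -eq '' -or $trimmed.StartsWith(';')) { continue }   # blank line or comment

    if ($trimmed -match '^\[(.+)\]$') {                                # [SECTION] header
        $section = $Matches[1]
        continue
    }

    # Only the rule sections use the seven-field comma layout; [PARMS] is key = value.
    if ($section -notlike 'MANUAL *') { continue }

    $fields = $trimmed -split ','
    if ($fields.Count -ne 7) {
        $findings += [pscustomobject]@{
            Line = $lineNo; Section = $section
            Problem = "expected 7 fields, found $($fields.Count)"
        }
    }
    for ($i = 0; $i -lt $fields.Count; $i++) {
        $len = $fields[$i].Trim().Length
        if ($len -gt $MaxFieldLength) {
            $findings += [pscustomobject]@{
                Line = $lineNo; Section = $section
                Problem = "field $i is $len characters long (limit $MaxFieldLength)"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No malformed rules found in $IniPath"
    exit 0
}
$findings | Format-Table -AutoSize
exit 1      # non-zero so a scheduled task or monitoring agent can alert on it
```

    Run it as a scheduled task or from a login script and alert on a non-zero
    exit code. Note that it checks the file's contents only; it says nothing
    about whether the firewall process is actually running, so pair it with
    whatever service monitoring the environment already has.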

    Furthermore, research has shown that BlackICE was vulnerable from any IP
    address listed in blackice.ini, not just to local attacks:
    Blackice.ini
    [Exclude Address]
    exclude.address=192.168.0.1 192.168.0.2 192.168.0.3

    Other examples of the .ini files that can be modified are shown below, each
    by its local path and by the equivalent path through the administrative
    share:
    C:\Program Files\ISS\BlackIce\BlackIce.ini
    \\vuln-server\C$\Program Files\ISS\BlackIce\BlackIce.ini

    [Back Trace]
    backTrace.nbnodestatus=enabled
    [IDS]
    java.parsing=off
    http.postscan=on
    http.urllimits=on
    [Generic]
    report.connections=disabled
    [Settings]
    view.events.threshold=informational
    events.tab.set=SEVICON TIME EVENT INTRUDER COUNT
    intruders.tab.set=SEVICON BLKSTATE INTRUDER
    file.lock=true
    [Exclude Address]
    exclude.address=192.168.69.1 192.168.0.2 192.168.0.3
    [Trusting]
    trust.issue=
    trust.pair=
    [Evidence Logging]
    evidence.logging=disabled
    evidence.fileprefix=evd
    evidence.maxKbytes=1400
    evidence.maxfiles=32

    C:\Program Files\ISS\BlackIce\firewall.ini
    \\vuln-server\C$\Program Files\ISS\BlackIce\firewall.ini

    [PARMS]
    auto-blocking = enabled, 2000, BIgui
    protection.SecurityLevel = nervous, 2000, BIgui
    tunnel.dns = enabled, 0, unknown
    tunnel.ftpserver = enabled, 0, unknown
    protection.SecurityLevel.state = nervous, 4000, auto
    ;action, IP/port, name, whenSet, whenExpire, precedence, whoSet
    [MANUAL IP ACCEPT]
    ACCEPT, 192.168.69.1,, 2004-08-11 19:52:13, PERPETUAL, 2000, BIgui
    ACCEPT, 192.168.69.2,, 2004-08-11 19:52:42, PERPETUAL, 2000, BIgui
    [MANUAL ICMP ACCEPT]
    [MANUAL UDP low REJECT]
    REJECT, 0 - 1023, Default UDP low, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui
    ACCEPT, 137, NETBIOS Name Service, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
    ACCEPT, 138, NETBIOS Datagram Service, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui

    [MANUAL UDP high ACCEPT]
    ACCEPT, 1024 - 65535, Default UDP high, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui

    [MANUAL TCP low REJECT]
    REJECT, 0 - 1023, Default TCP low, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui
    ACCEPT, 113, default, 1999-07-19 20:50:26, PERPETUAL, 2000, unknown
    ACCEPT, 139, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
    ACCEPT, 445, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui

    [MANUAL TCP high REJECT]
    REJECT, 1024 - 65535, Default TCP high, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui

    Workaround
    Remove the Everyone\Full Control ACL from the blackice.ini, firewall.ini,
    protect.ini and sigs.ini files. Before doing so, ensure that
    Administrators and System have FULL CONTROL. Back up blackice.ini,
    firewall.ini, protect.ini and sigs.ini before each update. After using
    UpdateBIDServer.exe ALWAYS VALIDATE THE PERMISSIONS, because the default
    permissions are ALWAYS RESET.
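
    The workaround above is easy to get wrong by hand (dropping Everyone before
    Administrators and System are granted access locks everyone out) and, as the
    advisory notes, has to be repeated after every update. The script below is
    an added example written for this edit, not the vendor's tool or the
    advisory's own procedure. It audits the four files for an Everyone ACE that
    carries write rights and, when run with -Fix, first adds explicit Full
    Control for Administrators and SYSTEM (plus read access for Users, an
    assumption about what the GUI needs), then removes the Everyone entries and
    blocks inheritance so the parent directory cannot re-widen the ACL. The
    install directory is an assumed default.

```powershell
# Added example (not from the advisory or the vendor): audit the four BlackICE
# .ini files for the EVERYONE\FULL CONTROL grant and optionally replace it.
# Must run elevated; the install directory below is an assumed default.
param(
    [string]$InstallDir = 'C:\Program Files\ISS\BlackIce',
    [switch]$Fix
)

$iniFiles = 'blackice.ini', 'firewall.ini', 'protect.ini', 'sigs.ini'

# Well-known SIDs, so the comparison does not depend on the display language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$admins   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$system   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$users    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$sidType  = [System.Security.Principal.SecurityIdentifier]
$writeBit = [System.Security.AccessControl.FileSystemRights]::Write

foreach ($name in $iniFiles) {
    $path = Join-Path $InstallDir $name
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "missing: $path"; continue }

    $acl  = Get-Acl -LiteralPath $path
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate($sidType) -eq $everyone -and
        ([int]($_.FileSystemRights -band $writeBit)) -ne 0     # any write right, incl. FullControl
    }
    if (-not $weak) { Write-Output "OK    $path"; continue }

    Write-Output "WEAK  $path  (Everyone can write to this file)"
    if (-not $Fix) { continue }

    # Grant the administrative principals FIRST, as the advisory's workaround requires.
    foreach ($grant in @(@($admins, 'FullControl'), @($system, 'FullControl'), @($users, 'ReadAndExecute'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($grant[0], $grant[1], 'Allow')
        $acl.AddAccessRule($rule)
    }

    # Stop inheriting from the directory (discarding inherited ACEs), then drop any
    # explicit Everyone entries that remain.
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access |
        Where-Object { $_.IdentityReference.Translate($sidType) -eq $everyone } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    Set-Acl -LiteralPath $path -AclObject $acl
    Write-Output "FIXED $path"
}
```

    Run it without -Fix as the permission validation step the advisory calls
    for after UpdateBIDServer.exe, and with -Fix to remediate. Take the backup
    of the four files the advisory recommends before the first run, since
    restoring from backup with a tool that recreates the files will also recreate
    the default permissions.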

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:tommy@providesecurity.com>
    Thomas Ryan.
    The original article can be found at:
    <http://www.providesecurity.com/research/advisories/08112004-1.asp>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
