
BlackICE unprivileged local user attack



                Pimp industries.
   "Its all about the Bling, B^!%@s and Fame!"

     BlackICE PC protection / Server Protection
     Tested on version v3.6.cno
     Unprivileged local user disabling anyone from using BlackICE

           (C) Paul Craig - Pimp Industries 2004


Background
-------------
BlackICE is a firewall developed by ISS. It suffers from a local attack in
which any user with access to the server can modify firewall.ini and insert
a corrupted firewall rule. On the next restart BlackICE (blackice.exe and
blackd.exe) will crash; the applications catch the exception but fail to
load.
This leaves the firewall disabled for any user who attempts to run it.

Exploit:
-------------
When BlackICE is installed, a file called firewall.ini is placed in
C:\Program Files\ISS\Blackice; by default the ACLs on this file grant
EVERYONE full control.
This allows any unprivileged local user to remove or modify the BlackICE
firewall rules. An attacker who wanted to be sneakier could, with a simple
guest account, stop the firewall from running at all by inserting an overly
long firewall rule such as the one below.


REJECT, 138, default, 1999-07-22 20:26:53, AAAAAAAAAAAAAAAAA.... , 2000,
unknown

(Approx. 1000 A's)

This will cause BlackICE to crash the next time it is restarted, but no
message, popup or warning is displayed to the user; even the 'eye' in the
taskbar fails to load, giving the user no indication that the firewall is
not running.
The victim of this attack would simply think the firewall was 'corrupted'
or somehow broken if they attempted to start it by hand, and unless they
were smart enough to edit firewall.ini by hand they would probably
re-install BlackICE, if they even noticed it was no longer running in the
first place.

Although this is not a major flaw, it does give an unprivileged local user
a sneaky way of disabling the firewall without obviously removing the
rules. This can then be used to exploit other daemons running on the
desktop or server that the firewall previously protected. The cause of the
crash is hard to diagnose for the average internet user, and by default
nothing about it is written to any of the BlackICE logs.

Suggestions/Work Around:
-------------
Change the ACLs on firewall.ini so that EVERYONE no longer has full control.
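The following script is an added example, not part of the original advisory or of ISS's own tooling. It audits firewall.ini for broad write access and, with -Fix, replaces the ACL with an explicit restrictive one. It assumes the default install path quoted above, English principal names, and that blackd.exe runs as LocalSystem (if BlackICE runs under another service account, grant that account instead).

```powershell
# Added example: audit firewall.ini for over-permissive ACEs and optionally
# rewrite the ACL so that only SYSTEM and Administrators can modify it.
param(
    [string]$IniPath = 'C:\Program Files\ISS\Blackice\firewall.ini',  # path from the advisory
    [switch]$Fix
)

$acl = Get-Acl -LiteralPath $IniPath

# Any of these rights lets a caller alter the rule set.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

# Principals that include unprivileged or guest users (assumed English names).
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Guests')

$bad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($broad -contains $_.IdentityReference.Value) -and
    (($_.FileSystemRights -band $writeMask) -ne 0)
}

if (-not $bad) {
    Write-Host "OK: no broad write access on $IniPath"
    return
}

$bad | ForEach-Object {
    Write-Warning ("{0} holds {1} on firewall.ini" -f $_.IdentityReference, $_.FileSystemRights)
}

if ($Fix) {
    # Stop inheriting from the directory (the usual source of EVERYONE:F),
    # discard inherited entries, then remove any explicit ones that remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    # Assumed: the BlackICE service runs as LocalSystem; users only need read.
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', 'ReadAndExecute', 'Allow')
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -LiteralPath $IniPath -AclObject $acl
    Write-Host "Hardened ACL written to $IniPath"
}
```

Run it without -Fix first from an elevated prompt to see which principals currently hold write access before changing anything.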


Company status
---------------
Pimp Industries is a privately owned New Zealand based security research
company.
If you would like to contact Pimp Industries to discuss any nature of
business, please email us at headpimp@xxxxxxxxxxxxxxxxxxxx


Personal Hellos to
-------------------
Pinky, Mark Burnette, Security-Assessment.com and everyone from .nz

Paul Craig
Head Pimp, Security Researcher
Pimp Industries
"Move fast, think faster"