
ISS BlackIce Server Protect Unprivileged User Attack



Release Date:
August 11, 2004

Severity:
Medium

Vendor:
Internet Security Systems

Software:
BlackIce Server Protect 3.6cno and below

Remote:
Remotely Executable from Local and Trusted Networks

Vulnerabilities:
Unprivileged User Attack

Technical Details:
The Unprivileged User Attack was originally posted to BugTraq on Aug 11, 2004 by
Paul Craig - Pimp Industries.

On Aug 11, 2004 further analysis by Thomas Ryan found the vulnerability to
affect blackice.ini, sigs.ini and protect.ini, not just firewall.ini as
originally reported. Furthermore, research has shown BlackIce was vulnerable
from any IP address listed in blackice.ini, not just to local attacks.

Blackice.ini
[Exclude Address]
exclude.address=192.168.0.1 192.168.0.2 192.168.0.3

When BlackIce is installed to <drive>:\Program Files\ISS\BlackIce, all four .ini
files are installed by default with an ACL of EVERYONE\FULL CONTROL. This
allows any trusted or local unprivileged user to remove or modify the
BlackIce firewall rule set.

Examples:

Review the Modifiable parameters (Let Your Mind Be Creative)

C:\Program Files\ISS\BlackIce\BlackIce.ini
\\vuln-server\C$\Program Files\ISS\BlackIce\BlackIce.ini

[Back Trace]
backTrace.nbnodestatus=enabled
[IDS]
java.parsing=off
http.postscan=on
http.urllimits=on
[Generic]
report.connections=disabled
[Settings]
view.events.threshold=informational
events.tab.set=SEVICON TIME EVENT INTRUDER COUNT 
intruders.tab.set=SEVICON BLKSTATE INTRUDER 
file.lock=true
[Exclude Address]
exclude.address=192.168.69.1 192.168.0.2 192.168.0.3
[Trusting]
trust.issue=
trust.pair=
[Evidence Logging]
evidence.logging=disabled
evidence.fileprefix=evd
evidence.maxKbytes=1400
evidence.maxfiles=32


C:\Program Files\ISS\BlackIce\firewall.ini
\\vuln-server\C$\Program Files\ISS\BlackIce\firewall.ini

[PARMS]
auto-blocking = enabled, 2000, BIgui
protection.SecurityLevel = nervous, 2000, BIgui
tunnel.dns = enabled, 0, unknown
tunnel.ftpserver = enabled, 0, unknown
protection.SecurityLevel.state = nervous, 4000, auto
;action, IP/port, name, whenSet, whenExpire, precedence, whoSet
[MANUAL IP ACCEPT]
ACCEPT, 192.168.69.1,, 2004-08-11 19:52:13, PERPETUAL, 2000, BIgui
ACCEPT, 192.168.69.2,, 2004-08-11 19:52:42, PERPETUAL, 2000, BIgui
[MANUAL ICMP ACCEPT]
[MANUAL UDP low REJECT]
REJECT, 0 - 1023, Default UDP low, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui
ACCEPT, 137, NETBIOS Name Service, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
ACCEPT, 138, NETBIOS Datagram Service, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
[MANUAL UDP high ACCEPT]
ACCEPT, 1024 - 65535, Default UDP high, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui
[MANUAL TCP low REJECT]
REJECT, 0 - 1023, Default TCP low, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui
ACCEPT, 113, default, 1999-07-19 20:50:26, PERPETUAL, 2000, unknown
ACCEPT, 139, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
ACCEPT, 445, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
[MANUAL TCP high REJECT]
REJECT, 1024 - 65535, Default TCP high, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui


Recommended Fix:
Remove The Everyone\Full Control ACL from the blackice.ini, firewall.ini,
protect.ini and sigs.ini files. Before doing so, ensure that Administrators
and System have FULL CONTROL.

Another Key Note:
Backup the blackice.ini, firewall.ini, protect.ini and sigs.ini before each
update.
After using UpdateBIDServer.exe, ALWAYS VALIDATE THE PERMISSIONS; the default
permissions are ALWAYS RESET.
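The following PowerShell script is an added example, not part of the original advisory, that audits the four .ini files for the Everyone write access described above and, with -Fix, applies the Recommended Fix (remove the Everyone ACE, grant Administrators and SYSTEM Full Control). It assumes the default install path given in the advisory and identifies principals by well-known SID; run it without -Fix as the permission check recommended after each UpdateBIDServer.exe run.

```powershell
# Added audit/remediation script for the advisory's fix; not part of the original post.
# Assumptions: default install path below, and that BUILTIN\Administrators and
# SYSTEM are the only principals that should be able to write the .ini files.
param(
    [string]$Base = 'C:\Program Files\ISS\BlackIce',
    [switch]$Fix   # without -Fix the script only reports
)

$iniFiles = 'blackice.ini', 'firewall.ini', 'protect.ini', 'sigs.ini'
# Well-known SIDs, so the check does not depend on the OS display language.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$admins   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$system   = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
# Any of these rights lets the holder alter the rule set or the ACL itself.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WeakAce([System.Security.AccessControl.FileSecurity]$Acl) {
    # Allow ACEs granting Everyone any write-class right (the advisory's finding).
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone -and
        (($_.FileSystemRights -band $writeRights) -ne 0)
    }
}

foreach ($name in $iniFiles) {
    $path = Join-Path $Base $name
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "missing: $path"; continue }
    $acl  = Get-Acl -LiteralPath $path
    $weak = @(Get-WeakAce $acl)
    if ($weak.Count -eq 0) { Write-Output "OK    $path"; continue }
    foreach ($ace in $weak) {
        Write-Output ("WEAK  $path : {0} has {1}{2}" -f $ace.IdentityReference, $ace.FileSystemRights,
                      $(if ($ace.IsInherited) { ' (inherited)' } else { '' }))
    }
    if (-not $Fix) { continue }
    # Inherited ACEs cannot be purged in place, so first break inheritance while
    # keeping copies of the inherited entries, persist, then re-read the ACL.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $path -AclObject $acl
    $acl = Get-Acl -LiteralPath $path
    $acl.PurgeAccessRules($everyone)
    foreach ($sid in $admins, $system) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $fullControl, 'Allow')))
    }
    Set-Acl -LiteralPath $path -AclObject $acl
    Write-Output "FIXED $path"
}
```

Back up the four files before running with -Fix, as the advisory recommends, and run the script from an elevated session since Set-Acl on a file owned by another principal requires it.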

Advisory:
http://www.providesecurity.com/research/advisories/08112004-1.asp


Credit:
Discovered By: Thomas Ryan
Provide Security

Paul Craig
Pimp-Industries


Copyright (c) 2004 Provide Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without the expressed
written consent of Provide Security. If you wish to reprint the whole or any
part of this advisory in any other medium excluding electronic medium,
please email secalert@xxxxxxxxxxxxxxxxxxx for permission.


Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
no warranties, implied or express, with regard to this information. In no
event shall the author be liable for any direct or indirect damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.