| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Aug 2004 04:29:25 -0700 From: kf_lists <kf_lists@...netops.com> To: tommy@...videsecurity.com Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com, vuln-dev@...urityfocus.com Subject: Re: ISS BlackIce Server Protect Unprivileged User Attack The fact that the .ini files are Everyone Full control was pointed out by us when we released SRT2004-01-17-0227 -http://lists.netsys.com/pipermail/full-disclosure/2004-January/016290.html ISS said something along the lines of Windows is not commonly deployed as a multi-user system and ... thus it is not a problem... (this of course was in regards to the local overflow that was able to be triggered because of the fact that their .ini files were world writable. I have heard that since then BlackICE now incorperates .ini file encryption... I am not sure if they ever corrected the permissions though. -KF Thomas Ryan wrote: >Release Date: >August 11, 2004 > >Severity: >Medium > >Vendor: >Internet Security Systems > >Software: >BlackIce Server Protect 3.6cno and below > >Remote: >Remotely Executable from Local and Trusted Networks > >Vulnerabilities: >Unpriviledged User Attack > >Technical Details: >Unpriviledged User Attack was originally posted Aug 11, 2004. to BugTraq by >Paul Craig - Pimp Industries. > >On Aug 11, 2004 further analysis by Thomas Ryan found the vulnerability to >affect blackice.ini, sigs.ini, protect.ini not just firewall.ini as >originally reported. Furthermore research has shown BlackIce was vulnerable >from any IP address listed in blackice.ini, not just local attacks. > >Blackice.ini >[Exclude Address] >exclude.address=192.168.0.1 192.168.0.2 192.168.0.3 > >When BlackIce is installed to <drive>:\Program Files\ISS\BlackIce all 4 .ini >files are installed by default the ACL's of EVERYONE\FULL CONTROL. This >allows any trusted or local unprivileged user to remove or modify the >BlackIce firewall rule set. > >Examples: > >Review the Modifiable parameters (Let Your Mind Be Creative) > >C:\Program Files\ISS\BlackIce\BlackIce.ini >\\vuln-server\C$\Program Files\ISS\BlackIce\BlackIce.ini > >[Back Trace] >backTrace.nbnodestatus=enabled >[IDS] >java.parsing=off >http.postscan=on >http.urllimits=on >[Generic] >report.connections=disabled >[Settings] >view.events.threshold=informational >events.tab.set=SEVICON TIME EVENT INTRUDER COUNT >intruders.tab.set=SEVICON BLKSTATE INTRUDER >file.lock=true >[Exclude Address] >exclude.address=192.168.69.1 192.168.0.2 192.168.0.3 >[Trusting] >trust.issue= >trust.pair= >[Evidence Logging] >evidence.logging=disabled >evidence.fileprefix=evd >evidence.maxKbytes=1400 >evidence.maxfiles=32 > > >C:\Program Files\ISS\BlackIce\firewall.ini >\\vuln-server\C$\Program Files\ISS\BlackIce\firewall.ini > >[PARMS] >auto-blocking = enabled, 2000, BIgui >protection.SecurityLevel = nervous, 2000, BIgui >tunnel.dns = enabled, 0, unknown >tunnel.ftpserver = enabled, 0, unknown >protection.SecurityLevel.state = nervous, 4000, auto >;action, IP/port, name, whenSet, whenExpire, precedence, whoSet >[MANUAL IP ACCEPT] >ACCEPT, 192.168.69.1,, 2004-08-11 19:52:13, PERPETUAL, 2000, BIgui >ACCEPT, 192.168.69.2,, 2004-08-11 19:52:42, PERPETUAL, 2000, BIgui >[MANUAL ICMP ACCEPT] >[MANUAL UDP low REJECT] >REJECT, 0 - 1023, Default UDP low, 2004-08-11 19:53:19, PERPETUAL, 1000, >BIgui >ACCEPT, 137, NETBIOS Name Service, 2004-08-11 19:53:19, PERPETUAL, 2000, >BIgui >ACCEPT, 138, NETBIOS Datagram Service, 2004-08-11 19:53:19, PERPETUAL, 2000, >BIgui >[MANUAL UDP high ACCEPT] >ACCEPT, 1024 - 65535, Default UDP high, 2004-08-11 19:53:19, PERPETUAL, >1000, BIgui >[MANUAL TCP low REJECT] >REJECT, 0 - 1023, Default TCP low, 2004-08-11 19:53:19, PERPETUAL, 1000, >BIgui >ACCEPT, 113, default, 1999-07-19 20:50:26, PERPETUAL, 2000, unknown >ACCEPT, 139, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui >ACCEPT, 445, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui >[MANUAL TCP high REJECT] >REJECT, 1024 - 65535, Default TCP high, 2004-08-11 19:53:19, PERPETUAL, >1000, BIgui > > >Recommended Fix: >Remove The Everyone\Full Control ACL from the blackice.ini, firewall.ini, >protect.ini and sigs.ini files. Before doing so, ensure that Administrators >and System have FULL CONTROL. > >Another Key Note: >Backup the blackice.ini, firewall.ini, protect.ini and sigs.ini before each >update. >After using UpdateBIDServer.exe ALWAYS VALIDATE THE PERMISSIONS, the default >permissions are ALWAYS RESET. > >Advisory: >http://www.providesecurity.com/research/advisories/08112004-1.asp > > >Credit: >Discovered By: Thomas Ryan >Provide Security > >Paul Craig >Pimp-Industries > > >Copyright (c) 2004 Provide Security >Permission is hereby granted for the redistribution of this alert >electronically. It is not to be edited in any way without the expressed >written consent of Provide Security. If you wish to reprint the whole or any >part of this advisory in any other medium excluding electronic medium, >please email secalert@...videsecurity.com for permission. > > >Disclaimer >The information within this paper may change without notice. Use of this >information constitutes acceptance for use in an AS IS condition. There are >no warranties, implied or express, with regard to this information. In no >event shall the author be liable for any direct or indirect damages >whatsoever arising out of or in connection with the use or spread of this >information. Any use of this information is at the user's own risk. > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.netsys.com/full-disclosure-charter.html > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists