lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
From: marc.ruef at computec.ch (Marc Ruef)
Subject: BlackICE PC Protection Cross Site Scripting Evasion

Hi!

I'm using BlackICE PC Protection (formerly known as BlackICE Defender)
for a very long time[1, 2]. It is one of my favorite hostbased intrusion
detection systems and personal firewall for windows.

During some tests for a paper on cross site scripting I've seen that
there is an evasion possibility in BlackICE PC Protection. If I'm
realizing such an request with a GET or POST method, the cross site
scripting is possible but I get an alert[3]:

> [Unauthorized Access Attempt] This signature detects if an HTTP GET
> request contains a 'script' tag.

It seems that BlackICE PC Protection doesn't check a HEAD, PUT, DELETE,
and TRACE request for the <script> pattern. So it is possible to evade
the successful cross site scripting attempt with a PUT or DELETE
attempt. That's because these two are the only request methods that let
me implant an arbitrary script. This is not a really critical issue -
But good to know.

I checked this with BlackICE PC Protection 3.6cbd and Apache 1.3.27. If
I push the "Event Info" button I'll get the page
http://www.iss.net/security_center/reference/2000640.html. There stands
that other ISS products have this security check too:

- BlackICE Agent for Server
- BlackICE PC Protection
- BlackICE Server Protection
- RealSecure Desktop Protector
- RealSecure Guard
- RealSecure Network Sensor
- RealSecure Sentry
- RealSecure Server Sensor

I can't say definitively that these products are affected too. It may be
possible.

My suggestion is to advance the pattern matching also for the other
possible HTTP request methods - Especially for PUT and DELETE. For
example my Snort host is not affected by such an evasion[4]:

--- cut ---

debian:/etc/snort/rules# head web-misc.rules
# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: web-misc.rules,v 1.92.2.2 2003/02/07 22:05:16 cazz Exp $
#---------------
# WEB-MISC RULES
#---------------

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
cross site scripting attempt"; flow:to_server,established;
content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497;
rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
cross site scripting \(img src=javascript\) attempt";
flow:to_server,established; content:"img src=javascript"; nocase;
classtype:web-application-attack; sid:1667; rev:4;)
[...]

--- cut ---

I informed Internet Security Systems (ISS) about this flaw. I sent my
suggestion at Sat, 10 May 2003 11:51:07 +0200 to
support-L1@...workice.com and support@....net

Bye, Marc

[1] http://www.iss.net
[2]
http://www.computec.ch/dokumente/firewalling/desktop-firewalls/desktop-firewalls.html
[3] http://www.cgisecurity.com/articles/xss-faq.shtml
[4] http://www.snort.org

-- 
Computer, Technik und Security                  http://www.computec.ch/

"Alle Technik ist ein faustischer Pakt mit dem Teufel."
           Neil Postman, US-amerikanischer Soziologe und Medienkritiker

Powered by blists - more mailing lists