Message-ID: <4118B195.6020500@secnetops.com>
Date: Tue, 10 Aug 2004 04:29:25 -0700
From: kf_lists <kf_lists@...netops.com>
To: tommy@...videsecurity.com
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
vuln-dev@...urityfocus.com
Subject: Re: ISS BlackIce Server Protect Unprivileged User Attack
The fact that the .ini files are Everyone Full Control was pointed out
by us when we released SRT2004-01-17-0227
- http://lists.netsys.com/pipermail/full-disclosure/2004-January/016290.html
ISS said something along the lines of Windows is not commonly deployed
as a multi-user system and ... thus it is not a problem... (this of
course was in regards to the local overflow that was able to be
triggered because of the fact that their .ini files were world writable).
I have heard that since then BlackICE now incorporates .ini file
encryption... I am not sure if they ever corrected the permissions though.
-KF
Thomas Ryan wrote:
>Release Date:
>August 11, 2004
>
>Severity:
>Medium
>
>Vendor:
>Internet Security Systems
>
>Software:
>BlackIce Server Protect 3.6cno and below
>
>Remote:
>Remotely Executable from Local and Trusted Networks
>
>Vulnerabilities:
>Unprivileged User Attack
>
>Technical Details:
>Unprivileged User Attack was originally posted Aug 11, 2004, to BugTraq by
>Paul Craig - Pimp Industries.
>
>On Aug 11, 2004 further analysis by Thomas Ryan found the vulnerability to
>affect blackice.ini, sigs.ini, protect.ini, not just firewall.ini as
>originally reported. Furthermore, research has shown BlackIce was vulnerable
>from any IP address listed in blackice.ini, not just local attacks.
>
>Blackice.ini
>[Exclude Address]
>exclude.address=192.168.0.1 192.168.0.2 192.168.0.3
>
>When BlackIce is installed to <drive>:\Program Files\ISS\BlackIce all 4 .ini
>files are installed by default with ACLs of EVERYONE\FULL CONTROL. This
>allows any trusted or local unprivileged user to remove or modify the
>BlackIce firewall rule set.
>
>Examples:
>
>Review the Modifiable parameters (Let Your Mind Be Creative)
>
>C:\Program Files\ISS\BlackIce\BlackIce.ini
>\\vuln-server\C$\Program Files\ISS\BlackIce\BlackIce.ini
>
>[Back Trace]
>backTrace.nbnodestatus=enabled
>[IDS]
>java.parsing=off
>http.postscan=on
>http.urllimits=on
>[Generic]
>report.connections=disabled
>[Settings]
>view.events.threshold=informational
>events.tab.set=SEVICON TIME EVENT INTRUDER COUNT
>intruders.tab.set=SEVICON BLKSTATE INTRUDER
>file.lock=true
>[Exclude Address]
>exclude.address=192.168.69.1 192.168.0.2 192.168.0.3
>[Trusting]
>trust.issue=
>trust.pair=
>[Evidence Logging]
>evidence.logging=disabled
>evidence.fileprefix=evd
>evidence.maxKbytes=1400
>evidence.maxfiles=32
>
>
>C:\Program Files\ISS\BlackIce\firewall.ini
>\\vuln-server\C$\Program Files\ISS\BlackIce\firewall.ini
>
>[PARMS]
>auto-blocking = enabled, 2000, BIgui
>protection.SecurityLevel = nervous, 2000, BIgui
>tunnel.dns = enabled, 0, unknown
>tunnel.ftpserver = enabled, 0, unknown
>protection.SecurityLevel.state = nervous, 4000, auto
>;action, IP/port, name, whenSet, whenExpire, precedence, whoSet
>[MANUAL IP ACCEPT]
>ACCEPT, 192.168.69.1,, 2004-08-11 19:52:13, PERPETUAL, 2000, BIgui
>ACCEPT, 192.168.69.2,, 2004-08-11 19:52:42, PERPETUAL, 2000, BIgui
>[MANUAL ICMP ACCEPT]
>[MANUAL UDP low REJECT]
>REJECT, 0 - 1023, Default UDP low, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui
>ACCEPT, 137, NETBIOS Name Service, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
>ACCEPT, 138, NETBIOS Datagram Service, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
>[MANUAL UDP high ACCEPT]
>ACCEPT, 1024 - 65535, Default UDP high, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui
>[MANUAL TCP low REJECT]
>REJECT, 0 - 1023, Default TCP low, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui
>ACCEPT, 113, default, 1999-07-19 20:50:26, PERPETUAL, 2000, unknown
>ACCEPT, 139, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
>ACCEPT, 445, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
>[MANUAL TCP high REJECT]
>REJECT, 1024 - 65535, Default TCP high, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui
>
>
>Recommended Fix:
>Remove The Everyone\Full Control ACL from the blackice.ini, firewall.ini,
>protect.ini and sigs.ini files. Before doing so, ensure that Administrators
>and System have FULL CONTROL.
>
>Another Key Note:
>Backup the blackice.ini, firewall.ini, protect.ini and sigs.ini before each
>update.
>After using UpdateBIDServer.exe ALWAYS VALIDATE THE PERMISSIONS, the default
>permissions are ALWAYS RESET.
>
>Advisory:
>http://www.providesecurity.com/research/advisories/08112004-1.asp
>
>
>Credit:
>Discovered By: Thomas Ryan
>Provide Security
>
>Paul Craig
>Pimp-Industries
>
>
>Copyright (c) 2004 Provide Security
>Permission is hereby granted for the redistribution of this alert
>electronically. It is not to be edited in any way without the expressed
>written consent of Provide Security. If you wish to reprint the whole or any
>part of this advisory in any other medium excluding electronic medium,
>please email secalert@...videsecurity.com for permission.
>
>
>Disclaimer
>The information within this paper may change without notice. Use of this
>information constitutes acceptance for use in an AS IS condition. There are
>no warranties, implied or express, with regard to this information. In no
>event shall the author be liable for any direct or indirect damages
>whatsoever arising out of or in connection with the use or spread of this
>information. Any use of this information is at the user's own risk.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
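The quoted advisory's recommended fix (strip Everyone\Full Control from the four .ini files, make sure Administrators and SYSTEM keep Full Control, back the files up, and re-check after every UpdateBIDServer.exe run because the defaults come back) is easy to get wrong by hand and easy to forget after an update. The script below is an added example, not code from the advisory, KF, Provide Security or ISS: it audits the four files named in the advisory for any Allow ACE granting write-class rights to Everyone and, with -Fix, backs each file up and rewrites its ACL as the advisory describes. The default directory is the install path given in the advisory; the parameter name, the backup naming and the choice to disable inheritance are assumptions of this example.

```powershell
# Added example (not part of the advisory): audit, and optionally repair, the ACLs on the
# BlackIce .ini files that the advisory reports as EVERYONE\FULL CONTROL by default.
# Run from an elevated prompt when using -Fix. -BlackIceDir is an assumed parameter name;
# the default value is the install path quoted in the advisory.
param(
    [string]$BlackIceDir = 'C:\Program Files\ISS\BlackIce',
    [switch]$Fix
)

# The four files named in the advisory.
$iniFiles = 'blackice.ini', 'firewall.ini', 'protect.ini', 'sigs.ini'

# Well-known SIDs, so the check does not depend on the display language of the OS.
$everyone       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'      # Everyone
$administrators = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544' # BUILTIN\Administrators
$localSystem    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'     # NT AUTHORITY\SYSTEM

# Any of these rights lets a principal alter the rule set or replace the file outright.
$writeClass = [System.Security.AccessControl.FileSystemRights]::Write -bor
              [System.Security.AccessControl.FileSystemRights]::Delete -bor
              [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
              [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-WorldWritable {
    # Returns $true when an Allow ACE for Everyone carries any write-class right.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $everyone -and (([int]$ace.FileSystemRights -band [int]$writeClass) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Repair-IniAcl {
    # Applies the advisory's fix: grant Administrators and SYSTEM Full Control first,
    # then purge every ACE held by Everyone. Backs the file up beforehand, as the
    # advisory recommends doing before each update.
    param([string]$Path)
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Copy-Item -LiteralPath $Path -Destination "$Path.$stamp.bak"   # backup naming is an assumption

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the directory so a permissive parent ACL cannot reintroduce
    # Everyone later; inherited ACEs are dropped rather than copied.
    $acl.SetAccessRuleProtection($true, $false)

    foreach ($sid in $administrators, $localSystem) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            ($sid, [System.Security.AccessControl.FileSystemRights]::FullControl,
             [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    $acl.PurgeAccessRules($everyone)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($name in $iniFiles) {
    $path = Join-Path -Path $BlackIceDir -ChildPath $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "not found: $path"
        continue
    }
    if (Test-WorldWritable -Path $path) {
        Write-Output "WORLD-WRITABLE: $path"
        if ($Fix) {
            Repair-IniAcl -Path $path
            if (Test-WorldWritable -Path $path) { Write-Warning "still writable after fix: $path" }
            else { Write-Output "  fixed: $path" }
        }
    } else {
        Write-Output "ok: $path"
    }
}
```

Run it without -Fix to get a report, and with -Fix from an elevated prompt to apply the advisory's permissions; the second Test-WorldWritable call after the repair is the "always validate the permissions" step the advisory asks for, so the same invocation serves as the post-UpdateBIDServer.exe check. The check keys on the Everyone SID rather than the account name, and on the individual write-class rights rather than only FullControl, so a later update that grants Everyone Modify instead of Full Control is still reported.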