From: kf_lists at (kf_lists)
Subject: ISS BlackIce Server Protect Unprivileged User

The fact that the .ini files are Everyone Full control was pointed out 
by us when we released SRT2004-01-17-0227 

ISS said something along the lines of: Windows is not commonly deployed 
as a multi-user system and ... thus it is not a problem... (this of 
course was in regards to the local overflow that was able to be 
triggered because of the fact that their .ini files were world writable).

I have heard that since then BlackICE now incorporates .ini file 
encryption... I am not sure if they ever corrected the permissions though.

Thomas Ryan wrote:

>Release Date:
>August 11, 2004
>Internet Security Systems
>BlackIce Server Protect 3.6cno and below
>Remotely Executable from Local and Trusted Networks
>Unprivileged User Attack
>Technical Details:
>Unprivileged User Attack was originally posted Aug 11, 2004 to BugTraq by
>Paul Craig - Pimp Industries.
>On Aug 11, 2004 further analysis by Thomas Ryan found the vulnerability to
>affect blackice.ini, sigs.ini, protect.ini not just firewall.ini as
>originally reported. Furthermore, research has shown BlackIce was vulnerable
>from any IP address listed in blackice.ini, not just local attacks.
>[Exclude Address]
>When BlackIce is installed to <drive>:\Program Files\ISS\BlackIce all 4 .ini
>files are installed by default with ACLs of EVERYONE\FULL CONTROL. This
>allows any trusted or local unprivileged user to remove or modify the
>BlackIce firewall rule set.
>Review the Modifiable parameters (Let Your Mind Be Creative)
>C:\Program Files\ISS\BlackIce\BlackIce.ini
>\\vuln-server\C$\Program Files\ISS\BlackIce\BlackIce.ini
>[Back Trace]
>[Exclude Address]
>[Evidence Logging]
>C:\Program Files\ISS\BlackIce\firewall.ini
>\\vuln-server\C$\Program Files\ISS\BlackIce\firewall.ini
>auto-blocking = enabled, 2000, BIgui
>protection.SecurityLevel = nervous, 2000, BIgui
>tunnel.dns = enabled, 0, unknown
>tunnel.ftpserver = enabled, 0, unknown
>protection.SecurityLevel.state = nervous, 4000, auto
>;action, IP/port, name, whenSet, whenExpire, precedence, whoSet
>ACCEPT,,, 2004-08-11 19:52:13, PERPETUAL, 2000, BIgui
>ACCEPT,,, 2004-08-11 19:52:42, PERPETUAL, 2000, BIgui
>REJECT, 0 - 1023, Default UDP low, 2004-08-11 19:53:19, PERPETUAL, 1000,
>ACCEPT, 137, NETBIOS Name Service, 2004-08-11 19:53:19, PERPETUAL, 2000,
>ACCEPT, 138, NETBIOS Datagram Service, 2004-08-11 19:53:19, PERPETUAL, 2000,
>ACCEPT, 1024 - 65535, Default UDP high, 2004-08-11 19:53:19, PERPETUAL,
>1000, BIgui
>REJECT, 0 - 1023, Default TCP low, 2004-08-11 19:53:19, PERPETUAL, 1000,
>ACCEPT, 113, default, 1999-07-19 20:50:26, PERPETUAL, 2000, unknown
>ACCEPT, 139, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
>ACCEPT, 445, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
>REJECT, 1024 - 65535, Default TCP high, 2004-08-11 19:53:19, PERPETUAL,
>1000, BIgui
>Recommended Fix:
>Remove The Everyone\Full Control ACL from the blackice.ini, firewall.ini,
>protect.ini and sigs.ini files. Before doing so, ensure that Administrators
>and System have FULL CONTROL.
>Another Key Note:
>Backup the blackice.ini, firewall.ini, protect.ini and sigs.ini before each
>After using UpdateBIDServer.exe ALWAYS VALIDATE THE PERMISSIONS, the default
>permissions are ALWAYS RESET.
>Discovered By: Thomas Ryan
>Provide Security
>Paul Craig
>Copyright (c) 2004 Provide Security
>Permission is hereby granted for the redistribution of this alert
>electronically. It is not to be edited in any way without the expressed
>written consent of Provide Security. If you wish to reprint the whole or any
>part of this advisory in any other medium excluding electronic medium,
>please email for permission.
>The information within this paper may change without notice. Use of this
>information constitutes acceptance for use in an AS IS condition. There are
>no warranties, implied or express, with regard to this information. In no
>event shall the author be liable for any direct or indirect damages
>whatsoever arising out of or in connection with the use or spread of this
>information. Any use of this information is at the user's own risk.
>Full-Disclosure - We believe in it.
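As an added example, not part of either message above nor an ISS tool: a PowerShell script that audits the four .ini files the advisory names for an Everyone ACE granting write access and, when run with -Fix, removes it while ensuring Administrators and SYSTEM keep Full Control, as the advisory recommends. It assumes the default install path from the advisory, must run as an administrator, and uses the well-known SIDs for Everyone, Administrators and SYSTEM; since the advisory notes UpdateBIDServer.exe resets the permissions, it is meant to be re-run after every update.

```powershell
# Added example (not from the advisory): audit, and optionally repair, the ACLs on
# the BlackICE .ini files. Assumes the default install path given in the advisory.
param(
    [string]$BlackIceDir = 'C:\Program Files\ISS\BlackIce',
    [switch]$Fix
)

$Files       = 'blackice.ini', 'firewall.ini', 'protect.ini', 'sigs.ini'
$SidEveryone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'      # Everyone
$SidAdmins   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544' # BUILTIN\Administrators
$SidSystem   = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'     # NT AUTHORITY\SYSTEM
$Full        = [System.Security.AccessControl.FileSystemRights]::FullControl
$Write       = [int][System.Security.AccessControl.FileSystemRights]::Write

function Get-RuleSid($rule) {
    $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
}

foreach ($name in $Files) {
    $path = Join-Path $BlackIceDir $name
    if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }
    $acl = Get-Acl -Path $path
    # Any Allow ACE for Everyone carrying write rights lets an unprivileged user
    # rewrite the firewall rule set, which is the advisory's finding.
    $bad = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (Get-RuleSid $_) -eq $SidEveryone -and
        (([int]$_.FileSystemRights) -band $Write) -ne 0
    })
    if ($bad.Count -eq 0) { Write-Host "OK       $path"; continue }
    Write-Host "WRITABLE $path (Everyone: $($bad.FileSystemRights -join ', '))"
    if (-not $Fix) { continue }
    # Break inheritance first (copying inherited ACEs as explicit ones) so the
    # Everyone ACE can be removed even if it was inherited from the directory.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl
    $acl = Get-Acl -Path $path
    $acl.PurgeAccessRules($SidEveryone)
    # Per the advisory: Administrators and SYSTEM must retain Full Control.
    foreach ($sid in $SidAdmins, $SidSystem) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, $Full, 'Allow')))
    }
    Set-Acl -Path $path -AclObject $acl
    Write-Host "FIXED    $path"
}
```

Running it without -Fix only reports, which is enough to verify the permissions after UpdateBIDServer.exe as the advisory asks.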
