Subject: [NT] BlackIce Server Protect Unprivileged User Attack
Date: 17 Aug 2004 17:37:55 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  BlackIce Server Protect Unprivileged User Attack
------------------------------------------------------------------------


SUMMARY

"BlackICE (http://blackice.iss.net/) teams a personal firewall with an 
advanced intrusion detection system to constantly watch your Internet 
connection for suspicious behavior. BlackICE responds immediately by 
alerting you to trouble and instantly blocking the threat."

Because the firewall's initialization files are installed with insecure 
access control restrictions, an unprivileged user is able either to subvert 
the normal operation of the firewall or to disable it completely.

DETAILS

Vulnerable Systems:
 * BlackICE Server Protect version 3.6cno

When BlackICE is installed there are certain important initialization 
files that are installed which control the behavior of the firewall. The 
files in question are:
firewall.ini
blackice.ini
protect.ini
sigs.ini

When BlackICE is installed to :\Program Files\ISS\BlackIce, all four .ini 
files are installed by default with an ACL of Everyone: Full Control. This 
allows any local or trusted unprivileged user to remove or modify the 
BlackICE firewall rule set. Naturally, the ACL restrictions apply only on an 
NTFS file system (a FAT volume has no file-level permissions at all, so there 
every user can modify the files). It is also possible to stop the firewall 
from running at all by simply inserting an overly long firewall rule. 
Example:
REJECT, 138, default, 1999-07-22 20:26:53, AAAAAAAAAAAAAAAAA.... , 2000, unknown

(Approximately 1000 A's)

This causes BlackICE to crash the next time it is restarted, but no 
message, popup or warning is displayed to the user; even the 'eye' icon in 
the taskbar fails to load, so the user has no indication that the firewall 
is not running. The implication is straightforward: an unprivileged user is 
able to completely subvert the firewall without modifying any of the real 
rules. This is extremely hard to detect because even the logs contain no 
entry for the crash.

Furthermore, research has shown that BlackICE is exposed to any IP address 
listed in the [Exclude Address] section of blackice.ini, not just to local 
attacks, since that list lives in the same world-writable file:
Blackice.ini
[Exclude Address]
exclude.address=192.168.0.1 192.168.0.2 192.168.0.3

Other examples of .ini file modification can be seen below (the local path 
and the UNC path via the C$ administrative share):
C:\Program Files\ISS\BlackIce\BlackIce.ini
\\vuln-server\C$\Program Files\ISS\BlackIce\BlackIce.ini

[Back Trace]
backTrace.nbnodestatus=enabled
[IDS]
java.parsing=off
http.postscan=on
http.urllimits=on
[Generic]
report.connections=disabled
[Settings]
view.events.threshold=informational
events.tab.set=SEVICON TIME EVENT INTRUDER COUNT
intruders.tab.set=SEVICON BLKSTATE INTRUDER
file.lock=true
[Exclude Address]
exclude.address=192.168.69.1 192.168.0.2 192.168.0.3
[Trusting]
trust.issue=
trust.pair=
[Evidence Logging]
evidence.logging=disabled
evidence.fileprefix=evd
evidence.maxKbytes=1400
evidence.maxfiles=32

C:\Program Files\ISS\BlackIce\firewall.ini
\\vuln-server\C$\Program Files\ISS\BlackIce\firewall.ini

[PARMS]
auto-blocking = enabled, 2000, BIgui
protection.SecurityLevel = nervous, 2000, BIgui
tunnel.dns = enabled, 0, unknown
tunnel.ftpserver = enabled, 0, unknown
protection.SecurityLevel.state = nervous, 4000, auto
;action, IP/port, name, whenSet, whenExpire, precedence, whoSet
[MANUAL IP ACCEPT]
ACCEPT, 192.168.69.1,, 2004-08-11 19:52:13, PERPETUAL, 2000, BIgui
ACCEPT, 192.168.69.2,, 2004-08-11 19:52:42, PERPETUAL, 2000, BIgui
[MANUAL ICMP ACCEPT]
[MANUAL UDP low REJECT]
REJECT, 0 - 1023, Default UDP low, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui
ACCEPT, 137, NETBIOS Name Service, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
ACCEPT, 138, NETBIOS Datagram Service, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui

[MANUAL UDP high ACCEPT]
ACCEPT, 1024 - 65535, Default UDP high, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui

[MANUAL TCP low REJECT]
REJECT, 0 - 1023, Default TCP low, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui
ACCEPT, 113, default, 1999-07-19 20:50:26, PERPETUAL, 2000, unknown
ACCEPT, 139, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
ACCEPT, 445, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui

[MANUAL TCP high REJECT]
REJECT, 1024 - 65535, Default TCP high, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui
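
The content check below is an added example; it is not part of the advisory and not ISS code. It reads firewall.ini rule lines in the seven-field layout that the [PARMS] comment above documents (action, IP/port, name, whenSet, whenExpire, precedence, whoSet) and flags any rule with the wrong field count or with a field longer than a chosen limit, which catches the roughly 1000-character rule that crashes BlackICE. It also compares the [Exclude Address] list in blackice.ini against an approved list, so an added exclusion like the 192.168.69.1 entry above stands out. The sample .ini text, $MaxFieldLength and $ApprovedExcludes are constructed assumptions; point it at the real files under C:\Program Files\ISS\BlackIce to use it on a host.

```powershell
# Added example, not part of the advisory: content check for the BlackICE .ini files.
# Sample content is constructed inline so the script runs without BlackICE installed.

$MaxFieldLength   = 64                                           # assumption: no legitimate field is longer
$ApprovedExcludes = '192.168.0.1', '192.168.0.2', '192.168.0.3'  # assumption: the excludes you approved

# Minimal INI reader: ordered table of section name -> raw non-comment lines.
function ConvertFrom-IniText {
    param([string]$Text)
    $sections = [ordered]@{}
    $current  = ''
    foreach ($line in ($Text -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @(); continue }
        if (-not $sections.Contains($current)) { $sections[$current] = @() }
        $sections[$current] += $t
    }
    $sections
}

# firewall.ini: every rule under a [MANUAL ...] section must have exactly seven
# comma-separated fields, and no single field may exceed $MaxFieldLength.
function Test-FirewallRules {
    param([string]$Text)
    $findings = @()
    $ini = ConvertFrom-IniText $Text
    foreach ($section in @($ini.Keys)) {
        if ($section -notlike 'MANUAL *') { continue }
        foreach ($rule in $ini[$section]) {
            $fields  = $rule -split ',\s*'
            $preview = $rule.Substring(0, [Math]::Min(50, $rule.Length))
            if ($fields.Count -ne 7) {
                $findings += "[$section] rule has $($fields.Count) fields, expected 7: $preview"
                continue
            }
            for ($i = 0; $i -lt 7; $i++) {
                if ($fields[$i].Length -gt $MaxFieldLength) {
                    $findings += "[$section] field $i is $($fields[$i].Length) chars (limit $MaxFieldLength): $preview"
                }
            }
        }
    }
    $findings
}

# blackice.ini: every address under [Exclude Address] must be on the approved list.
function Test-ExcludeAddresses {
    param([string]$Text)
    $findings = @()
    $ini = ConvertFrom-IniText $Text
    foreach ($line in $ini['Exclude Address']) {
        if ($line -notmatch '^exclude\.address\s*=\s*(.*)$') { continue }
        foreach ($addr in ($Matches[1] -split '\s+' | Where-Object { $_ })) {
            if ($addr -notin $ApprovedExcludes) { $findings += "unapproved exclude address: $addr" }
        }
    }
    $findings
}

function Invoke-BlackIceIniAudit {
    param([string]$FirewallText, [string]$BlackIceText)
    @(Test-FirewallRules $FirewallText) + @(Test-ExcludeAddresses $BlackIceText)
}

# Constructed sample input: the advisory's rule formats plus one over-long field.
$SampleFirewallIni = @"
[PARMS]
auto-blocking = enabled, 2000, BIgui
;action, IP/port, name, whenSet, whenExpire, precedence, whoSet
[MANUAL UDP low REJECT]
REJECT, 0 - 1023, Default UDP low, 2004-08-11 19:53:19, PERPETUAL, 1000, BIgui
REJECT, 138, default, 1999-07-22 20:26:53, $('A' * 1000), 2000, unknown
[MANUAL TCP low REJECT]
ACCEPT, 139, SMB, 2004-08-11 19:53:19, PERPETUAL, 2000, BIgui
"@
$SampleBlackIceIni = @"
[Exclude Address]
exclude.address=192.168.69.1 192.168.0.2 192.168.0.3
"@

Invoke-BlackIceIniAudit -FirewallText $SampleFirewallIni -BlackIceText $SampleBlackIceIni |
    ForEach-Object { Write-Warning $_ }
# On a real host:
# Invoke-BlackIceIniAudit -FirewallText (Get-Content -Raw "$env:ProgramFiles\ISS\BlackIce\firewall.ini") `
#                         -BlackIceText (Get-Content -Raw "$env:ProgramFiles\ISS\BlackIce\blackice.ini")
```

On the sample input the audit reports the 1000-character field in the second UDP rule and the unapproved 192.168.69.1 exclusion. Scheduling the check (and a hash of the four files) after every restart gives the early warning the product itself does not: the advisory's point is that a crashed BlackICE leaves no log entry, so the evidence has to come from the files.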

Workaround
Remove the Everyone: Full Control ACE from the blackice.ini, firewall.ini, 
protect.ini and sigs.ini files. Before doing so, ensure that Administrators 
and SYSTEM have Full Control. Back up blackice.ini, firewall.ini, protect.ini 
and sigs.ini before each update. After running UpdateBIDServer.exe, ALWAYS 
VALIDATE THE PERMISSIONS: the update ALWAYS RESETS them to the defaults.
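
The script below is an added example that implements the workaround; it is not from the advisory or from ISS. It audits the four files for Allow entries that give Everyone, Authenticated Users or Users any write-class right, and with -Repair it rebuilds each DACL as Administrators and SYSTEM Full Control with inheritance switched off, so a permissive parent folder cannot reintroduce the problem. The install path is the one the advisory names; the read-only entry for Users is an assumption (the BlackICE tray application runs in the user's session) and can be dropped if it proves unnecessary. Run it from an elevated session, and re-run it after every UpdateBIDServer.exe, since the update resets the permissions.

```powershell
# Added example, not part of the advisory: audit the ACLs on the BlackICE .ini files
# and optionally reset them. Run from an elevated PowerShell session.
$BlackIceDir = 'C:\Program Files\ISS\BlackIce'      # default install path named in the advisory
$IniFiles    = 'blackice.ini', 'firewall.ini', 'protect.ini', 'sigs.ini'

# Well-known SIDs, so the check does not depend on localized group names.
$SidEveryone  = 'S-1-1-0'
$SidAuthUsers = 'S-1-5-11'
$SidUsers     = 'S-1-5-32-545'
$SidAdmins    = 'S-1-5-32-544'
$SidSystem    = 'S-1-5-18'

# Any of these rights lets the holder alter the file or its permissions.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-SidString([System.Security.Principal.IdentityReference]$Identity) {
    $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Returns the Allow ACEs that give a broad group write-class access to $Path.
function Get-WeakIniAce {
    param([Parameter(Mandatory)][string]$Path)
    $broad = $SidEveryone, $SidAuthUsers, $SidUsers
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (Get-SidString $_.IdentityReference) -in $broad -and
        (($_.FileSystemRights -band $WriteMask) -ne 0)
    }
}

# Rebuilds the DACL: inheritance off, Administrators and SYSTEM Full Control,
# Users read-only (assumption, see lead-in).
function Repair-IniAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting and drop inherited ACEs
    foreach ($sid in $SidEveryone, $SidAuthUsers, $SidUsers) {
        $acl.PurgeAccessRules((New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sid))
    }
    $wanted = @(
        @{ Sid = $SidAdmins; Rights = 'FullControl' },
        @{ Sid = $SidSystem; Rights = 'FullControl' },
        @{ Sid = $SidUsers;  Rights = 'ReadAndExecute' }
    )
    foreach ($w in $wanted) {
        $id   = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $w.Sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id, $w.Rights, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Audits every file; with -Repair, fixes the ones that fail and re-checks them.
function Invoke-BlackIceAclAudit {
    param([switch]$Repair)
    foreach ($name in $IniFiles) {
        $path = Join-Path $BlackIceDir $name
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "missing: $path"; continue }
        $weak = @(Get-WeakIniAce -Path $path)
        if ($weak.Count -gt 0 -and $Repair) {
            Repair-IniAcl -Path $path
            $weak = @(Get-WeakIniAce -Path $path)
        }
        [pscustomobject]@{
            File                  = $name
            WritableByBroadGroups = ($weak.Count -gt 0)
            Entries               = ($weak.IdentityReference -join ', ')
        }
    }
}

Invoke-BlackIceAclAudit            # report only
# Invoke-BlackIceAclAudit -Repair  # report and fix; re-run after every UpdateBIDServer.exe
```

Checking SIDs rather than names keeps the audit valid on non-English installations, and dropping inheritance makes the result independent of whatever the Program Files folder grants. Back up the four files before running with -Repair, as the advisory recommends before any change.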


ADDITIONAL INFORMATION

The information has been provided by Thomas Ryan 
<mailto:tommy@providesecurity.com>.
The original article can be found at:
http://www.providesecurity.com/research/advisories/08112004-1.asp


