Vulnerabilities > CVE-2004-2126 - Unspecified vulnerability in ISS Blackice PC Protection
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
The upgrade for BlackICE PC Protection 3.6 and earlier sets insecure permissions for .INI files such as (1) blackice.ini, (2) firewall.ini, (3) protect.ini, or (4) sigs.ini, which allows local users to modify BlackICE configuration or possibly execute arbitrary code by exploiting vulnerabilities in the .INI parsers.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 5 |
Nessus
NASL family Windows NASL id BLACKICE_CONFIGS.NASL description ISS BlackICE is a personal Firewall/IDS for windows Desktops. Based on the version number, the remote BlackICE install is vulnerable to a local attack due to incorrect file permissions. *** Nessus based the results of this test on the contents of *** the local BlackICE configuration file. last seen 2020-06-01 modified 2020-06-02 plugin id 14270 published 2004-08-13 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14270 title ISS BlackICE/PC Protection Unprivileged User Local DoS code
#
# (C) Tenable Network Security, Inc.
#
# Credentialed version check for BlackICE. Using the SMB credentials stored in
# the knowledge base, the script looks up the install path of blackd.exe in the
# registry, reads the first 2048 bytes of the .log file that sits next to it,
# extracts the "BlackICE Product Version" line, saves it under the KB key
# SMB/BlackICE/Version, and raises a warning when the build matches the
# pattern at the bottom of the script.
#
# NOTE(review): the finding is inferred from the version string only. Nothing
# here inspects the permissions on blackice.ini, firewall.ini, protect.ini or
# sigs.ini, so a flagged host should be confirmed by reviewing the ACLs on
# those files (and a host that is not flagged is not proven to be safe).
#
# NOTE(review): the title says "Local DoS", the synopsis says "local buffer
# overflow" and the description says "incorrect file permissions"; the three
# texts do not describe the same issue in the same terms.
#
# NOTE(review): the description states the result is based on the BlackICE
# configuration file, but the code below opens a .log path derived from the
# blackd.exe registry entry.
include("compat.inc");

if (description)
{
  script_id(14270);
  script_version("1.21");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  script_cve_id("CVE-2004-1714", "CVE-2004-2126");
  script_bugtraq_id(10915);

  script_name(english:"ISS BlackICE/PC Protection Unprivileged User Local DoS");
  script_summary(english:"ISS BlackICE Vulnerable config file detection");

  script_set_attribute(attribute:"synopsis", value:
"The firewall running on the remote host has a local buffer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"ISS BlackICE is a personal Firewall/IDS for windows Desktops. Based on the version number, the remote BlackICE install is vulnerable to a local attack due to incorrect file permissions. 
*** Nessus based the results of this test on the contents of *** the local BlackICE configuration file.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Aug/153");
  script_set_attribute( attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/Aug/494" );
  script_set_attribute( attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/Aug/506" );
  script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of BlackICE.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/13");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  # Information gathering only; the script needs an enumerated registry and
  # SMB reachable on 139 or 445.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);
  exit(0);
}

include("smb_func.inc");
include("audit.inc");

# SMB credentials and transport port come from the scanner's knowledge base.
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
port = kb_smb_transport();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

# Step 1: connect to IPC$ to reach the remote registry.
r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if ( r != 1 ) exit(0);

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if ( isnull(hklm) )
{
  NetUseDel();
  exit(0);
}

# A missing App Paths entry for blackd.exe ends the check quietly (exit code 0).
key_h = RegOpenKey(key:"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\blackd.exe", handle:hklm, mode:MAXIMUM_ALLOWED);
if ( isnull(key_h) )
{
  RegCloseKey(handle:hklm);
  NetUseDel();
  exit(0);
}

item = RegQueryValue(handle:key_h, item:"Default");

# Both registry handles are released before the result is examined, so every
# later exit path only has to drop the SMB connection.
RegCloseKey(handle:key_h);
RegCloseKey(handle:hklm);

# From here on, failures exit with code 1 rather than 0.
if ( isnull(item) )
{
  NetUseDel();
  exit(1);
}

# NOTE(review): close:FALSE presumably disconnects from IPC$ while keeping the
# session for the second NetUseAdd below; confirm against smb_func.inc.
NetUseDel(close:FALSE);

# Step 2: turn the executable path into the log path, then split it into an
# administrative share name (drive letter followed by "$") and the path on
# that share.
myfile = str_replace(find:".exe", replace:".log", string:item[1]);
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:myfile);
file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:myfile);

r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if ( r != 1)
{
  NetUseDel();
  exit(1);
}

# The log is opened read-only and must already exist.
handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING) ;
if ( isnull(handle) )
{
  NetUseDel();
  exit(1);
}

# Only the first 2048 bytes are read. If the version line sits further into
# the file, no KB item is set and no warning is raised.
myread = ReadFile(handle:handle, length:2048, offset:0);
CloseFile(handle:handle);
if ( isnull(myread) )
{
  NetUseDel();
  exit(1);
}

NetUseDel();

# Step 3: drop NUL bytes so the text can be searched, then pull out the
# version line.
myread = str_replace(find:raw_string(0), replace:"", string:myread);
version = egrep(string:myread, pattern:"BlackICE Product Version");

if ( version )
{
  # The version line is published for other scripts that require this key.
  set_kb_item(name:"SMB/BlackICE/Version", value:version);

  # Flags 3.[0-5].cdf and 3.6 builds cbd, cbr, cbz, cca-cch and cdf.
  # NOTE(review): ".*" lets the version match anywhere after the marker text,
  # so the pattern is not anchored to the version field; confirm that the log
  # line cannot carry other text matching it.
  if (ereg(string:version, pattern:"BlackICE Product Version.*3\.([0-5]\.cdf|6\.c(b[drz]|c[a-h]|df))"))
    security_warning(port);
}
NASL family Windows NASL id BLACKICE_VERSION_CHECKER.NASL description ISS BlackICE is a personal Firewall/IDS for windows Desktops. Several remote holes have been found in the product. An attacker, exploiting these flaws, would be able to either crash the remote firewall/IDS service or execute code on the target machine. According to the remote version number, the remote host is vulnerable to at least one remote overflow. last seen 2020-06-01 modified 2020-06-02 plugin id 12114 published 2004-03-19 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/12114 title ISS BlackICE Multiple Remote Vulnerabilities code
#
# (C) Tenable Network Security, Inc.
#
# Version-based check for several BlackICE issues. The script does not talk to
# BlackICE itself: it takes the "BlackICE Product Version" line that an earlier
# script stored in the knowledge base and compares it with three build
# patterns, reporting one finding per pattern that matches.
#
# NOTE(review): every finding is inferred from the version string and is
# reported against the SMB transport port (139 when none is recorded), not
# against a port of the affected service. Confirm the installed build on the
# host before acting on a result.
#
# NOTE(review): the script is titled "Remote Vulnerabilities" but declares
# plugin_type "local"; which of the listed CVE ids belongs to which of the
# three checks is not stated anywhere in the script.
include("compat.inc");

if (description)
{
  script_id(12114);
  script_version("1.30");
  script_cvs_date("Date: 2018/06/27 18:42:27");

  script_cve_id(
    "CVE-2000-0562",
    "CVE-2002-0237",
    "CVE-2002-0956",
    "CVE-2002-0957",
    "CVE-2004-0193",
    "CVE-2004-2125",
    "CVE-2004-2126"
  );
  script_bugtraq_id(1389, 4025, 4950, 9513, 9514, 9752);

  script_name(english:"ISS BlackICE Multiple Remote Vulnerabilities");
  script_summary(english:"ISS BlackICE Vulnerable version detection");

  script_set_attribute(attribute:"synopsis", value:
"The firewall running on the remote host has multiple buffer overflow vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"ISS BlackICE is a personal Firewall/IDS for windows Desktops. Several remote holes have been found in the product. An attacker, exploiting these flaws, would be able to either crash the remote firewall/IDS service or execute code on the target machine. 
According to the remote version number, the remote host is vulnerable to at least one remote overflow.");
  script_set_attribute(attribute:"see_also", value:"http://www.eeye.com/html/Research/Advisories/AD20040226.html");
  script_set_attribute(attribute:"see_also", value:"http://www.eeye.com/html/Research/Advisories/AD20040318.html");
  script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of BlackICE.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vuln_publication_date", value:"2000/06/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/03/19");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/02/26");
  script_end_attributes();

  # Runs only after blackice_configs.nasl has stored the version line.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
  script_dependencies("blackice_configs.nasl");
  script_require_keys("SMB/BlackICE/Version");
  script_require_ports(139, 445);
  exit(0);
}

include("smb_func.inc");

# Report one finding on the SMB transport port, using 139 when the knowledge
# base has no transport recorded.
function report_hole(extra)
{
  local_var smb_port;

  smb_port = kb_smb_transport();
  if (!smb_port) smb_port = 139;
  security_hole(port:smb_port, extra:extra);
}

myread = get_kb_item("SMB/BlackICE/Version");
if ( ! myread ) exit(0);

# Expected shape of the stored line, as found in BLACKD.LOG:
#   [25]Fri, 19 Mar 2004 09:58:20: BlackICE Product Version : 7.0.ebf
if (!strstr(myread, "BlackICE Product Version")) exit(0);

# Check 1 (SMB packet handling): 7.0 builds eba-ebh and 3.6 builds ebr-ecb.
smb_builds = "BlackICE Product Version.*(7\.0\.eb[a-h]|3\.6\.e(b[r-z]|c[ab]))";
if (egrep(string:myread, pattern:smb_builds))
{
  report_hole(extra:string( "According to the remote version number, the remote host is vulnerable to a bug wherein a malformed SMB packet will allow the attacker to execute arbitrary code on the target system."));
}

# Check 2 (ICQ packet handling): described upstream as "all versions prior to
# 7.0.ebl and 3.6.ecf".
# NOTE(review): the patterns do not match that description exactly. The first
# one accepts any three-letter build of any 0.x-6.x release, which includes
# 3.6 builds at or after ecf; the second stops at 7.0.ebh, so 7.0.ebi-ebk are
# not matched. Confirm the intended ranges against the vendor advisory.
# A build such as 7.0.eba matches check 1 as well and is reported twice.
icq_pre7_builds = "BlackICE Product Version.*[0-6]\.[0-9]\.[a-z][a-z][a-z]";
icq_70_builds = "BlackICE Product Version.*7\.0\.([a-d][a-z][a-z]|e(a[a-z]|b[a-h]))";
if (egrep(string:myread, pattern:icq_pre7_builds) ||
    egrep(string:myread, pattern:icq_70_builds))
{
  report_hole(extra:string( "According to the remote version number, the remote host is vulnerable to a bug wherein a malformed ICQ packet will allow the attacker to execute arbitrary code on the target system."));
}

# Check 3 (insecure default configuration): 7.0 builds ebj-ebm, 3.6 builds
# ecd-ecg and 3.6 builds ccd-ccg.
# NOTE(review): the settings themselves are never read; a host whose
# configuration was corrected after installation is still reported.
default_cfg_builds = "BlackICE Product Version.*(7\.0\.eb[j-m]|3\.6\.(ec[d-g]|cc[d-g]))";
if (egrep(string:myread, pattern:default_cfg_builds))
{
  report_hole(extra:string( "Nessus detected a version of BlackICE with insecure default settings."));
}