Vulnerabilities > CVE-2004-2126 - Unspecified vulnerability in ISS Blackice PC Protection

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
iss
nessus

Summary

The upgrade for BlackICE PC Protection 3.6 and earlier sets insecure permissions for .INI files such as (1) blackice.ini, (2) firewall.ini, (3) protect.ini, or (4) sigs.ini, which allows local users to modify BlackICE configuration or possibly execute arbitrary code by exploiting vulnerabilities in the .INI parsers.

Nessus

  • NASL familyWindows
    NASL idBLACKICE_CONFIGS.NASL
    descriptionISS BlackICE is a personal Firewall/IDS for windows Desktops. Based on the version number, the remote BlackICE install is vulnerable to a local attack due to incorrect file permissions. *** Nessus based the results of this test on the contents of *** the local BlackICE configuration file.
    last seen2020-06-01
    modified2020-06-02
    plugin id14270
    published2004-08-13
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14270
    titleISS BlackICE/PC Protection Unprivileged User Local DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
     script_id(14270);
     script_version("1.21");
     script_cvs_date("Date: 2018/11/15 20:50:26");
     script_cve_id("CVE-2004-1714", "CVE-2004-2126");
     script_bugtraq_id(10915);
    
     script_name(english:"ISS BlackICE/PC Protection Unprivileged User Local DoS");
     script_summary(english:"ISS BlackICE Vulnerable config file detection");
    
     script_set_attribute(attribute:"synopsis", value:
    "The firewall running on the remote host has a local buffer overflow
    vulnerability.");
     script_set_attribute(attribute:"description", value:
    "ISS BlackICE is a personal Firewall/IDS for windows Desktops. Based on
    the version number, the remote BlackICE install is vulnerable to a
    local attack due to incorrect file permissions.
    
    *** Nessus based the results of this test on the contents of *** the
    local BlackICE configuration file.");
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Aug/153");
     script_set_attribute(
       attribute:"see_also",
       value:"https://seclists.org/fulldisclosure/2004/Aug/494"
     );
     script_set_attribute(
       attribute:"see_also",
       value:"https://seclists.org/fulldisclosure/2004/Aug/506"
     );
     script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of BlackICE.");
     script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/14");
     script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/13");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"Windows");
    
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
    
     script_dependencies("smb_hotfixes.nasl");
     script_require_keys("SMB/Registry/Enumerated");
     script_require_ports(139, 445);
     exit(0);
    }
    
    include("smb_func.inc");
    include("audit.inc");
    
    login   = kb_smb_login();
    pass    = kb_smb_password();
    domain  = kb_smb_domain();
    port    = kb_smb_transport();
    
    if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
    r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
    if ( r != 1 ) exit(0);
    
    hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
    if ( isnull(hklm) )
    {
     NetUseDel();
     exit(0);
    }
    
    key_h = RegOpenKey(key:"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\blackd.exe", handle:hklm, mode:MAXIMUM_ALLOWED);
    if ( isnull(key_h) )
    {
     RegCloseKey(handle:hklm);
     NetUseDel();
     exit(0);
    }
    
    item = RegQueryValue(handle:key_h, item:"Default");
    RegCloseKey(handle:key_h);
    RegCloseKey(handle:hklm);
    if ( isnull(item) ) {
    	NetUseDel();
    	exit(1);
    	}
    
    NetUseDel(close:FALSE);
    
    myfile = str_replace(find:".exe", replace:".log", string:item[1]);
    
    share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:myfile);
    file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:myfile);
    
    r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
    if ( r != 1)
    {
     NetUseDel();
     exit(1);
    }
    
    handle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING) ;
    
    if ( isnull(handle) )
    {
     NetUseDel();
     exit(1);
    }
    
    myread = ReadFile(handle:handle, length:2048, offset:0);
    CloseFile(handle:handle);
    
    if ( isnull(myread) )
    {
     NetUseDel();
     exit(1);
    }
    
    NetUseDel();
    
    myread = str_replace(find:raw_string(0), replace:"", string:myread);
    
    version = egrep(string:myread, pattern:"BlackICE Product Version");
    if ( version )
    {
    	set_kb_item(name:"SMB/BlackICE/Version", value:version);
        	if (ereg(string:version, pattern:"BlackICE Product Version.*3\.([0-5]\.cdf|6\.c(b[drz]|c[a-h]|df))")) security_warning(port);
    }
    
  • NASL familyWindows
    NASL idBLACKICE_VERSION_CHECKER.NASL
    descriptionISS BlackICE is a personal Firewall/IDS for windows Desktops. Several remote holes have been found in the product. An attacker, exploiting these flaws, would be able to either crash the remote firewall/IDS service or execute code on the target machine. According to the remote version number, the remote host is vulnerable to at least one remote overflow.
    last seen2020-06-01
    modified2020-06-02
    plugin id12114
    published2004-03-19
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/12114
    titleISS BlackICE Multiple Remote Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(12114);
     script_version("1.30");
     script_cvs_date("Date: 2018/06/27 18:42:27");
    
     script_cve_id(
      "CVE-2000-0562",
      "CVE-2002-0237",
      "CVE-2002-0956",
      "CVE-2002-0957",
      "CVE-2004-0193",
      "CVE-2004-2125",
      "CVE-2004-2126"
     );
     script_bugtraq_id(1389, 4025, 4950, 9513, 9514, 9752);
    
     script_name(english:"ISS BlackICE Multiple Remote Vulnerabilities");
     script_summary(english:"ISS BlackICE Vulnerable version detection");
    
     script_set_attribute(attribute:"synopsis", value:
    "The firewall running on the remote host has multiple buffer overflow
    vulnerabilities.");
     script_set_attribute(attribute:"description", value:
    "ISS BlackICE is a personal Firewall/IDS for windows Desktops. Several
    remote holes have been found in the product. An attacker, exploiting
    these flaws, would be able to either crash the remote firewall/IDS
    service or execute code on the target machine.
    
    According to the remote version number, the remote host is vulnerable
    to at least one remote overflow.");
     script_set_attribute(attribute:"see_also", value:"http://www.eeye.com/html/Research/Advisories/AD20040226.html");
     script_set_attribute(attribute:"see_also", value:"http://www.eeye.com/html/Research/Advisories/AD20040318.html");
     script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of BlackICE.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2000/06/20");
     script_set_attribute(attribute:"plugin_publication_date", value:"2004/03/19");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/02/26");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"Windows");
    
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
    
     script_dependencies("blackice_configs.nasl");
     script_require_keys("SMB/BlackICE/Version");
     script_require_ports(139, 445);
    
     exit(0);
    }
    
    include("smb_func.inc");
    myread = get_kb_item("SMB/BlackICE/Version");
    if ( ! myread ) exit(0);
    
    
    # what does the logfile format look like:
    # ---------- BLACKD.LOG
    # [25]Fri, 19 Mar 2004 09:58:20: BlackICE Product Version :               7.0.ebf
    
    if (strstr(myread, "BlackICE Product Version"))  {
        # all versions 7.0 eba through ebh and 3.6 ebr through ecb
        if (egrep(string:myread, pattern:"BlackICE Product Version.*(7\.0\.eb[a-h]|3\.6\.e(b[r-z]|c[ab]))")) {
            # do a warning for smb bug
            mywarning = string(
    "According to the remote version number, the remote host is vulnerable
    to a bug wherein a malformed SMB packet will allow the attacker to execute
    arbitrary code on the target system.");
        port = kb_smb_transport();
        if (!port) port = 139;
        security_hole(port:port, extra:mywarning);
        }
    
    
        # all versions prior to 7.0.ebl and 3.6.ecf
        if ( (egrep(string:myread, pattern:"BlackICE Product Version.*[0-6]\.[0-9]\.[a-z][a-z][a-z]")) ||
        (egrep(string:myread, pattern:"BlackICE Product Version.*7\.0\.([a-d][a-z][a-z]|e(a[a-z]|b[a-h]))")) ) {
                    mywarning = string(
    "According to the remote version number, the remote host is vulnerable
    to a bug wherein a malformed ICQ packet will allow the attacker to execute
    arbitrary code on the target system.");
        port = kb_smb_transport();
        if (!port) port = 139;
        security_hole(port:port, extra:mywarning);
        }
    
    
        # only certain versions which have a default config issue
        # VULN VERSION:
        # 7.0 eb[j-m]
        # 3.6 ec[d-g]
        # 3.6 cc[d-g]
    
        if (egrep(string:myread, pattern:"BlackICE Product Version.*(7\.0\.eb[j-m]|3\.6\.(ec[d-g]|cc[d-g]))")) {
            #warning for misconfiguration
            mywarning = string(
    "Nessus detected a version of BlackICE with insecure default settings.");
        port = kb_smb_transport();
        if (!port) port = 139;
        security_hole(port:port, extra:mywarning);
        }
    
    }