BlackICE multiple products blackd.exe script buffer overflow
blackice-blackdexe-bo (14965)
Description:
Multiple BlackICE products are vulnerable to a buffer overflow, caused by a vulnerability in the blackd.exe file. BlackICE PC Protection version 3.6 cbd, BlackICE Server Protection 3.6 cbz, RealSecure Desktop 3.6 eca, RealSecure Desktop 7.0 ebg, and BlackICE Agent for Server 3.6 eca running on Microsoft Windows operating systems could allow a local, authenticated attacker to supply a long log file name containing malicious script to the packetLog.fileprefix parameter. The script is executed when a log entry is generated, allowing the attacker to gain elevated privileges on the system.
Consequences:
Gain Privileges
Remedy:
All BlackICE users are encouraged to enable the Application Protection feature to protect their systems from this and related issues.
Upgrade to the following versions to resolve this issue:
BlackICE PC Protection 3.6 ccb or later
BlackICE Server Protection 3.6 ccb or later
RealSecure Desktop 3.6 ecb or later
RealSecure Desktop 7.0 ebh or later
BlackICE Agent for Server 3.6 ecb or later
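A defender-side triage check for the condition described above, added here as an example and not code from ISS or the original advisory: it scans .INI text for a packetLog.fileprefix value that is unusually long or contains characters outside a plain file-name prefix. The `key=value` line syntax, case-insensitive key matching, the 64-character limit and the character allowlist are assumptions, and the sample inputs are constructed.

```python
import re

# Assumed policy limit for a log-file prefix. This is NOT the size of the
# vulnerable buffer, which the advisory does not state.
MAX_PREFIX_LEN = 64
# Assumed allowlist: characters expected in a plain file-name prefix.
SAFE_PREFIX = re.compile(r"[A-Za-z0-9_.\-]*")
# Key name from the advisory, compared case-insensitively (assumption).
KEY = "packetlog.fileprefix"


def audit_ini(text, max_len=MAX_PREFIX_LEN):
    """Return a list of (line_no, reason) findings for packetLog.fileprefix."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")):
            continue  # blank line, comment, or section header
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != KEY:
            continue  # not a key=value line, or a different key
        value = value.strip()
        if len(value) > max_len:
            findings.append(
                (line_no, f"value is {len(value)} chars, limit {max_len}"))
        if not SAFE_PREFIX.fullmatch(value):
            findings.append(
                (line_no, "value has characters outside [A-Za-z0-9_.-]"))
    return findings


# Constructed sample inputs (not taken from a real installation; the section
# name and the second key are illustrative only).
CLEAN_INI = "[blackice]\npacketLog.enabled=true\npacketLog.fileprefix=log\n"
SUSPECT_INI = "[blackice]\npacketLog.fileprefix=" + "A" * 300 + "\n"

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_INI), ("suspect", SUSPECT_INI)):
        print(name, audit_ini(text) or "no findings")
```

A finding is a prompt to review the file and its permissions, not proof of tampering; a legitimate prefix that includes a directory path would also be flagged under this allowlist.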
References:
- BugTraq Mailing List, Wed Jan 28 2004 - 08:32:56 CST: [ISSForum] Third party BlackICE advisory.
- Internet Security Systems Web site: Download Center.
- VulnWatch Mailing List, Tue Jan 27 2004 - 20:36:46 CST: SRT2004-01-17-0227 - BlackICE allows local users to become SYSTEM.
- BID-9513: Internet Security Systems BlackICE PC Protection Upgrade File Permission Vulnerability
- BID-9514: Internet Security Systems BlackICE PC Protection blackd.exe Local Buffer Overrun Vulnerability
- CVE-2004-2125: Buffer overflow in blackd.exe for BlackICE PC Protection 3.6 and other versions before 3.6.ccb, with application protection off, allows local users to gain system privileges by modifying the .INI file to contain a long packetLog.fileprefix value.
- CVE-2004-2126: The upgrade for BlackICE PC Protection 3.6 and earlier sets insecure permissions for .INI files such as (1) blackice.ini, (2) firewall.ini, (3) protect.ini, or (4) sigs.ini, which allows local users to modify BlackICE configuration or possibly execute arbitrary code by exploiting vulnerabilities in the .INI parsers.
- OSVDB ID: 3740: BlackICE PC Protection blackd.exe Local Overflow
- SA10739: BlackICE PC Protection Privilege Escalation Vulnerability
Platforms Affected:
- IBM ISS BlackICE PC Protection 3.6 cbd
- IBM ISS BlackICE Server Protection 3.6 cbz
- IBM ISS RealSecure Desktop 3.6 eca
- IBM ISS RealSecure Desktop 7.0 ebg
- ISS BlackICE Agent for Server 3.6 eca
Reported:
Jan 27, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
