ID CVE-2004-2126 Type cve Reporter NVD Modified 2016-10-17T23:06:43
Description
The upgrade for BlackICE PC Protection 3.6 and earlier sets insecure permissions for .INI files such as (1) blackice.ini, (2) firewall.ini, (3) protect.ini, or (4) sigs.ini, which allows local users to modify BlackICE configuration or possibly execute arbitrary code by exploiting vulnerabilities in the .INI parsers.
{"osvdb": [{"lastseen": "2017-04-28T13:20:03", "bulletinFamily": "software", "description": "## Vulnerability Description\nBlackICE/PC Protection contains a flaw that may allow a local attacker to modify program settings. The issue is due to several key configuration files being installed with everyone/full access privileges. The firewall.ini, blackice.ini and sigs.ini configuration files each contain critical options and rules that significantly alter the program's behavior. By editing these files, an attacker could edit rules that govern system traffic and more.\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Immediately after installation, change privileges so that only authorized users can modify the firewall.ini, blackice.ini and sigs.ini configuration files.\n## Short Description\nBlackICE/PC Protection contains a flaw that may allow a local attacker to modify program settings. The issue is due to several key configuration files being installed with everyone/full access privileges. The firewall.ini, blackice.ini and sigs.ini configuration files each contain critical options and rules that significantly alter the program's behavior. 
By editing these files, an attacker could edit rules that govern system traffic and more.\n## References:\n[Related OSVDB ID: 8721](https://vulners.com/osvdb/OSVDB:8721)\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0449.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0458.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-08/0150.html\nISS X-Force ID: 16959\n[CVE-2004-2126](https://vulners.com/cve/CVE-2004-2126)\n", "modified": "2004-08-14T05:02:10", "published": "2004-08-14T05:02:10", "href": "https://vulners.com/osvdb/OSVDB:8701", "id": "OSVDB:8701", "type": "osvdb", "title": "BlackICE/PC Protection Configuration File Insecure Permissions", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:02", "bulletinFamily": "scanner", "description": "ISS BlackICE is a personal Firewall/IDS for windows Desktops. Based on the version number, the remote BlackICE install is vulnerable to a local attack due to incorrect file permissions.\n\n*** Nessus based the results of this test on the contents of *** the local BlackICE configuration file.", "modified": "2018-11-15T00:00:00", "id": "BLACKICE_CONFIGS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=14270", "published": "2004-08-13T00:00:00", "title": "ISS BlackICE/PC Protection Unprivileged User Local DoS", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(14270);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n script_cve_id(\"CVE-2004-1714\", \"CVE-2004-2126\");\n script_bugtraq_id(10915);\n\n script_name(english:\"ISS BlackICE/PC Protection Unprivileged User Local DoS\");\n script_summary(english:\"ISS BlackICE Vulnerable config file detection\");\n\n script_set_attribute(attribute:\"synopsis\", 
value:\n\"The firewall running on the remote host has a local buffer overflow\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"ISS BlackICE is a personal Firewall/IDS for windows Desktops. Based on\nthe version number, the remote BlackICE install is vulnerable to a\nlocal attack due to incorrect file permissions.\n\n*** Nessus based the results of this test on the contents of *** the\nlocal BlackICE configuration file.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2004/Aug/153\");\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/fulldisclosure/2004/Aug/494\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/fulldisclosure/2004/Aug/506\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to the latest version of BlackICE.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_func.inc\");\ninclude(\"audit.inc\");\n\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\nport = kb_smb_transport();\n\nif(! 
smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\nr = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif ( r != 1 ) exit(0);\n\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif ( isnull(hklm) )\n{\n NetUseDel();\n exit(0);\n}\n\nkey_h = RegOpenKey(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\blackd.exe\", handle:hklm, mode:MAXIMUM_ALLOWED);\nif ( isnull(key_h) )\n{\n RegCloseKey(handle:hklm);\n NetUseDel();\n exit(0);\n}\n\nitem = RegQueryValue(handle:key_h, item:\"Default\");\nRegCloseKey(handle:key_h);\nRegCloseKey(handle:hklm);\nif ( isnull(item) ) {\n\tNetUseDel();\n\texit(1);\n\t}\n\nNetUseDel(close:FALSE);\n\nmyfile = str_replace(find:\".exe\", replace:\".log\", string:item[1]);\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:myfile);\nfile = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\", string:myfile);\n\nr = NetUseAdd(login:login, password:pass, domain:domain, share:share);\nif ( r != 1)\n{\n NetUseDel();\n exit(1);\n}\n\nhandle = CreateFile (file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING) ;\n\nif ( isnull(handle) )\n{\n NetUseDel();\n exit(1);\n}\n\nmyread = ReadFile(handle:handle, length:2048, offset:0);\nCloseFile(handle:handle);\n\nif ( isnull(myread) )\n{\n NetUseDel();\n exit(1);\n}\n\nNetUseDel();\n\nmyread = str_replace(find:raw_string(0), replace:\"\", string:myread);\n\nversion = egrep(string:myread, pattern:\"BlackICE Product Version\");\nif ( version )\n{\n\tset_kb_item(name:\"SMB/BlackICE/Version\", value:version);\n \tif (ereg(string:version, pattern:\"BlackICE Product Version.*3\\.([0-5]\\.cdf|6\\.c(b[drz]|c[a-h]|df))\")) security_warning(port);\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:07:51", "bulletinFamily": "scanner", "description": "ISS BlackICE is a personal 
Firewall/IDS for windows Desktops. Several remote holes have been found in the product. An attacker, exploiting these flaws, would be able to either crash the remote firewall/IDS service or execute code on the target machine.\n\nAccording to the remote version number, the remote host is vulnerable to at least one remote overflow.", "modified": "2018-06-27T00:00:00", "id": "BLACKICE_VERSION_CHECKER.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12114", "published": "2004-03-19T00:00:00", "title": "ISS BlackICE Multiple Remote Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(12114);\n script_version(\"1.30\");\n script_cvs_date(\"Date: 2018/06/27 18:42:27\");\n\n script_cve_id(\n \"CVE-2000-0562\",\n \"CVE-2002-0237\",\n \"CVE-2002-0956\",\n \"CVE-2002-0957\",\n \"CVE-2004-0193\",\n \"CVE-2004-2125\",\n \"CVE-2004-2126\"\n );\n script_bugtraq_id(1389, 4025, 4950, 9513, 9514, 9752);\n\n script_name(english:\"ISS BlackICE Multiple Remote Vulnerabilities\");\n script_summary(english:\"ISS BlackICE Vulnerable version detection\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The firewall running on the remote host has multiple buffer overflow\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"ISS BlackICE is a personal Firewall/IDS for windows Desktops. Several\nremote holes have been found in the product. 
An attacker, exploiting\nthese flaws, would be able to either crash the remote firewall/IDS\nservice or execute code on the target machine.\n\nAccording to the remote version number, the remote host is vulnerable\nto at least one remote overflow.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.eeye.com/html/Research/Advisories/AD20040226.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.eeye.com/html/Research/Advisories/AD20040318.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to the latest version of BlackICE.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2000/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/03/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/02/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"blackice_configs.nasl\");\n script_require_keys(\"SMB/BlackICE/Version\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"smb_func.inc\");\nmyread = get_kb_item(\"SMB/BlackICE/Version\");\nif ( ! 
myread ) exit(0);\n\n\n# what does the logfile format look like:\n# ---------- BLACKD.LOG\n# [25]Fri, 19 Mar 2004 09:58:20: BlackICE Product Version : 7.0.ebf\n\nif (strstr(myread, \"BlackICE Product Version\")) {\n # all versions 7.0 eba through ebh and 3.6 ebr through ecb\n if (egrep(string:myread, pattern:\"BlackICE Product Version.*(7\\.0\\.eb[a-h]|3\\.6\\.e(b[r-z]|c[ab]))\")) {\n # do a warning for smb bug\n mywarning = string(\n\"According to the remote version number, the remote host is vulnerable\nto a bug wherein a malformed SMB packet will allow the attacker to execute\narbitrary code on the target system.\");\n port = kb_smb_transport();\n if (!port) port = 139;\n security_hole(port:port, extra:mywarning);\n }\n\n\n # all versions prior to 7.0.ebl and 3.6.ecf\n if ( (egrep(string:myread, pattern:\"BlackICE Product Version.*[0-6]\\.[0-9]\\.[a-z][a-z][a-z]\")) ||\n (egrep(string:myread, pattern:\"BlackICE Product Version.*7\\.0\\.([a-d][a-z][a-z]|e(a[a-z]|b[a-h]))\")) ) {\n mywarning = string(\n\"According to the remote version number, the remote host is vulnerable\nto a bug wherein a malformed ICQ packet will allow the attacker to execute\narbitrary code on the target system.\");\n port = kb_smb_transport();\n if (!port) port = 139;\n security_hole(port:port, extra:mywarning);\n }\n\n\n # only certain versions which have a default config issue\n # VULN VERSION:\n # 7.0 eb[j-m]\n # 3.6 ec[d-g]\n # 3.6 cc[d-g]\n\n if (egrep(string:myread, pattern:\"BlackICE Product Version.*(7\\.0\\.eb[j-m]|3\\.6\\.(ec[d-g]|cc[d-g]))\")) {\n #warning for misconfiguration\n mywarning = string(\n\"Nessus detected a version of BlackICE with insecure default settings.\");\n port = kb_smb_transport();\n if (!port) port = 139;\n security_hole(port:port, extra:mywarning);\n }\n\n}\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}