Hi!
I've been using BlackICE PC Protection (formerly known as BlackICE Defender)
for a very long time[1, 2]. It is one of my favorite host-based intrusion
detection systems and personal firewalls for Windows.
During some tests for a paper on cross-site scripting I've seen that
there is an evasion possibility in BlackICE PC Protection. If I'm
realizing such a request with a GET or POST method, the cross-site
scripting is possible but I get an alert[3]:
> [Unauthorized Access Attempt] This signature detects if an HTTP GET
> request contains a 'script' tag.
It seems that BlackICE PC Protection doesn't check HEAD, PUT, DELETE,
and TRACE requests for the <script> pattern. So it is possible to evade
detection of the successful cross-site scripting attempt with a PUT or
DELETE attempt. That's because these two are the only request methods
that let me implant an arbitrary script. This is not a really critical
issue, but good to know.
I checked this with BlackICE PC Protection 3.6cbd and Apache 1.3.27. If
I push the "Event Info" button I'll get the page
http://www.iss.net/security_center/reference/2000640.html. It states there
that other ISS products have this security check too:
- BlackICE Agent for Server
- BlackICE PC Protection
- BlackICE Server Protection
- RealSecure Desktop Protector
- RealSecure Guard
- RealSecure Network Sensor
- RealSecure Sentry
- RealSecure Server Sensor
I can't say definitively that these products are affected too. It may be
possible.
My suggestion is to extend the pattern matching to the other possible
HTTP request methods as well, especially PUT and DELETE. For example,
my Snort host is not affected by such an evasion[4]:
--- cut ---
debian:/etc/snort/rules# head web-misc.rules
# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: web-misc.rules,v 1.92.2.2 2003/02/07 22:05:16 cazz Exp $
#---------------
# WEB-MISC RULES
#---------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting \(img src=javascript\) attempt"; flow:to_server,established; content:"img src=javascript"; nocase; classtype:web-application-attack; sid:1667; rev:4;)
[...]
--- cut ---
I informed Internet Security Systems (ISS) about this flaw. I sent my
suggestion on Sat, 10 May 2003 11:51:07 +0200 to
[email protected] and [email protected]
Bye, Marc
[1] http://www.iss.net
[2]
http://www.computec.ch/dokumente/firewalling/desktop-firewalls/desktop-firewalls.html
[3] http://www.cgisecurity.com/articles/xss-faq.shtml
[4] http://www.snort.org
--
Computers, Technology and Security http://www.computec.ch/
"All technology is a Faustian pact with the devil."
Neil Postman, American sociologist and media critic
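As an added illustration of the suggestion in the post above (example code written here, not code from the post, from ISS or from the Snort project), a small checker that applies the two quoted Snort content patterns to a raw HTTP request regardless of its method, with an optional method filter that reproduces the GET-only behaviour the post describes. The sample requests and the hostname are constructed.

```python
import re
from typing import List, Optional, Set

# Signatures taken from the Snort rules quoted in the post. Like the rules
# (content + nocase), they are matched case-insensitively against the whole
# client request: request line, headers and body, whatever the method.
SIGNATURES = {
    "WEB-MISC cross site scripting attempt": re.compile(rb"<script>", re.I),
    "WEB-MISC cross site scripting (img src=javascript) attempt":
        re.compile(rb"img src=javascript", re.I),
}


def request_method(raw: bytes) -> str:
    """Return the HTTP method from the request line ('' if malformed)."""
    first_line = raw.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return parts[0].decode("ascii", "replace") if len(parts) == 3 else ""


def match_signatures(raw: bytes, methods: Optional[Set[str]] = None) -> List[str]:
    """Return the names of the signatures that fire on a raw HTTP request.

    methods=None inspects every request method. A set such as {"GET"}
    reproduces the weaker behaviour described in the post, where only GET
    requests are checked and a PUT carrying the same payload goes unnoticed.
    """
    if methods is not None and request_method(raw) not in methods:
        return []
    return [name for name, pattern in SIGNATURES.items() if pattern.search(raw)]


# Constructed sample requests (not captured traffic); host is a placeholder.
GET_REQ = (b"GET /guestbook.cgi?name=<script>x</script> HTTP/1.0\r\n"
           b"Host: www.example.org\r\n\r\n")
PUT_REQ = (b"PUT /upload/entry.html HTTP/1.0\r\n"
           b"Host: www.example.org\r\nContent-Length: 29\r\n\r\n"
           b"<p>hi</p><SCRIPT>x</SCRIPT>")
HEAD_REQ = b"HEAD /index.html HTTP/1.0\r\nHost: www.example.org\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("GET", GET_REQ), ("PUT", PUT_REQ), ("HEAD", HEAD_REQ)):
        print(label, "| GET-only check:", match_signatures(req, {"GET"}),
              "| all methods:", match_signatures(req))
```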