qcred11
BlackICE PC Protection / Server Protection
    Tested on version 3.6.cno
    An unprivileged local user can prevent anyone from using BlackICE

       
Background
-------------
BlackICE is a host firewall developed by ISS (Internet Security Systems). It
suffers from a local attack: any user who can log on to the machine can modify
firewall.ini and insert a corrupted firewall rule. On the next restart BlackICE
(blackice.exe and blackd.exe) crashes; the applications catch the exception
but then fail to load.
This leaves the firewall disabled for every user who attempts to run it.


Exploit:
-------------
When BlackICE is installed it creates the file firewall.ini under
C:\Program Files\ISS\Blackice. By default the ACL on this file grants
EVERYONE Full Control.
This allows any local unprivileged user to remove or modify the BlackICE
firewall rules outright. An attacker who wanted to be sneakier could, from
nothing more than a Guest account, stop the firewall from running at all by
inserting an overly long firewall rule such as the one below.



REJECT, 138, default, 1999-07-22 20:26:53, AAAAAAAAAAAAAAAAA.... , 2000, unknown

(approximately 1000 A's)


This causes BlackICE to crash the next time it is restarted, but no message,
popup or warning is shown to the user; even the 'eye' icon in the taskbar fails
to load, so the user gets no indication that the firewall is not running.
The victim would simply conclude that the firewall is 'corrupted' or somehow
broken if they tried to start it by hand. Unless they thought to inspect and
edit firewall.ini themselves, they would probably reinstall BlackICE, if they
even noticed it was no longer running in the first place.


Although this is not a major flaw, it gives an unprivileged local user a
quiet way to disable the firewall without conspicuously removing the rules.
Once the firewall is down, other daemons running on the desktop or server
that it previously protected can be attacked. The cause of the crash is hard
for the average Internet user to diagnose, and by default nothing about the
crash is written to any of the BlackICE logs.


Suggestions/Work Around:
-------------
Change the ACL on firewall.ini so that EVERYONE no longer has Full Control;
unprivileged local users should not be able to write to the file at all.
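The following PowerShell is an added example, not part of the original advisory or of the BlackICE product. It does the two things a responder would want after reading the above: scan firewall.ini for the over-long rule field the advisory describes, and report (or, with -Fix, remove) the Everyone/Users write access that makes the attack possible. It assumes the default install path quoted in the advisory, that rules are single comma-separated lines shaped like the sample rule, and an assumed 128-character field threshold; the Get-WritableEntries helper and the decision to leave Everyone with ReadAndExecute are also the example's own choices.

```powershell
# Added example, not from the original advisory. Assumptions: the default
# install path quoted in the advisory, and that firewall.ini rules are single
# comma-separated lines shaped like the sample rule shown there.
$IniPath = 'C:\Program Files\ISS\Blackice\firewall.ini'

# Part 1: look for the tampering the advisory describes. Any comma-separated
# field longer than the threshold is reported (the advisory's rule used about
# 1000 'A's; 128 is an assumed threshold, not a documented BlackICE limit).
function Find-OversizedRules {
    param(
        [string]$Path = $IniPath,
        [int]$MaxFieldLength = 128
    )
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        $longest = 0
        foreach ($field in ($line -split ',')) {
            $len = $field.Trim().Length
            if ($len -gt $longest) { $longest = $len }
        }
        if ($longest -gt $MaxFieldLength) {
            [pscustomobject]@{
                Line        = $lineNo
                FieldLength = $longest
                Preview     = $line.Substring(0, [Math]::Min(60, $line.Length)) + '...'
            }
        }
    }
}

# Part 2: report (and with -Fix, remove) Allow entries that let Everyone or
# ordinary Users write the file. Any Write bit is enough to plant a rule, so
# Modify and Full Control entries are caught as well.
function Test-FirewallIniAcl {
    param(
        [string]$Path = $IniPath,
        [switch]$Fix
    )
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    $lowPriv   = @('Everyone', 'BUILTIN\Users')

    # Helper (example's own): the Allow ACEs that give low-privilege principals any write bit.
    function Get-WritableEntries($acl) {
        @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0)
        })
    }

    $acl = Get-Acl -Path $Path
    $bad = Get-WritableEntries $acl

    if ($Fix -and $bad.Count -gt 0) {
        # The entries may be inherited from the directory, so break inheritance
        # (keeping copies of the inherited ACEs) so they become removable.
        $acl.SetAccessRuleProtection($true, $true)
        foreach ($rule in (Get-WritableEntries $acl)) {
            [void]$acl.RemoveAccessRule($rule)
        }
        # Assumption: the tray UI still needs to read the rules, so Everyone keeps
        # ReadAndExecute. Administrators/SYSTEM entries are left untouched.
        $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'Everyone', 'ReadAndExecute', 'Allow'
        $acl.AddAccessRule($readOnly)
        Set-Acl -Path $Path -AclObject $acl   # requires an elevated prompt
        $acl = Get-Acl -Path $Path
        $bad = Get-WritableEntries $acl
    }

    [pscustomobject]@{
        Path             = $Path
        LowPrivCanWrite  = ($bad.Count -gt 0)
        OffendingEntries = @($bad | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    }
}

Find-OversizedRules | Format-Table -AutoSize
Test-FirewallIniAcl            # report only
# Test-FirewallIniAcl -Fix     # from an elevated prompt, applies the work-around
```

Run the report first: if LowPrivCanWrite is true the box is in the state the advisory describes, and Find-OversizedRules tells you whether someone has already used it. After -Fix, re-run both to confirm the file is read-only for unprivileged users and restart BlackICE to confirm it still loads its rules.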

ssj4conejo
Never liked BlackICE on a Windows box, it's one of the worst firewalls you can install. Not surprised it's easily compromisable by physical attack.