[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] ISS BlackICE PC Protection Filelock protection bypass Vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] ISS BlackICE PC Protection Filelock protection bypass Vulnerability
- From: Matousec - Transparent security Research <research@xxxxxxxxxxxx>
- Date: Sun, 15 Oct 2006 18:42:41 +0200
Hello,
We would like to inform you about a vulnerability in ISS BlackICE PC Protection.
Description:
BlackICE PC Protection protects its files against manipulation by malicious
software. Its critical files like its
database of trusted applications or firewall configuration are protected. The
list of protected files is stored in
filelock.txt in the BlackICE installation directory. If this file is deleted
files mentioned in filelock.txt are not
protected any more and can be changed by malicious applications. The
implemented protection allows malicious
applications to delete this file using native API function ZwDeleteFile. This
can result in a bypass of all BlackICE
protection mechanisms because its internal componenets can be replaced with
fake copies. The situation is even easier
for the attacker because the component control fails to recognize fake
components in BlackICE processes.
Vulnerable software:
* BlackICE PC Protection 3.6.cpu
* BlackICE PC Protection 3.6.cpj
* probably all versions of BlackICE PC Protection 3.6
* possibly older versions of BlackICE PC Protection
More details and a proof of concept including source code is available here:
http://www.matousec.com/info/advisories/BlackICE-Filelock-protection-bypass.php
Regards,
--
Matousec - Transparent security Research
http://www.matousec.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/