Hi!

I have been using BlackICE PC Protection (formerly known as BlackICE Defender) for a very long time[1, 2]. It is one of my favorite host-based intrusion detection systems and personal firewalls for Windows.

During some tests for a paper on cross-site scripting I have seen that there is an evasion possibility in BlackICE PC Protection. If I perform such a request with the GET or POST method, the cross-site scripting is possible but I get an alert[3]:

> [Unauthorized Access Attempt] This signature detects if an HTTP GET
> request contains a 'script' tag.

It seems that BlackICE PC Protection doesn't check HEAD, PUT, DELETE, and TRACE requests for the <script> pattern. So it is possible to slip a successful cross-site scripting attempt past it with a PUT or DELETE request. That's because these two are the only request methods that let me implant an arbitrary script. This is not a really critical issue, but good to know.

I checked this with BlackICE PC Protection 3.6cbd and Apache 1.3.27.

If I push the "Event Info" button I get the page http://www.iss.net/security_center/reference/2000640.html. It says that other ISS products have this security check too:

- BlackICE Agent for Server
- BlackICE PC Protection
- BlackICE Server Protection
- RealSecure Desktop Protector
- RealSecure Guard
- RealSecure Network Sensor
- RealSecure Sentry
- RealSecure Server Sensor

I can't say definitively that these products are affected too. It may be possible.

My suggestion is to extend the pattern matching to the other possible HTTP request methods as well, especially PUT and DELETE. For example, my Snort host is not affected by such an evasion[4]:

--- cut ---
debian:/etc/snort/rules# head web-misc.rules
# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: web-misc.rules,v 1.92.2.2 2003/02/07 22:05:16 cazz Exp $
#---------------
# WEB-MISC RULES
#---------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting \(img src=javascript\) attempt"; flow:to_server,established; content:"img src=javascript"; nocase; classtype:web-application-attack; sid:1667; rev:4;)
[...]
--- cut ---

I informed Internet Security Systems (ISS) about this flaw. I sent my suggestion at Sat, 10 May 2003 11:51:07 +0200 to support-L1at_private and supportat_private

Bye,
Marc

[1] http://www.iss.net
[2] http://www.computec.ch/dokumente/firewalling/desktop-firewalls/desktop-firewalls.html
[3] http://www.cgisecurity.com/articles/xss-faq.shtml
[4] http://www.snort.org

--
Computers, Technology and Security
http://www.computec.ch/
"All technology is a Faustian bargain with the devil."
Neil Postman, American sociologist and media critic

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
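The following Python is an added illustration of the evasion described in the post above; it is not part of Marc's message and not BlackICE's or Snort's code. It builds raw HTTP requests that carry a script tag with each of the six methods mentioned and runs them through two toy detectors: one that, as a hypothetical model of the behaviour the post observed, inspects only GET and POST, and one that applies the same pattern to every method (the suggested fix). A third function mimics the literal `content:"<SCRIPT>"; nocase;` match of Snort sid 1497 as quoted in the post. The host name, path and payloads are constructed for the example, and the payload is sent unencoded, as a raw client rather than a browser would send it.

```python
"""Added example: HTTP-method evasion of a script-tag signature, modelled
offline. Not BlackICE's or Snort's implementation; host, path and payloads
are constructed."""
import re

METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "TRACE")
BODY_METHODS = {"POST", "PUT"}          # methods for which a body is also sent

HOST = "www.example.test"               # assumed target, constructed
PATH = "/search.php"                    # assumed reflecting page, constructed

# Opening script tag in any case, followed by '>' or whitespace, so that
# both "<script>" and "<script src=...>" are caught.
SCRIPT_OPEN_RE = re.compile(rb"<script[\s>]", re.IGNORECASE)

# Snort sid 1497 in the post uses content:"<SCRIPT>"; nocase; which is the
# literal eight bytes, so a tag with attributes is not covered by that rule.
SNORT_1497_CONTENT = b"<script>"


def build_request(method: str, payload: str) -> bytes:
    """Raw HTTP/1.0 request with `payload` unencoded in the query string and,
    for POST/PUT, repeated in the body."""
    body = f"q={payload}".encode() if method in BODY_METHODS else b""
    head = (
        f"{method} {PATH}?q={payload} HTTP/1.0\r\n"
        f"Host: {HOST}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode()
    return head + body


def request_method(raw: bytes) -> str:
    """First token of the request line."""
    return raw.split(b" ", 1)[0].decode("ascii", "replace")


def method_limited_detector(raw: bytes) -> bool:
    """Hypothetical model of the observed behaviour: the script-tag check is
    applied to GET and POST only, so HEAD/PUT/DELETE/TRACE pass unseen."""
    return request_method(raw) in ("GET", "POST") and bool(SCRIPT_OPEN_RE.search(raw))


def method_agnostic_detector(raw: bytes) -> bool:
    """The suggested fix: same pattern, every request method."""
    return bool(SCRIPT_OPEN_RE.search(raw))


def snort_1497_like(raw: bytes) -> bool:
    """Case-insensitive match of the literal '<SCRIPT>' anywhere in the
    request, regardless of method (sid 1497 has no method condition)."""
    return SNORT_1497_CONTENT in raw.lower()


def evasion_matrix(payload: str) -> dict:
    """method -> (method_limited, method_agnostic, snort_1497_like)."""
    matrix = {}
    for method in METHODS:
        raw = build_request(method, payload)
        matrix[method] = (
            method_limited_detector(raw),
            method_agnostic_detector(raw),
            snort_1497_like(raw),
        )
    return matrix


def undetected_methods(payload: str) -> list:
    """Methods where the request carries a script tag but the method-limited
    detector stays silent: the evasion window the post describes."""
    return [
        method
        for method, (limited, agnostic, _) in evasion_matrix(payload).items()
        if agnostic and not limited
    ]


if __name__ == "__main__":
    for payload in ("<script>alert(1)</script>",
                    "<script src=http://attacker.test/x.js></script>"):
        print(payload)
        for method, (limited, agnostic, snort) in evasion_matrix(payload).items():
            print(f"  {method:<6} get/post-only={limited!s:<5} "
                  f"any-method={agnostic!s:<5} sid1497={snort}")
        print("  undetected by get/post-only check:", undetected_methods(payload))
```

Running it shows HEAD, PUT, DELETE and TRACE requests passing the GET/POST-only check while the method-agnostic check flags all six. The second payload also shows a caveat worth noting about the Snort rule quoted above: because sid 1497 matches the literal `<SCRIPT>`, a tag written with attributes (`<script src=...>`) does not contain that byte sequence and is not matched by 1497, whatever the method; anchoring the pattern on the tag's opening `<script` followed by whitespace or `>` closes that gap.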
This archive was generated by hypermail 2b30 : Sat Jun 14 2003 - 10:10:53 PDT