ICECap Manager Blank Password and Code Execution

Reported May 11 by rain.forest.puppy

VERSIONS AFFECTED
NetworkICE ICECap Manager 2.0.23

DESCRIPTION

According to the bulletin released by the discoverer, "BlackICE IDS uses a management console called ICECap to collect and monitor alerts sent by the various installed BlackICE agents. The ICECap user console sits on port 8081 (included HTTP server), and alerts are pushed to another server listening on port 8082.

The first problem is that the software uses a default login of "iceman", with no password. This means we can log onto the console on port 8081, or push it alerts on port 8082.

The second problem is that the software uses, by default, the Microsoft Jet 3.5 engine to store alerts. If you couple that with the shell VBA problem (CVE: CAN-2000-0325), that means you can push alerts that contain commands to be executed on the ICECap system."

DEMONSTRATION

RFPickAxe code written in PERL.

VENDOR RESPONSE

A new version of ICEcap (2.0.23a) contains the following fixes:

  • As described in KB article q000164, it "scrubs" data before inserting into the database in order to protect against injected data designed to compromise the database.
  • It now warns users if non-existent passwords are left on accounts, which can lead to a security weakness as described in q000165.
  • It only accepts encrypted events, fixing an issue whereby events could be injected into the system as described in KB article q000166.
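
An added example, not part of the original advisory or NetworkICE's code: a Python sketch of the three fixes listed above applied to a stand-in alert collector. It assumes sqlite3 in place of Jet, bound parameters in place of the vendor's data scrubbing, and an HMAC tag in place of the vendor's event encryption; all function names, keys and sample alerts are constructed.

```python
import hashlib
import hmac
import sqlite3

class RejectedEvent(Exception):
    """A pushed alert failed an ingest check and was not stored."""

def audit_blank_passwords(accounts):
    """Return the names of accounts whose password is empty or missing."""
    return sorted(name for name, pw in accounts.items() if not pw)

def make_tag(key, agent_id, fields):
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (agent_id, *fields):
        raw = part.encode("utf-8")
        mac.update(len(raw).to_bytes(4, "big") + raw)
    return mac.hexdigest()

def open_store():
    """In-memory sqlite3 table standing in for the alert database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alerts (agent TEXT, name TEXT, detail TEXT)")
    return db

def ingest_alert(db, agent_keys, agent_id, fields, tag):
    """Store one alert only if the sender holds the agent's key."""
    key = agent_keys.get(agent_id)
    if not key:  # unknown agent, or an agent provisioned with an empty key
        raise RejectedEvent("no usable key for agent")
    if not hmac.compare_digest(make_tag(key, agent_id, fields), tag):
        raise RejectedEvent("authentication tag mismatch")
    name, detail = fields
    # Bound parameters: alert text travels as data, never as statement text.
    db.execute("INSERT INTO alerts VALUES (?, ?, ?)", (agent_id, name, detail))

if __name__ == "__main__":
    # Constructed sample data; "iceman" is the default account named above.
    print(audit_blank_passwords({"iceman": "", "analyst": "long-passphrase"}))
    keys = {"agent-01": b"constructed-demo-key"}
    db = open_store()
    alert = ("Port scan", 'it\'s a "quoted" |value|')
    ingest_alert(db, keys, "agent-01", alert, make_tag(keys["agent-01"], "agent-01", alert))
    print(db.execute("SELECT * FROM alerts").fetchall())
```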

CREDITS
Discovered and reported by rain.forest.puppy
