BlackICE does not protect pamversion.dll in its installation directory, and because its component protection fails to protect BlackICE's own processes, this can be misused to inject a fake DLL into the BlackICE service.
91b50a33f2fdb9350d7974f8965ac76e6398400c864849ded4a9489604966256
Advisory 2006-08-01.01
BlackICE DLL faking of run-time linked libraries Vulnerability
Basic information:
Release date: August 01, 2006
Last update: August 15, 2006
Type: Incomplete design implementation bugs
Character: Complete system control
Status: Unpatched bugs
Risk: Critical bugs
Exploitability: Locally exploitable bugs
Discoverability: Medium discoverable bugs
Testing program: BTP00022P003BI.zip
Description:
BlackICE implements application component protection for privileged programs, but it fails to protect some of its own processes. Moreover, it does not protect the file 'pamversion.dll' in its own installation directory against actions of other processes, so this DLL can be replaced with a fake library. The main BlackICE service 'blackd.exe' dynamically loads this library into its own process during the initialization of BlackICE after system start. Hence it is possible to inject the fake library into the BlackICE service and gain complete control of the protection system.
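A defender-side check for the condition described above, as an added example that is not part of the original advisory or of BlackICE: it records SHA-256 hashes of the DLLs in a service's installation directory and reports any that have changed, appeared or disappeared since a known-good baseline. Only the name `pamversion.dll` comes from the advisory; the temporary directory, the second file name and the file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large libraries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_dlls(install_dir):
    """Map each DLL name (lower-cased; Windows names are case-insensitive) to its SHA-256."""
    return {
        name.lower(): sha256_file(os.path.join(install_dir, name))
        for name in sorted(os.listdir(install_dir))
        if name.lower().endswith(".dll")
    }


def compare_to_baseline(baseline, install_dir):
    """Return (changed, added, removed) DLL names relative to a trusted baseline."""
    current = snapshot_dlls(install_dir)
    changed = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    added = sorted(n for n in current if n not in baseline)
    removed = sorted(n for n in baseline if n not in current)
    return changed, added, removed


def demo():
    """Constructed scenario: a temp directory stands in for the installation directory."""
    with tempfile.TemporaryDirectory() as install_dir:
        for name, body in (("pamversion.dll", b"vendor build"), ("other.dll", b"vendor build 2")):
            with open(os.path.join(install_dir, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot_dlls(install_dir)  # taken from a known-good install
        # Simulate the library being overwritten before the next service start.
        with open(os.path.join(install_dir, "pamversion.dll"), "wb") as fh:
            fh.write(b"different content")
        return compare_to_baseline(baseline, install_dir)


if __name__ == "__main__":
    print(demo())
```

The baseline has to be stored where the monitored host's processes cannot rewrite it, otherwise the check inherits the same weakness as the unprotected file.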
Vulnerable software:
* BlackICE PC Protection 3.6.cpj
* BlackICE PC Protection 3.6.cpiE
* probably all older versions
Events:
* 2006-08-04: Candidate for inclusion in the CVE list
* 2006-08-04: Vulnerability confirmed by popular information sources
* 2006-08-01: Advisory released
* 2006-08-01: Vendor notification