Atstake Advisory A071502-1 - Norton Personal Internet Firewall 2001 v3.0.4.91 for Windows NT and 2000 contains buffer overflows in the HTTP proxy which allows attackers to overwrite the first 3 bytes of the EDI register, which can lead to remote code execution.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
@stake, Inc.
www.atstake.com
Security Advisory
Advisory Name: Norton Personal Internet Firewall HTTP Proxy
Vulnerability
Release Date: 07/15/2002
Application: AtGuard v3.2
Norton Personal Internet Firewall 2001 v3.0.4.91
Platform: Microsoft Windows NT4 SP6a
Microsoft Windows 2000 SP2
Severity: A buffer overflow occurs potentially allowing the
execution of arbitrary code
Author: Ollie Whitehouse (ollie@atstake.com)
Vendor Status: Informed and patch available
CVE Candidate: CAN-2002-0663
Reference: www.atstake.com/research/advisories/2002/a071502-1.txt
Overview:
Symantec (http://www.symantec.com/) Norton Personal Internet
Firewall is a widely used desktop firewalling application for
Microsoft Windows NT, 98, ME and 2000 platforms. Typically personal
firewalls are deployed upon mobile workstations that leave the
enterprise and may be deployed upon public networks to enable them to
establish connectivity back to the corporation and thus require
protection from malicious attackers while outside the confines of the
enterprise firewall.
There exists a vulnerability within the NPIF's HTTP proxy that allows an
attacker to overwrite the first three (3) bytes of the EDI register and
thus potentially execute malicious code.
This vulnerability is exploitable even if the requesting application is
not configured in the firewall permission setting to make outgoing
requests. An example of such a scenario would be a malicious web page
that contains a disguised link which contains sufficient data to exploit
this vulnerability.
Details:
There is a vulnerability with the way in which the NT kernel based
HTTP proxy of NPIF deals with a large amount of data, that causes a
buffer overflow to occur. The test scenario that @stake used to cause
this exception was as follows:
NPIF configured to allow only Microsoft Internet Explorer out on TCP
port 80 to the public internet. A large outgoing request is then made
by a third party application (i.e. malicious code). If the exploitation
is unsuccessful an NT kernel exception will be thrown, typically
overwriting EDI with user supplied data. If exploitation is successful
an attacker can run arbitrary code within the KERNEL.
Vendor Response:
This issue was reported to Symantec on April 18, 2002. Symantec has an
update that solves this problem. Symantec's advisory regarding this
issue can be found here (wrapped):
http://securityresponse.symantec.com/avcenter/security/
SymantecAdvisories.html
Recommendations:
Due to the fact that this attack has to occur from the host computer,
@stake recommends that there should be a multi-layered approach to
security. This should include anti-virus, user education/awareness as
well as ensuring that vendor patches are deployed for all relevant
software products.
Users should install the update for Norton Personal Internet Firewall
2001.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2002-0663 Norton Personal Internet Firewall Buffer Overflow
@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/
@stake Advisory Archive:
http://www.atstake.com/research/advisories/
PGP Key:
http://www.atstake.com/research/pgp_key.asc
Copyright 2002 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3
iQA/AwUBPTMXw0e9kNIfAm4yEQJZLACfUzmto6R1y+Usq8x6DR+PLiNZg8kAoJpb
h/TF6PuGpHe3FyLE1ubX/pmk
=BU1O
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In response to @stake's posting,
<advisories@atstake.com>
Sent by: "Chris Wysopal" <cwysopal@atstake.com>
07/15/2002 01:50 PM
To: <vulnwatch@vulnwatch.org>
cc:
Subject: [VulnWatch] Advisory Name: Norton Personal Internet
Firewall HTTP Proxy Vulnerability
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
@stake, Inc.
www.atstake.com
Security Advisory
Advisory Name: Norton Personal Internet Firewall HTTP Proxy
Vulnerability
Release Date: 07/15/2002
Application: AtGuard v3.2
Norton Personal Internet Firewall 2001 v3.0.4.91
Platform: Microsoft Windows NT4 SP6a
Microsoft Windows 2000 SP2
Severity: A buffer overflow occurs potentially allowing the
execution of arbitrary code
Author: Ollie Whitehouse (ollie@atstake.com)
Vendor Status: Informed and patch available
CVE Candidate: CAN-2002-0663
Reference: www.atstake.com/research/advisories/2002/a071502-1.txt
Overview:
Symantec (http://www.symantec.com/) Norton Personal Internet
Firewall is a widely used desktop firewalling application for
Microsoft Windows NT, 98, ME and 2000 platforms. Typically personal
firewalls are deployed upon mobile workstations that leave the
enterprise
- --------------------snip-----------------------snip-------------------
- -----------------------------------------------------------------
15 July 2002
Symantec Norton Internet Security 2001 Denial of Service Buffer
Overflow
Risk
low
Overview
@stake notified Symantec of a denial of service problem with outgoing
http request through the http filter component on the Symantec
Norton Internet Security 2001 personal firewall. Certain malformed
requests resulted in a general protection fault (GPF) on the system.
Components Affected
Symantec Norton Internet Security 2001
Symantec Norton Personal Firewall 2001
Description
The security professionals with @stake discovered a buffer overflow
condition in the handling of outgoing http requests by the http
filter on the Symantec Norton Internet Security 2001. During
Symantec's testing this issue was found to impact the Symantec Norton
Personal Firewall 2001 as well. The buffer overflow condition
overwrites the first three bytes of the EDI register causing a kernel
exception, resulting in a GPF on the targeted system and requiring a
reboot.
The GPF is the result of improper error checking in the array
allocated to store the hostname specified in the outgoing connection.
By supplying an abnormally long hostname in the outgoing http request,
the buffer in the http filter is overrun causing the kernel
exception and the GPF.
This exception occurs whether the firewall rules permit outgoing http
connections or not.
Symantec Response
Symantec engineers verified the buffer overflow condition exists in
Symantec's Norton Internet Security 2001 and Symantec's Norton
Personal Firewall 2001. They have further determined that the GPF
does not occur in the latest release of Symantec's Norton Personal
Firewall 2002, Norton Internet Security 2002 or Norton Internet
Security 2002 Professional Edition.
However, Symantec takes any product issue such as this very
seriously. We are developing a patch for Symantec Norton Internet
Security 2001 and Personal Firewall 2001 to address this issue. The
patch will be available via LiveUpdate when completed. We are further
enhancing the capabilities of future Symantec products to provide
additional protection against these types of issues.
There are some circumstances that greatly mitigate the risk
associated with this issue. The buffer overflow condition identified
by @stake occurs only in outgoing http requests through the Symantec
Norton Internet Security and Personal Firewall product's http filter.
Any attempt to launch an attack of this nature requires the attacker
to either have or be able to gain local access to the targeted
system in order to initiate the http request or cause the system
user, through a malicious email attachment or by directing the user
to a malicious web site, to download and execute malicious code on
their system.
Symantec recommends using a multi-layered approach to security.
Users, at a minimum, should run both personal firewall and antivirus
applications with current updates to provide multiple points of
detection and protection to both inbound and outbound threats.
Users should keep vendor-supplied patches for all application
software and operating systems up-to-date.
Users should further be wary of mysterious attachments and
executables delivered via email.
Do not open attachments or executables from unknown sources. Always
err on the side of caution.
Even if the sender is known, be wary of attachments if the sender
does not explain the attachment content in the body of the email. You
do not know the source of the attachment.
If in doubt, contact the sender before opening the attachment. If
still in doubt, delete the attachment without opening it.
Credit:
Symantec takes the security and proper functionality of our products
very seriously. Symantec appreciates the coordination of Ollie
Whitehouse and @stake, Inc. in identifying and providing technical
details of areas of concern as well as working closely with Symantec
so we could properly address the issue. Anyone with information on
security issues with Symantec products should contact
symsecurity@symantec.com
CVE
The Common Vulnerabilities and Exposures (CVE) initiative has
assigned the name CAN-2002-0663 to this issue.
This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security
problems.
Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this alert electronically is granted as
long as it is not edited in any way unless authorized by Symantec
Security Response. Reprinting the whole or parts of this alert in any
medium other than electronically requires permission from
symsecurity@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither
the author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and
SymSecurity are registered trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All
other registered and unregistered trademarks represented in this
document are the sole property of their respective companies/owners.
Symantec Security Response
symsecurity@symantec.com
http://securityresponse.symantec.com
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
iQA/AwUBPTQcPhMwEkwA14VxEQKceACgriQvEvV47iXnuLaUkpkdLq0RnOgAniNu
N2+2aBVp8xV5ZizjqBSlrxbh
=3/XI
-----END PGP SIGNATURE-----
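Both advisories above describe the same defect class: an outgoing HTTP request's hostname copied into a fixed-size array without a length check, so an abnormally long value overruns the buffer and corrupts adjacent state (here, EDI). The following is an added example, not code from @stake, Symantec or either product, showing how such a parser looks when the length is validated before anything is copied. The 255-byte ceiling is the DNS name length limit; the function and status names are this example's own, and every request string in it is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Upper bound on a hostname: the DNS limit of 255 octets. Anything longer
   is rejected before it is copied anywhere. */
#define HOST_MAX 255

enum host_status {
    HOST_OK = 0,        /* hostname copied into the caller's buffer */
    HOST_MISSING = 1,   /* no Host header, or an empty one */
    HOST_TOO_LONG = 2,  /* value exceeds HOST_MAX or the caller's buffer */
    HOST_BAD_CHAR = 3   /* value contains characters a hostname cannot */
};

/* Case-insensitive test for the "Host:" header name at the start of a line. */
static int is_host_header(const char *line, size_t len)
{
    static const char name[] = "host:";
    if (len < sizeof(name) - 1) return 0;
    for (size_t i = 0; i < sizeof(name) - 1; i++)
        if (tolower((unsigned char)line[i]) != name[i]) return 0;
    return 1;
}

/* Copy the value of the Host header of `request` into `out` (capacity outsz).
   The length is checked against both HOST_MAX and outsz before a single byte
   is written, so an over-long value becomes an error code, not an overrun.
   `out` is left untouched unless HOST_OK is returned. */
enum host_status extract_host(const char *request, char *out, size_t outsz)
{
    const char *line = request;
    for (;;) {
        const char *eol = strpbrk(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0) break;                     /* blank line: end of headers */
        if (is_host_header(line, len)) {
            const char *v = line + 5, *vend = line + len;
            while (v < vend && (*v == ' ' || *v == '\t')) v++;           /* trim */
            while (vend > v && (vend[-1] == ' ' || vend[-1] == '\t')) vend--;
            size_t vlen = (size_t)(vend - v);
            if (vlen == 0) return HOST_MISSING;
            if (vlen > HOST_MAX || vlen >= outsz) return HOST_TOO_LONG;
            for (size_t i = 0; i < vlen; i++) {
                unsigned char c = (unsigned char)v[i];
                if (!isalnum(c) && c != '.' && c != '-' && c != ':')
                    return HOST_BAD_CHAR;
            }
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return HOST_OK;
        }
        if (!eol) break;
        line = eol + ((eol[0] == '\r' && eol[1] == '\n') ? 2 : 1);
    }
    return HOST_MISSING;
}

/* Convenience wrappers used by main() below. */
int classify_request(const char *request)
{
    char host[HOST_MAX + 1];
    return (int)extract_host(request, host, sizeof host);
}

int host_matches(const char *request, const char *expected)
{
    char host[HOST_MAX + 1];
    return extract_host(request, host, sizeof host) == HOST_OK
           && strcmp(host, expected) == 0;
}

/* Build a constructed request whose hostname is n bytes of 'a' and classify
   it; n is capped so the request itself fits its stack buffer. */
int overlong_status(size_t n)
{
    char request[700];
    const char prefix[] = "GET / HTTP/1.1\r\nHost: ";
    if (n > 600) n = 600;
    memcpy(request, prefix, sizeof(prefix) - 1);
    memset(request + sizeof(prefix) - 1, 'a', n);
    memcpy(request + sizeof(prefix) - 1 + n, "\r\n\r\n", 5);   /* includes NUL */
    return classify_request(request);
}

int main(void)
{
    /* Constructed sample requests. */
    static const char *samples[] = {
        "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "GET / HTTP/1.1\r\nhost:  WWW.Example.COM:8080 \r\nAccept: */*\r\n\r\n",
        "GET / HTTP/1.0\r\n\r\n",
        "GET / HTTP/1.1\r\nHost: bad host\r\n\r\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> status %d\n", i, classify_request(samples[i]));
    printf("200-byte host -> %d, 300-byte host -> %d\n",
           overlong_status(200), overlong_status(300));
    return 0;
}
```

The point of the structure is that the size check happens on the measured value length before `memcpy`, and the check is against the destination's real capacity (`outsz`) rather than a constant the caller might not honour. A value of 300 bytes is reported as `HOST_TOO_LONG` and the destination is never written, which is the behaviour the Symantec description says the 2001 filter lacked.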