exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Atstake Security Advisory 02-07-15.1

Atstake Security Advisory 02-07-15.1
Posted Jul 17, 2002
Authored by Atstake, Ollie Whitehouse | Site atstake.com

Atstake Advisory A071502-1 - Norton Personal Internet Firewall 2001 v3.0.4.91 for Windows NT and 2000 contains buffer overflows in the HTTP proxy which allows attackers to overwrite the first 3 bytes of the EDI register, which can lead to remote code execution.

tags | remote, web, overflow, code execution
systems | windows
SHA-256 | b638be2b6c12ee1233b0973e42fb9455d457e7c5b99317fa57810587b7da13b0

Atstake Security Advisory 02-07-15.1

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




@stake, Inc.
www.atstake.com
Security Advisory



Advisory Name: Norton Personal Internet Firewall HTTP Proxy
Vulnerability
Release Date: 07/15/2002
Application: AtGuard v3.2
Norton Personal Internet Firewall 2001 v3.0.4.91
Platform: Microsoft Windows NT4 SP6a
Microsoft Windows 2000 SP2
Severity: A buffer overflow occurs potentially allowing the
execution of arbitrary code
Author: Ollie Whitehouse (ollie@atstake.com)
Vendor Status: Informed and patch available
CVE Candidate: CAN-2002-0663
Reference: www.atstake.com/research/advisories/2002/a071502-1.txt



Overview:

Symantec (http://www.symantec.com/) Norton Personal Internet
Firewall is a widely used desktop firewalling application for
Microsoft Windows NT, 98, ME and 2000 platforms. Typically personal
firewalls are deployed upon mobile workstations that leave the
enterprise
and may be deployed upon public networks to enable them to establish
connectivity back to the corporation and thus require protection from
malicious attackers while outside the confines of the enterprise
firewall.

There exists a vulnerability within the NPIF's HTTP proxy that allows an
attacker to overwrite the first three (3) bytes of the EDI register and
Thus potentially execute malicious code.

This vulnerability is exploitable even if the requesting application is
not configured in the firewall permission setting to make outgoing
requests. An example of such a scenario would be a malicious web page
that
contains a disguised link which contains sufficient data to exploit this
vulnerability.


Details:

There is a vulnerability with the way in which the NT kernel
based
HTTP proxy of NPIF deals with a large amount of data, that causes a
buffer
overflow to occur. The test scenario that @stake used to cause this
Exception was as follows:

NPIF configured to allow only Microsoft Internet Explorer out on TCP
port
80 to the public internet. A large outgoing request is then made by a
third
party application (i.e. malicious code). If the exploitation is
unsuccessful a NT kernel exception will be thrown typically overwriting
EDI
with user supplied data. If exploitation is successful an attacker can
run
arbitrary code within the KERNEL.



Vendor Response:

This issue was reported to Symantec on April 18, 2002. Symantec has an
Update that solves this problem. Symantec's advisory regarding this
issue
can be found here (wrapped):
http://securityresponse.symantec.com/avcenter/security/
SymantecAdvisories.html


Recommendations:

Due to the fact that this attack has to occur from the host computer
@stake recommends that there should be a multi-layered approach to
security. This should include anti-virus, user education/awareness as
well as ensuring that vendor patches are deployed for all relevant
software products.

Users should install the update for Norton Personal Internet Firewall
2001.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2002-0663 Norton Personal Internet Firewall Buffer Overflow


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2002 @stake, Inc. All rights reserved.



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBPTMXw0e9kNIfAm4yEQJZLACfUzmto6R1y+Usq8x6DR+PLiNZg8kAoJpb
h/TF6PuGpHe3FyLE1ubX/pmk
=BU1O
-----END PGP SIGNATURE-----




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In response to @stake's posting,

<advisories@atstake.com>
Sent by: "Chris Wysopal" <cwysopal@atstake.com>
07/15/2002 01:50 PM

To: <vulnwatch@vulnwatch.org>
cc:
Subject: [VulnWatch] Advisory Name: Norton Personal Intern=
et
Firewall HTTP Proxy Vulnerability


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




@stake, Inc.
www.atstake.com
Security Advisory



Advisory Name: Norton Personal Internet Firewall HTTP Proxy
Vulnerability
Release Date: 07/15/2002
Application: AtGuard v3.2
Norton Personal Internet Firewall 2001 v3.0.4.91
Platform: Microsoft Windows NT4 SP6a
Microsoft Windows 2000 SP2
Severity: A buffer overflow occurs potentially allowing the
execution of arbitrary code
Author: Ollie Whitehouse (ollie@atstake.com)
Vendor Status: Informed and patch available
CVE Candidate: CAN-2002-0663
Reference: www.atstake.com/research/advisories/2002/a071502-1.txt



Overview:

Symantec (http://www.symantec.com/) Norton Personal Internet
Firewall is a widely used desktop firewalling application for
Microsoft Windows NT, 98, ME and 2000 platforms. Typically personal
firewalls are deployed upon mobile workstations that leave the
enterprise
- --------------------snip-----------------------snip------------------=
-
- -----------------------------------------------------------------


15 July 2002

Symantec Norton Internet Security 2001 Denial of Service Buffer
Overflow

Risk
low

Overview

@stake notified Symantec of a denial of service problem with outgoing
http request through the http filter component on the Symantec
Norton Internet Security 2001 personal firewall. Certain malformed
requests resulted in a general protection fault (GPF) on the system.


Components Affected

Symantec Norton Internet Security 2001
Symantec Norton Personal Firewall 2001

Description

The security professionals with @stake discovered a buffer overflow
condition in the handling of outgoing http requests by the http
filter on the Symantec Norton Internet Security 2001. During
Symantec's testing this issue was found to impact the Symantec Norton
Personal Firewall 2001 as well. The buffer overflow condition
overwrites the first three bytes of the EDI register causing a kernel
exception, resulting in a GPF on the targeted system and requiring a
reboot.

The GPF is the result of improper error checking in the array
allocated to store the hostname specified in the outgoing connection.
By
supplying an abnormally long hostname in the outgoing http request,
the buffer in the http filter is overrun causing the kernel
exception and the GPF.
This exception occurs whether the firewall rules permit outgoing http
connections or not.

Symantec Response

Symantec engineers verified the buffer overflow condition exists in
Symantec's Norton Internet Security 2001 and Symantec's Norton
Personal Firewall 2001. They have further determined that the GPF
does not occur in the latest release of Symantec's Norton Personal
Firewall 2002, Norton Internet Security 2002 or Norton Internet
Security 2002 Professional Edition.

However, Symantec takes any product issue such as this very
seriously. We are developing a patch for Symantec Norton Internet
Security
2001 and Personal Firewall 2001 to address this issue. The patch
will be available via LiveUpdate when completed. We are further
enhancing the capabilities of future Symantec products to provide
additional protection against these types of issues.

There are some circumstances that greatly mitigate the risk
associated with this issue. The buffer overflow condition identified
by
@stake occurs only in outgoing http requests through the Symantec
Norton Internet Security and Personal Firewall product's http filter.


Any attempt to launch an attack of this nature requires the attacker
to either have or be able to gain local access to the targeted
system in order to initiate the http request or cause the system
user, through a malicious email attachment or by directing the user
to
a malicious web site, to download and execute malicious code on their
system.

Symantec recommends using a multi-layered approach to security.
Users, at a minimum, should run both personal firewall and antivirus
applications with current updates to provide multiple points of
detection and protection to both inbound and outbound threats.

Users should keep vendor-supplied patches for all application
software and operating systems up-to-date.
Users should further be wary of mysterious attachments and
executables delivered via email.
Do not open attachments or executables from unknown sources. Always
err on the side of caution.
Even if the sender is known, be wary of attachments if the sender
does not explain the attachment content in the body of the email. You
do not know the source of the attachment.
If in doubt, contact the sender before opening the attachment. If
still in doubt, delete the attachment without opening it.

Credit:

Symantec takes the security and proper functionality of our products
very seriously. Symantec appreciates the coordination of Ollie
Whitehouse and @stake, Inc. in identifying and providing technical
details of areas of concern as well as working closely with Symantec
so we could properly address the issue. Anyone with information on
security issues with Symantec products should contact
symsecurity@symantec.com

CVE

The Common Vulnerabilities and Exposures (CVE) initiative has
assigned the name CAN-2002-0663 to this issue.
This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security
problems.


Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this alert electronically is granted as
long as it is not edited in any way unless authorized by Symantec
Security Response. Reprinting the whole or parts of this alert in any
medium other than electronically requires permission from
symsecurity@symantec.com.

Disclaimer

The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither
the author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and
SymSecurity are registered trademarks of Symantec Corp. and/or
affiliated
companies in the United States and other countries. All other
registered and unregistered trademarks represented in this document
are
the sole property of their respective companies/owners.

Symantec Security Response
symsecurity@symantec.com
http://securityresponse.symantec.com


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPTQcPhMwEkwA14VxEQKceACgriQvEvV47iXnuLaUkpkdLq0RnOgAniNu
N2+2aBVp8xV5ZizjqBSlrxbh
=3D3/XI
-----END PGP SIGNATURE-----=



Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close