[NT] Norton Personal Internet Firewall HTTP Proxy Vulnerability
From: support@securiteam.com
Date: 07/22/02
From: support@securiteam.com To: list@securiteam.com Date: Mon, 22 Jul 2002 22:11:19 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Norton Personal Internet Firewall HTTP Proxy Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.symantec.com/> Symantec Norton Personal Internet Firewall is
a widely used desktop firewalling application for Microsoft Windows NT,
98, 2000 platforms and Windows ME. Typically, personal firewalls are
deployed on mobile workstations that leave the enterprise and connect
over public networks back to the corporation, and thus require
protection from malicious attackers while outside the confines of the
enterprise firewall.
There exists a vulnerability within the NPIF's HTTP proxy that allows an
attacker to overwrite the first three (3) bytes of the EDI register and
thus potentially execute malicious code.
This vulnerability is exploitable even if the requesting application is
not configured in the firewall permission setting to make outgoing
requests. An example of such a scenario would be a malicious web page that
contains a disguised link that contains sufficient data to exploit this
vulnerability.
DETAILS
Vulnerable systems:
* AtGuard version 3.2
* Norton Personal Internet Firewall 2001 version 3.0.4.91
There is a vulnerability in the way the NT kernel-based HTTP proxy of
NPIF handles a large amount of data, which causes a buffer overflow to
occur. The test scenario that @stake used to cause this exception was as
follows:
NPIF configured to allow only Microsoft Internet Explorer out on TCP port
80 to the public internet. A large outgoing request is then made by a
third party application (i.e. malicious code). If the exploitation is
unsuccessful, an NT kernel exception will be thrown, typically overwriting
EDI with user supplied data. If exploitation is successful, an attacker can
run arbitrary code within the KERNEL.
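The DETAILS above describe a proxy that overflows on an oversized outgoing request, reachable even from an application the firewall rules do not permit. The following C code is an added example, not code from Symantec, @stake or SecuriTeam: it shows the policy decision made before any parsing and a length check made before the copy into a fixed buffer. The buffer size, function names and rule table are assumptions; the advisory does not say which part of the request overflowed.

```c
#include <stdio.h>
#include <string.h>

#define REQ_BUF_SIZE 2048 /* assumed work-buffer size; the advisory gives none */
enum verdict { REQ_OK, REQ_DENIED_POLICY, REQ_TOO_LARGE, REQ_MALFORMED };

/* Constructed rule table mirroring the advisory's test setup:
 * only Internet Explorer may make outgoing requests on TCP port 80. */
static const struct { const char *image; int allow_http; } rules[] = {
    { "iexplore.exe", 1 },
    { "thirdparty.exe", 0 },
};

static int app_allowed(const char *image)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strcmp(rules[i].image, image) == 0)
            return rules[i].allow_http;
    return 0; /* unknown senders are denied by default */
}

/* Hypothetical inspection entry point: extracts the request line into `line`. */
enum verdict inspect_request(const char *image, const unsigned char *data,
                             size_t len, char *line, size_t line_cap)
{
    unsigned char buf[REQ_BUF_SIZE];
    if (!app_allowed(image)) return REQ_DENIED_POLICY;    /* 1. policy before parsing */
    if (data == NULL || len == 0) return REQ_MALFORMED;
    if (len > sizeof buf) return REQ_TOO_LARGE;           /* 2. length check before copy */
    memcpy(buf, data, len);
    const unsigned char *eol = memchr(buf, '\n', len);    /* 3. search stays in bounds */
    if (eol == NULL) return REQ_MALFORMED;
    size_t n = (size_t)(eol - buf);
    if (n > 0 && buf[n - 1] == '\r') n--;                 /* strip the CR of CRLF */
    if (n + 1 > line_cap) return REQ_TOO_LARGE;           /* 4. output is bounded too */
    memcpy(line, buf, n);
    line[n] = '\0';
    return REQ_OK;
}

int main(void)
{
    static unsigned char big[REQ_BUF_SIZE + 512]; /* constructed oversized request */
    char line[64];
    memset(big, 'A', sizeof big);
    printf("%d %d\n", (int)inspect_request("thirdparty.exe", big, sizeof big, line, sizeof line),
           (int)inspect_request("iexplore.exe", big, sizeof big, line, sizeof line));
    return 0;
}
```

The oversized request is refused with `REQ_DENIED_POLICY` for the non-permitted sender and `REQ_TOO_LARGE` for the permitted one, so in neither case do its bytes reach the fixed buffer.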
Vendor response:
This issue was reported to Symantec on April 18, 2002. Symantec has an
update that solves this problem. Symantec's advisory regarding this issue
can be found here (wrapped):
http://securityresponse.symantec.com/avcenter/security/SymantecAdvisories.html
Recommendations:
Because this attack has to occur from the host computer, @stake recommends
a multi-layered approach to security. This should include anti-virus,
user education/awareness, as well as ensuring that vendor patches are
deployed for all relevant software products.
Users should install the update for Norton Personal Internet Firewall
2001.
ADDITIONAL INFORMATION
The information has been provided by <mailto:ollie@atstake.com> Ollie
Whitehouse.