[VulnWatch] Advisory Name: Norton Personal Internet Firewall HTTP Proxy Vulnerability

From: advisories@atstake.com
Date: 07/15/02


From: <advisories@atstake.com>
To: <vulnwatch@vulnwatch.org>
Date: Mon, 15 Jul 2002 14:50:46 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                              @stake, Inc.
                            www.atstake.com
                           Security Advisory

Advisory Name: Norton Personal Internet Firewall HTTP Proxy
Vulnerability
 Release Date: 07/15/2002
  Application: AtGuard v3.2
               Norton Personal Internet Firewall 2001 v3.0.4.91
     Platform: Microsoft Windows NT4 SP6a
               Microsoft Windows 2000 SP2
     Severity: A buffer overflow occurs potentially allowing the
               execution of arbitrary code
       Author: Ollie Whitehouse (ollie@atstake.com)
Vendor Status: Informed and patch available
CVE Candidate: CAN-2002-0663
    Reference: www.atstake.com/research/advisories/2002/a071502-1.txt

Overview:

        Symantec (http://www.symantec.com/) Norton Personal Internet
Firewall is a widely used desktop firewalling application for the
Microsoft Windows NT, 98, ME and 2000 platforms. Typically, personal
firewalls are deployed on mobile workstations that leave the enterprise
and may be connected to public networks in order to establish
connectivity back to the corporation; they therefore require protection
from malicious attackers while outside the confines of the enterprise
firewall.

There exists a vulnerability within NPIF's HTTP proxy that allows an
attacker to overwrite the first three (3) bytes of the EDI register and
thus potentially execute malicious code.

This vulnerability is exploitable even if the requesting application is
not configured in the firewall's permission settings to make outgoing
requests. An example of such a scenario would be a malicious web page
that contains a disguised link carrying sufficient data to exploit this
vulnerability.

Details:

        There is a vulnerability in the way in which the NT kernel-based
HTTP proxy of NPIF deals with a large amount of data, which causes a
buffer overflow to occur. The test scenario that @stake used to cause
this exception was as follows:

NPIF is configured to allow only Microsoft Internet Explorer out on TCP
port 80 to the public Internet. A large outgoing request is then made by
a third-party application (e.g. malicious code). If the exploitation is
unsuccessful, an NT kernel exception will be thrown, typically with EDI
overwritten by user-supplied data. If exploitation is successful, an
attacker can run arbitrary code within the KERNEL.
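
The following is an added illustration, not code from this advisory,
from Symantec or from NPIF (whose proxy internals are not published):
it shows the bug class described above, a fixed-size request buffer
filled without a length check, beside the hardened form that rejects an
oversized request before copying. The function names, the 256-byte limit
and the constructed sample requests are assumptions made for the example.

```c
/* Added example: fixed-size request buffer in a hypothetical HTTP proxy.
 * Not NPIF code; buffer size, names and sample input are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQ_MAX 256   /* assumed size of the proxy's request-line buffer */

/* Weak pattern: trusts the caller's length and copies without a bound.
 * A request longer than REQ_MAX overruns the destination, which is the
 * class of defect the advisory describes. Never call this with untrusted
 * lengths; it is shown only for contrast with the checked version below. */
static int copy_request_unchecked(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);     /* no check that len < REQ_MAX */
    dst[len] = '\0';
    return 0;
}

/* Hardened pattern: reject the request before touching the buffer. */
static int copy_request_checked(char *dst, size_t dst_size,
                                const char *src, size_t len)
{
    if (len >= dst_size) {
        return -1;             /* caller drops the connection / answers 414 */
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Accepts a request line for forwarding.
 * Returns 0 if accepted, -1 if rejected as oversized, -2 if the method is
 * not one the proxy forwards. */
int proxy_accept_request(const char *request, size_t len)
{
    char buf[REQ_MAX];

    if (copy_request_checked(buf, sizeof buf, request, len) != 0) {
        return -1;
    }
    if (strncmp(buf, "GET ", 4) != 0 &&
        strncmp(buf, "POST ", 5) != 0 &&
        strncmp(buf, "HEAD ", 5) != 0) {
        return -2;
    }
    (void)copy_request_unchecked;   /* kept only for side-by-side reading */
    return 0;
}

/* Builds a constructed oversized request ("GET /" followed by filler) of
 * total_len bytes, to exercise the length check. Caller frees the result. */
char *make_long_request(size_t total_len)
{
    char *p = malloc(total_len + 1);
    if (p == NULL) {
        return NULL;
    }
    memset(p, 'A', total_len);
    if (total_len >= 5) {
        memcpy(p, "GET /", 5);
    }
    p[total_len] = '\0';
    return p;
}

int main(void)
{
    const char *small = "GET / HTTP/1.0";
    char *big = make_long_request(4096);

    printf("small request: %d\n", proxy_accept_request(small, strlen(small)));
    printf("4096-byte request: %d\n", proxy_accept_request(big, 4096));
    free(big);
    return 0;
}
```

The difference between the two copy routines is the single comparison
against the destination size; the checked version turns an oversized
request into an ordinary rejected connection instead of a kernel
exception.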

Vendor Response:

This issue was reported to Symantec on April 18, 2002. Symantec has an
update that solves this problem. Symantec's advisory regarding this
issue can be found here (wrapped):
http://securityresponse.symantec.com/avcenter/security/
SymantecAdvisories.html

Recommendations:

Because this attack has to be launched from the host computer itself,
@stake recommends a multi-layered approach to security. This should
include anti-virus, user education/awareness, and ensuring that vendor
patches are deployed for all relevant software products.

Users should install the update for Norton Personal Internet Firewall
2001.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

 CAN-2002-0663 Norton Personal Internet Firewall Buffer Overflow

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2002 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBPTMXw0e9kNIfAm4yEQJZLACfUzmto6R1y+Usq8x6DR+PLiNZg8kAoJpb
h/TF6PuGpHe3FyLE1ubX/pmk
=BU1O
-----END PGP SIGNATURE-----


