-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                     Symantec Vulnerability Research
                     http://www.symantec.com/research
                           Security Advisory

   Advisory ID: SYMSA-2006-013
Advisory Title: Multiple Vulnerabilities in Mandiant First Response
        Author: Brian Reilly / brian_reilly@symantec.com
  Release Date: 18-12-2006
   Application: Mandiant First Response 1.1
      Platform: Windows 2000/XP/2003
      Severity: Multiple -- Denial of Service, Data Manipulation,
                Client/Server Hijacking
 Vendor status: New Version of product available
    CVE Number: CVE-2006-6475, CVE-2006-6476, CVE-2006-6477
     Reference: http://www.securityfocus.com/bid/21548


Overview:

Mandiant First Response is an incident response tool that collects system
information such as running processes, system services, registry
information, event logs, and file lists from a local or remote host. The
First Response agent (FRAgent.exe) can be installed and configured as a
daemon on target hosts in order to collect information remotely via a
First Response Command Console.

Multiple vulnerabilities exist that could lead to a variety of attack
payloads. Agents running in either HTTP or SSL mode are vulnerable to
denial of service and server hijacking conditions. The server hijacking
vulnerability present in HTTP agents can be further leveraged to allow a
rogue process to intercept and modify legitimate agent/console
communication, and to force a Command Console to download arbitrary
content and visit arbitrary URLs.


Details:

Vulnerability #1: Denial of Service against an SSL agent through
malformed client requests

When run in daemon mode, the First Response agent (FRAgent.exe) accepts
remote connections from a First Response console via HTTP or a modified
HTTPS implementation. By sending a series of specially-crafted requests
to an SSL-enabled agent, it is possible to force the agent to throw an
exception that is not properly handled. After this occurs, the agent's
sockets enter an indefinite CLOSE_WAIT state and all subsequent
connection attempts are refused. The service must then be restarted in
order to recover and accept connections again.

Vulnerability #2: Denial of Service against an HTTP or SSL agent through
agent hijacking

An FRAgent daemon permits other processes to bind to the same socket
addresses on which it is already listening. If FRAgent is bound to the
0.0.0.0 wildcard address ("all interfaces"), a rogue process can
intercept client connections by subsequently binding to the same port on
a specific IP address. By hijacking an agent with a non-responsive
listener, an attacker can effectively prevent all legitimate client
connections.

Vulnerability #3: Command Console and data manipulation through HTTP
agent hijacking

If an HTTP FRAgent daemon is hijacked, the attacker can control the
response data sent to and processed by a client, as well as other aspects
of client behavior. A rogue process can conduct a man-in-the-middle
attack to redirect and modify all requests and responses between the
client and a legitimate agent. The attacker can also send
specially-crafted HTTP responses that force the client to visit arbitrary
URLs and/or download arbitrary content.

(NOTE: The use of HTTPS/SSL is the default behavior for First Response;
using cleartext HTTP requires manual configuration.)


Vendor Response:

Mandiant has confirmed the reports provided by Symantec and updated
Mandiant First Response (MFR) to correct these issues. Version 1.1.1 is
now available for download from http://www.mandiant.com/firstresponse.htm.
Mandiant advises all users of MFR to upgrade to 1.1.1 as soon as
possible. Registered users of the software have been notified via email
of the availability of the upgrade.
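The following is an added example; it is not code from this advisory, from Symantec, or from Mandiant's product. It shows in Python the two hardening behaviours that the vendor response describes for version 1.1.1: a listener opened so that no second socket can bind the same port (SO_EXCLUSIVEADDRUSE where the platform offers it, i.e. Windows; on POSIX the example simply leaves SO_REUSEADDR unset), together with a per-connection handler that answers a malformed request with an error and keeps serving rather than exiting. The toy request syntax, the self-check function secondary_bind_succeeds, the names of all functions, and the sample requests are constructed for this example and have no relation to First Response's real protocol.

```python
import socket
import threading

MAX_REQUEST = 4096  # constructed limit for the toy protocol


def open_exclusive_listener(host="0.0.0.0", port=0):
    """Open a TCP listener that will not share its address with other sockets.

    SO_EXCLUSIVEADDRUSE exists only on Windows, where a default (non-
    exclusive) bind is what permits a second bind on a specific interface.
    On POSIX the protection here comes from never setting SO_REUSEADDR.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if hasattr(socket, "SO_EXCLUSIVEADDRUSE"):  # Windows only
        s.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def secondary_bind_succeeds(port, iface="127.0.0.1"):
    """Self-check on a listener we own: can another socket bind the same
    port on one specific interface? True means the port is shareable
    (the multiple-bind condition); False means the bind was refused."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((iface, port))
        return True
    except OSError:
        return False
    finally:
        probe.close()


def parse_request(data: bytes) -> str:
    """Minimal request-line parser (constructed); raises ValueError on
    anything that does not match 'GET <path> HTTP/1.1'."""
    line, _, _ = data.partition(b"\r\n")
    parts = line.split(b" ")
    if (len(parts) != 3 or parts[0] != b"GET"
            or not parts[1].startswith(b"/") or parts[2] != b"HTTP/1.1"):
        raise ValueError("malformed request line")
    return parts[1].decode("ascii")


def handle_connection(conn):
    """Serve one client. A malformed request gets a 400 and the connection
    is closed; the exception never reaches the accept loop."""
    conn.settimeout(5)
    try:
        path = parse_request(conn.recv(MAX_REQUEST))
        body = b"ok " + path.encode("ascii")
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n"
                     % len(body) + body)
    except ValueError:  # includes UnicodeDecodeError
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
    except OSError:
        pass  # peer went away or timed out; nothing to do
    finally:
        conn.close()


def serve_n(listener, n):
    """Accept and handle n connections; returns how many were served."""
    served = 0
    for _ in range(n):
        conn, _ = listener.accept()
        handle_connection(conn)
        served += 1
    return served


def send_raw(port, payload: bytes) -> bytes:
    """Client helper: send raw bytes to the listener, return the status line."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        c.settimeout(5)
        resp = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            resp += chunk
    return resp.split(b"\r\n", 1)[0]


def demo():
    """Bind exclusively, check the port is not shareable, then confirm a
    malformed request does not stop the listener from serving later ones."""
    listener = open_exclusive_listener("0.0.0.0", 0)
    port = listener.getsockname()[1]
    results = {"port_shareable": secondary_bind_succeeds(port)}
    worker = threading.Thread(target=serve_n, args=(listener, 3))
    worker.start()
    results["good"] = send_raw(port, b"GET /status HTTP/1.1\r\nHost: x\r\n\r\n")
    results["malformed"] = send_raw(port, b"\xff\x00GARBAGE\r\n\r\n")  # constructed
    results["after"] = send_raw(port, b"GET /processes HTTP/1.1\r\nHost: x\r\n\r\n")
    worker.join()
    listener.close()
    return results


if __name__ == "__main__":
    print(demo())
```

The self-check result depends on the host's socket semantics: on Windows it is the option set in open_exclusive_listener that makes the second bind fail, while Linux refuses it by default once the wildcard socket is listening. The second half mirrors the vendor's note on vulnerability 1: the exit on a malformed payload was a code-path decision, and the fix is to reject the request at the connection level and return to accept().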
During the course of our review we noted the following addenda to
Symantec's analysis:

Vulnerability 1: The DoS condition was due to a design error where the
Agent would choose to exit upon receipt of a malformed request. The exit
was an explicit choice exercised by the code path and not caused by a
buffer overflow or heap corruption. Version 1.1.1 addresses the explicit
exit condition and correctly handles requests with malformed payloads,
allowing the MFR Agent to continue operation while correctly rejecting
malformed requests.

Vulnerabilities 2 and 3: The vulnerabilities are present because the MFR
Agent opens its listening port in non-exclusive mode. Version 1.1.1
correctly opens the port as exclusive, preventing the multiple-bind
condition.

Mandiant would like to thank Brian Reilly and Scott King for discovering
and notifying us of these vulnerabilities, and Symantec for their
participation in public disclosure.


Recommendation:

Upgrade to MFR version 1.1.1, available at
http://www.mandiant.com/firstresponse.htm.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
CVE-2006-6475, CVE-2006-6476, CVE-2006-6477


- -------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@symantec.com

For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/

Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc

- -------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com

For general information on Symantec's Product Vulnerability reporting
and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

- ---------------------------------------------------------------

Copyright (c) 2006 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long
as it is not edited in any way unless authorized by Symantec Consulting
Services. Reprinting the whole or part of this alert in any medium other
than electronically requires permission from cs_advisories@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.

Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies in
the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFgaecuk7IIFI45IARAg3oAJ9SwOll1ACKiUVE+bxq4gaBYe5KPQCeMZGJ
d0+CXnzUBbhj51j9rvqGF7k=
=E8pd
-----END PGP SIGNATURE-----