-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: Norton Personal Internet Firewall HTTP Proxy Vulnerability
Release Date: 07/15/2002
Application: AtGuard v3.2
             Norton Personal Internet Firewall 2001 v3.0.4.91
Platform: Microsoft Windows NT4 SP6a
          Microsoft Windows 2000 SP2
Severity: A buffer overflow occurs potentially allowing the execution of
          arbitrary code
Author: Ollie Whitehouse (ollie@atstake.com)
Vendor Status: Informed and patch available
CVE Candidate: CAN-2002-0663
Reference: www.atstake.com/research/advisories/2002/a071502-1.txt

Overview:

Symantec (http://www.symantec.com/) Norton Personal Internet Firewall is a
widely used desktop firewalling application for Microsoft Windows NT, 98, ME
and 2000 platforms. Typically personal firewalls are deployed upon mobile
workstations that leave the enterprise and may be deployed upon public
networks to enable them to establish connectivity back to the corporation,
and thus require protection from malicious attackers while outside the
confines of the enterprise firewall.

There exists a vulnerability within the NPIF's HTTP proxy that allows an
attacker to overwrite the first three (3) bytes of the EDI register and thus
potentially execute malicious code. This vulnerability is exploitable even if
the requesting application is not configured in the firewall permission
settings to make outgoing requests. An example of such a scenario would be a
malicious web page that contains a disguised link which contains sufficient
data to exploit this vulnerability.

Details:

There is a vulnerability in the way in which the NT kernel based HTTP proxy
of NPIF deals with a large amount of data, which causes a buffer overflow to
occur. The test scenario that @stake used to cause this exception was as
follows: NPIF configured to allow only Microsoft Internet Explorer out on TCP
port 80 to the public internet. A large outgoing request is then made by a
third party application (i.e. malicious code). If the exploitation is
unsuccessful an NT kernel exception will be thrown, typically overwriting EDI
with user supplied data. If exploitation is successful an attacker can run
arbitrary code within the KERNEL.

Vendor Response:

This issue was reported to Symantec on April 18, 2002. Symantec has an
update that solves this problem. Symantec's advisory regarding this issue can
be found here (wrapped):

http://securityresponse.symantec.com/avcenter/security/
SymantecAdvisories.html

Recommendations:

Due to the fact that this attack has to occur from the host computer, @stake
recommends that there should be a multi-layered approach to security. This
should include anti-virus, user education/awareness as well as ensuring that
vendor patches are deployed for all relevant software products.

Users should install the update for Norton Personal Internet Firewall 2001.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.

CAN-2002-0663 Norton Personal Internet Firewall Buffer Overflow

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2002 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBPTMXw0e9kNIfAm4yEQJZLACfUzmto6R1y+Usq8x6DR+PLiNZg8kAoJpb
h/TF6PuGpHe3FyLE1ubX/pmk
=BU1O
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In response to @stake's posting,

Sent by: "Chris Wysopal" 07/15/2002 01:50 PM
To:
cc:
Subject: [VulnWatch] Advisory Name: Norton Personal Internet Firewall HTTP Proxy Vulnerability

--------------------snip-----------------------snip-------------------

-----------------------------------------------------------------
15 July 2002

Symantec Norton Internet Security 2001 Denial of Service Buffer Overflow

Risk: low

Overview

@stake notified Symantec of a denial of service problem with outgoing http
requests through the http filter component on the Symantec Norton Internet
Security 2001 personal firewall. Certain malformed requests resulted in a
general protection fault (GPF) on the system.

Components Affected

Symantec Norton Internet Security 2001
Symantec Norton Personal Firewall 2001

Description

The security professionals with @stake discovered a buffer overflow condition
in the handling of outgoing http requests by the http filter on the Symantec
Norton Internet Security 2001. During Symantec's testing this issue was found
to impact the Symantec Norton Personal Firewall 2001 as well. The buffer
overflow condition overwrites the first three bytes of the EDI register
causing a kernel exception, resulting in a GPF on the targeted system and
requiring a reboot.
The GPF is the result of improper error checking in the array allocated to
store the hostname specified in the outgoing connection. By supplying an
abnormally long hostname in the outgoing http request, the buffer in the http
filter is overrun, causing the kernel exception and the GPF. This exception
occurs whether the firewall rules permit outgoing http connections or not.

Symantec Response

Symantec engineers verified the buffer overflow condition exists in
Symantec's Norton Internet Security 2001 and Symantec's Norton Personal
Firewall 2001. They have further determined that the GPF does not occur in
the latest release of Symantec's Norton Personal Firewall 2002, Norton
Internet Security 2002 or Norton Internet Security 2002 Professional Edition.

However, Symantec takes any product issue such as this very seriously. We are
developing a patch for Symantec Norton Internet Security 2001 and Personal
Firewall 2001 to address this issue. The patch will be available via
LiveUpdate when completed. We are further enhancing the capabilities of
future Symantec products to provide additional protection against these types
of issues.

There are some circumstances that greatly mitigate the risk associated with
this issue. The buffer overflow condition identified by @stake occurs only in
outgoing http requests through the Symantec Norton Internet Security and
Personal Firewall products' http filter. Any attempt to launch an attack of
this nature requires the attacker to either have or be able to gain local
access to the targeted system in order to initiate the http request, or to
cause the system user, through a malicious email attachment or by directing
the user to a malicious web site, to download and execute malicious code on
their system.

Symantec recommends using a multi-layered approach to security.
Users, at a minimum, should run both personal firewall and antivirus
applications with current updates to provide multiple points of detection and
protection against both inbound and outbound threats. Users should keep
vendor-supplied patches for all application software and operating systems
up-to-date.

Users should further be wary of mysterious attachments and executables
delivered via email. Do not open attachments or executables from unknown
sources. Always err on the side of caution. Even if the sender is known, be
wary of attachments if the sender does not explain the attachment content in
the body of the email. You do not know the source of the attachment. If in
doubt, contact the sender before opening the attachment. If still in doubt,
delete the attachment without opening it.

Credit:

Symantec takes the security and proper functionality of our products very
seriously. Symantec appreciates the coordination of Ollie Whitehouse and
@stake, Inc. in identifying and providing technical details of areas of
concern as well as working closely with Symantec so we could properly address
the issue. Anyone with information on security issues with Symantec products
should contact symsecurity@symantec.com

CVE

The Common Vulnerabilities and Exposures (CVE) initiative has assigned the
name CAN-2002-0663 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.

Copyright (c) 2002 by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as it
is not edited in any way unless authorized by Symantec Security Response.
Reprinting the whole or parts of this alert in any medium other than
electronically requires permission from symsecurity@symantec.com.

Disclaimer

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are
registered trademarks of Symantec Corp. and/or affiliated companies in the
United States and other countries. All other registered and unregistered
trademarks represented in this document are the sole property of their
respective companies/owners.

Symantec Security Response
symsecurity@symantec.com
http://securityresponse.symantec.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPTQcPhMwEkwA14VxEQKceACgriQvEvV47iXnuLaUkpkdLq0RnOgAniNu
N2+2aBVp8xV5ZizjqBSlrxbh
=3/XI
-----END PGP SIGNATURE-----
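Both advisories describe the same defect class: a hostname taken from an outgoing HTTP request is copied into a fixed-size array without its length ever being compared with the array. The C below is an added illustration written for this page; it is not code from @stake, Symantec, or the NPIF product, whose source was never published. Everything specific in it is an assumption: the 64-byte buffer size (HOST_MAX), the choice to read the hostname from a "Host:" header, and the constructed requests built by build_request. The unchecked function shows the pattern that overruns the buffer and is never called; the checked function rejects an overlong hostname with a distinct error code so the caller can log and drop the request instead of truncating it silently.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination for the hostname; the real filter's
 * buffer size is not stated in either advisory. */
#define HOST_MAX 64
#define REQ_MAX  4096

/* Locate the value of the Host header in a raw HTTP request.  Assumption for
 * this example: the hostname is taken from "Host: "; the advisories do not
 * say which field the filter parsed.  Returns the length of the value (up to
 * the terminating CR/LF) and sets *start, or 0 if no Host header is present. */
static size_t find_host(const char *request, const char **start)
{
    const char *p = strstr(request, "\r\nHost: ");
    if (p == NULL) return 0;
    p += strlen("\r\nHost: ");
    *start = p;
    return strcspn(p, "\r\n");
}

/* The pattern the advisory describes: the value is copied into a fixed
 * array with no check of its length, so an abnormally long hostname runs
 * past the end of host[].  Shown for contrast only; never called here. */
int extract_host_unchecked(const char *request, char host[HOST_MAX])
{
    const char *p;
    size_t n = find_host(request, &p);
    if (n == 0) return -1;
    memcpy(host, p, n);     /* n is never compared with HOST_MAX */
    host[n] = '\0';
    return 0;
}

/* Hardened form: the length is checked against the destination before any
 * copy, and an overlong value is rejected outright (-2) rather than silently
 * truncated, so the caller can log and drop the request. */
int extract_host_checked(const char *request, char *host, size_t host_len)
{
    const char *p;
    size_t n = find_host(request, &p);
    if (n == 0) return -1;                           /* no Host header */
    if (host_len == 0 || n >= host_len) return -2;   /* no room for value + NUL */
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

/* Build a constructed request whose Host value is host_chars 'a' characters
 * followed by ".example".  Returns 0, or -1 if it would not fit in req. */
int build_request(char *req, size_t req_len, size_t host_chars)
{
    const char *prefix = "GET / HTTP/1.0\r\nHost: ";
    const char *suffix = ".example\r\n\r\n";
    size_t need = strlen(prefix) + host_chars + strlen(suffix) + 1;
    if (need > req_len) return -1;
    size_t pos = 0;
    memcpy(req + pos, prefix, strlen(prefix));      pos += strlen(prefix);
    memset(req + pos, 'a', host_chars);             pos += host_chars;
    memcpy(req + pos, suffix, strlen(suffix) + 1);  /* copies the NUL too */
    return 0;
}

int main(void)
{
    char req[REQ_MAX], host[HOST_MAX];
    size_t lens[] = { 10, 55, 56, 1000 };   /* hostname = lens[i] + 8 chars */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        build_request(req, sizeof req, lens[i]);
        int rc = extract_host_checked(req, host, sizeof host);
        printf("hostname of %4zu chars: %s\n", lens[i] + 8,
               rc == 0 ? "accepted" : "rejected (too long)");
    }
    return 0;
}
```

The boundary is the point worth checking: a 63-character hostname fits with its terminating NUL, a 64-character one does not, and the checked version refuses it instead of writing one byte past the array. Rejecting rather than truncating also matters for a filter, since a truncated hostname could be matched against rules for a different host than the one the request names.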