SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Firewall)  >   Norton Internet Security Vendors:   Symantec
Norton Internet Security Buffer Overflow in HTTP Proxy May Allow Remote Users to Execute Arbitrary Code on the System
SecurityTracker Alert ID:  1004779
SecurityTracker URL:  http://securitytracker.com/id/1004779
CVE Reference:   CAN-2002-0663   (Links to External Site)
Date:  Jul 15 2002
Impact:   Denial of service via local system, Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Norton Internet Security 2001
Description:   A buffer overflow vulnerability was been reported in the Norton Personal Firewall and Norton Internet Security in the HTTP Proxy function. In certain cases, a remote user could cause arbitrary code to be executed on the target user's system or cause denial of service conditions.

@stake reported a buffer overflow in the firewall's HTTP Proxy function that can be triggered from the ostensibly protected host. It is reportedly possible for an application (or malicious code) on the target host to overwrite the first three bytes of the EDI register and cause a kernel exception and resulting crash. A reboot is required to return to normal operations. The bug is due to improper error checking in the array allocated to store the hostname specified in the outgoing connection. A remote user can supply an abnormally long hostname in the outgoing http request to trigger the overflow.

It is apparently not necessary for a host application to be permitted to make outgoing requests from the host for an exploit to occur. This could be exploited via the target user's web browser, triggered by a link on a malicious web page or HTML-based e-mail.

According to @stake, it may be possible to execute arbitrary code via this overflow.

For the original @stake advisory, see:

http://www.atstake.com/research/advisories/2002/a071502-1.txt

According to Symantec, Symantec's Norton Personal Firewall 2002, Norton Internet Security 2002, and Norton Internet Security 2002 Professional Edition are not affected.
Impact:   An application on the target host (such as a web browser) may be able to execute arbitrary code on the system with the privileges of the current user or cause the system to crash.
Solution:   The vendor has reportedly issued an update to correct the problem. See the Symantec security advisory at:

http://securityresponse.symantec.com/avcenter/security/Content/2002.07.15.html
Vendor URL:  securityresponse.symantec.com/avcenter/security/Content/2002.07.15.html (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Mon, 15 Jul 2002 15:42:13 -0400
Subject:  @stake Advisory: Norton Personal Internet Firewall HTTP Proxy Vulnerability


------=_NextPart_000_003F_01C22C16.323DD190
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 7bit


------=_NextPart_000_003F_01C22C16.323DD190
Content-Type: text/plain;
	name="a071502-1.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="a071502-1.txt"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




                              @stake, Inc.
                            www.atstake.com
                           Security Advisory



Advisory Name: Norton Personal Internet Firewall HTTP Proxy Vulnerability
 Release Date: 07/15/2002
  Application: AtGuard v3.2
               Norton Personal Internet Firewall 2001 v3.0.4.91
     Platform: Microsoft Windows NT4 SP6a
               Microsoft Windows 2000 SP2
     Severity: A buffer overflow occurs potentially allowing the
               execution of arbitrary code
       Author: Ollie Whitehouse (ollie@atstake.com)
Vendor Status: Informed and patch available
CVE Candidate: CAN-2002-0663
    Reference: www.atstake.com/research/advisories/2002/a071502-1.txt



Overview:

        Symantec (http://www.symantec.com/) Norton Personal Internet
Firewall is a widely used desktop firewalling application for
Microsoft Windows NT, 98, ME and 2000 platforms. Typically personal
firewalls are deployed upon mobile workstations that leave the enterprise
and may be deployed upon public networks to enable them to establish
connectivity back to the corporation and thus require protection from
malicious attackers while outside the confines of the enterprise firewall.

There exists a vulnerability within the NPIF's HTTP proxy that allows an
attacker to overwrite the first three (3) bytes of the EDI register and
Thus potentially execute malicious code.

This vulnerability is exploitable even if the requesting application is
not configured in the firewall permission setting to make outgoing
requests. An example of such a scenario would be a malicious web page that
contains a disguised link which contains sufficient data to exploit this
vulnerability.


Details:

        There is a vulnerability with the way in which the NT kernel based
HTTP proxy of NPIF deals with a large amount of data, that causes a buffer
overflow to occur. The test scenario that @stake used to cause this
Exception was as follows:

NPIF configured to allow only Microsoft Internet Explorer out on TCP port
80 to the public internet. A large outgoing request is then made by a third
party application (i.e. malicious code). If the exploitation is
unsuccessful a NT kernel exception will be thrown typically overwriting EDI
with user supplied data. If exploitation is successful an attacker can run
arbitrary code within the KERNEL.



Vendor Response:

This issue was reported to Symantec on April 18, 2002. Symantec has an
Update that solves this problem.  Symantec's advisory regarding this issue
can be found here (wrapped):
http://securityresponse.symantec.com/avcenter/security/
SymantecAdvisories.html


Recommendations:

Due to the fact that this attack has to occur from the host computer
@stake recommends that there should be a multi-layered approach to
security. This should include anti-virus, user education/awareness as
well as ensuring that vendor patches are deployed for all relevant
software products.

Users should install the update for Norton Personal Internet Firewall 2001.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

 CAN-2002-0663 Norton Personal Internet Firewall Buffer Overflow


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2002 @stake, Inc. All rights reserved.



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBPTMXw0e9kNIfAm4yEQJZLACfUzmto6R1y+Usq8x6DR+PLiNZg8kAoJpb
h/TF6PuGpHe3FyLE1ubX/pmk
=BU1O
-----END PGP SIGNATURE-----
------=_NextPart_000_003F_01C22C16.323DD190--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC