Norton Personal Internet Firewall HTTP Proxy Vulnerability
Results 1 to 3 of 3

Thread: Norton Personal Internet Firewall HTTP Proxy Vulnerability

  1. #1
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027

    Norton Personal Internet Firewall HTTP Proxy Vulnerability

    From bugtrack:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1




    @stake, Inc.
    www.atstake.com
    Security Advisory



    Advisory Name: Norton Personal Internet Firewall HTTP Proxy Vulnerability
    Release Date: 07/15/2002
    Application: AtGuard v3.2
    Norton Personal Internet Firewall 2001 v3.0.4.91
    Platform: Microsoft Windows NT4 SP6a
    Microsoft Windows 2000 SP2
    Severity: A buffer overflow occurs potentially allowing the
    execution of arbitrary code
    Author: Ollie Whitehouse (ollie@atstake.com)
    Vendor Status: Informed and patch available
    CVE Candidate: CAN-2002-0663
    Reference: http://www.atstake.com/research/advi.../a071502-1.txt



    Overview:

    Symantec (http://www.symantec.com/) Norton Personal Internet
    Firewall is a widely used desktop firewalling application for
    Microsoft Windows NT, 98, ME and 2000 platforms. Typically personal
    firewalls are deployed upon mobile workstations that leave the enterprise
    and may be deployed upon public networks to enable them to establish
    connectivity back to the corporation and thus require protection from
    malicious attackers while outside the confines of the enterprise firewall.

    There exists a vulnerability within the NPIF's HTTP proxy that allows an
    attacker to overwrite the first three (3) bytes of the EDI register and
    Thus potentially execute malicious code.

    This vulnerability is exploitable even if the requesting application is
    not configured in the firewall permission setting to make outgoing
    requests. An example of such a scenario would be a malicious web page that
    contains a disguised link which contains sufficient data to exploit this
    vulnerability.


    Details:

    There is a vulnerability with the way in which the NT kernel based
    HTTP proxy of NPIF deals with a large amount of data, that causes a buffer
    overflow to occur. The test scenario that @stake used to cause this
    Exception was as follows:

    NPIF configured to allow only Microsoft Internet Explorer out on TCP port
    80 to the public internet. A large outgoing request is then made by a third
    party application (i.e. malicious code). If the exploitation is
    unsuccessful a NT kernel exception will be thrown typically overwriting EDI
    with user supplied data. If exploitation is successful an attacker can run
    arbitrary code within the KERNEL.



    Vendor Response:

    This issue was reported to Symantec on April 18, 2002. Symantec has an
    Update that solves this problem. Symantec's advisory regarding this issue
    can be found here (wrapped):
    http://securityresponse.symantec.com/avcenter/security/
    SymantecAdvisories.html


    Recommendations:

    Due to the fact that this attack has to occur from the host computer
    @stake recommends that there should be a multi-layered approach to
    security. This should include anti-virus, user education/awareness as
    well as ensuring that vendor patches are deployed for all relevant
    software products.

    Users should install the update for Norton Personal Internet Firewall 2001.


    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has
    assigned the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

    CAN-2002-0663 Norton Personal Internet Firewall Buffer Overflow


    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/

    @stake Advisory Archive:
    http://www.atstake.com/research/advisories/

    PGP Key:
    http://www.atstake.com/research/pgp_key.asc

    Copyright 2002 @stake, Inc. All rights reserved.



    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.3

    iQA/AwUBPTMXw0e9kNIfAm4yEQJZLACfUzmto6R1y+Usq8x6DR+PLiNZg8kAoJpb
    h/TF6PuGpHe3FyLE1ubX/pmk
    =BU1O
    -----END PGP SIGNATURE-----

  2. #2
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    norton and firewall in the same sentence *wince* it hurts to even read.. no one should use norton for their firewall. AV maybe...firewall no.
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  3. #3
    Junior Member
    Join Date
    Jul 2002
    Posts
    25
    norton has a decent anti-virus, but i think the cisco ios firewall is better . Has intruder detection n authencation. no-no to norton

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •