
Thread: Vulnerability: Norton PI Firewall HTTP Proxy

  1. #1
    Fastest Thing Alive s0nIc
    Join Date
    Sep 2001

    Vulnerability: Norton PI Firewall HTTP Proxy

    Symantec (http://www.symantec.com/) Norton Personal Internet Firewall is a widely used desktop firewalling application for Microsoft Windows NT, 98, ME and 2000 platforms. Typically personal firewalls are deployed upon mobile workstations that leave the enterprise and may be deployed upon public networks to enable them to establish connectivity back to the corporation and thus require protection from malicious attackers while outside the confines of the enterprise firewall.

    There exists a vulnerability within the NPIF's HTTP proxy that allows an attacker to overwrite the first three (3) bytes of the EDI register and thus potentially execute malicious code.

    This vulnerability is exploitable even if the requesting application is not configured in the firewall permission setting to make outgoing requests. An example of such a scenario would be a malicious web page that contains a disguised link which contains sufficient data to exploit this vulnerability.


    There is a vulnerability in the way in which the NT kernel based HTTP proxy of NPIF deals with a large amount of data that causes a buffer overflow to occur. The test scenario that @stake used to cause this exception was as follows:

    NPIF configured to allow only Microsoft Internet Explorer out on TCP port 80 to the public internet. A large outgoing request is then made by a third party application (i.e. malicious code). If the exploitation is unsuccessful, an NT kernel exception will be thrown, typically overwriting EDI with user supplied data. If exploitation is successful, an attacker can run arbitrary code within the KERNEL.

    Vendor Response:

    This issue was reported to Symantec on April 18, 2002. Symantec has an Update that solves this problem. Symantec's advisory regarding this issue can be found here: http://securityresponse.symantec.com/avcenter/security/SymantecAdvisories.html


    Due to the fact that this attack has to occur from the host computer, @stake recommends that there should be a multi-layered approach to security. This should include anti-virus, user education/awareness as well as ensuring that vendor patches are deployed for all relevant software products.

    Users should install the update for Norton Personal Internet Firewall 2001.

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

    CAN-2002-0663 Norton Personal Internet Firewall Buffer Overflow

    @stake Vulnerability Reporting Policy:

    @stake Advisory Archive:

    PGP Key:

    Source: http://www.xatrix.org/article1721.html
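
The advisory's point that the proxy parses outgoing data even from applications the firewall would not let out, shown as an added example (not part of the original post or the @stake advisory, and not Symantec's code): the length check has to come before any copy and before the policy decision. All names, the buffer size and the request layout are assumptions, since the advisory does not describe NPIF internals.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and sizes: the advisory does not describe NPIF internals. */
#define LINE_MAX_LEN 256

enum verdict { FORWARD, BLOCK_BY_POLICY, DROP_OVERSIZE, DROP_MALFORMED };

struct request_line { char text[LINE_MAX_LEN]; size_t len; };

/* Inspect one outbound request. The bytes are attacker-influenced whether or
 * not the sending application is allowed out, so the bounds check comes
 * first and the policy decision only after parsing succeeded. */
enum verdict inspect_outbound(const unsigned char *data, size_t n,
                              int app_allowed, struct request_line *out)
{
    size_t len = n;                       /* n means "no CRLF found" */
    for (size_t i = 0; i + 1 < n; i++)
        if (data[i] == '\r' && data[i + 1] == '\n') { len = i; break; }
    if (len == n)
        return DROP_MALFORMED;
    if (len >= sizeof out->text)          /* keep room for the terminating NUL */
        return DROP_OVERSIZE;             /* reject, never truncate-and-parse */
    memcpy(out->text, data, len);
    out->text[len] = '\0';
    out->len = len;
    return app_allowed ? FORWARD : BLOCK_BY_POLICY;
}

/* Constructed input: "GET /AAAA... HTTP/1.0\r\n" with path_len filler bytes. */
enum verdict verdict_for_path(size_t path_len, int app_allowed)
{
    static unsigned char buf[8192];
    struct request_line rl;
    size_t n = 5;
    if (path_len > sizeof buf - 32) path_len = sizeof buf - 32;
    memcpy(buf, "GET /", 5);
    memset(buf + n, 'A', path_len); n += path_len;
    memcpy(buf + n, " HTTP/1.0\r\n", 11); n += 11;
    return inspect_outbound(buf, n, app_allowed, &rl);
}

int main(void)
{
    printf("%d %d %d\n", verdict_for_path(10, 1), verdict_for_path(10, 0),
           verdict_for_path(4000, 0));
    return 0;
}
```

An oversize request from a non-permitted application is dropped by the size check before the permission flag is consulted, so the unpermitted sender never reaches a copy into the fixed buffer.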

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Hum, I already posted that advisory two days ago...
    Credit travels up, blame travels down -- The Boss

  3. #3
    Fastest Thing Alive s0nIc
    Join Date
    Sep 2001
    lol damn.. sorry bout that.. ur post didnt show up when i searched for it...
