From: Sym Security (symsecurity_at_symantec.com)
Date: Tue Jul 16 2002 - 08:33:10 CDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    In response to @stake's posting,

          <advisoriesatstake.com>
          Sent by: "Chris Wysopal" <cwysopalatstake.com>
          07/15/2002 01:50 PM

                 To: <vulnwatchvulnwatch.org>
                 cc:
                 Subject: [VulnWatch] Advisory Name: Norton Personal Internet
    Firewall HTTP Proxy Vulnerability

    - -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                  @stake, Inc.
                                www.atstake.com
                               Security Advisory

    Advisory Name: Norton Personal Internet Firewall HTTP Proxy
    Vulnerability
     Release Date: 07/15/2002
      Application: AtGuard v3.2
                   Norton Personal Internet Firewall 2001 v3.0.4.91
         Platform: Microsoft Windows NT4 SP6a
                   Microsoft Windows 2000 SP2
         Severity: A buffer overflow occurs potentially allowing the
                   execution of arbitrary code
           Author: Ollie Whitehouse (ollieatstake.com)
    Vendor Status: Informed and patch available
    CVE Candidate: CAN-2002-0663
        Reference: www.atstake.com/research/advisories/2002/a071502-1.txt

    Overview:

            Symantec (http://www.symantec.com/) Norton Personal Internet
    Firewall is a widely used desktop firewalling application for
    Microsoft Windows NT, 98, ME and 2000 platforms. Typically personal
    firewalls are deployed upon mobile workstations that leave the
    enterprise
    - --------------------snip-----------------------snip-------------------
    - -----------------------------------------------------------------

    15 July 2002

    Symantec Norton Internet Security 2001 Denial of Service Buffer
    Overflow

    Risk
    low

    Overview

    @stake notified Symantec of a denial of service problem with outgoing
    http requests through the http filter component on the Symantec
    Norton Internet Security 2001 personal firewall. Certain malformed
    requests resulted in a general protection fault (GPF) on the system.

    Components Affected

    Symantec Norton Internet Security 2001
    Symantec Norton Personal Firewall 2001

    Description

    The security professionals with @stake discovered a buffer overflow
    condition in the handling of outgoing http requests by the http
    filter on the Symantec Norton Internet Security 2001. During
    Symantec's testing this issue was found to impact the Symantec Norton
    Personal Firewall 2001 as well. The buffer overflow condition
    overwrites the first three bytes of the EDI register causing a kernel
    exception, resulting in a GPF on the targeted system and requiring a
    reboot.

    The GPF is the result of improper error checking in the array
    allocated to store the hostname specified in the outgoing connection.
    By supplying an abnormally long hostname in the outgoing http request,
    the buffer in the http filter is overrun causing the kernel
    exception and the GPF.
    This exception occurs whether the firewall rules permit outgoing http
    connections or not.

    Symantec Response

    Symantec engineers verified the buffer overflow condition exists in
    Symantec's Norton Internet Security 2001 and Symantec's Norton
    Personal Firewall 2001. They have further determined that the GPF
    does not occur in the latest release of Symantec's Norton Personal
    Firewall 2002, Norton Internet Security 2002 or Norton Internet
    Security 2002 Professional Edition.

    However, Symantec takes any product issue such as this very
    seriously. We are developing a patch for Symantec Norton Internet
    Security 2001 and Personal Firewall 2001 to address this issue. The patch
    will be available via LiveUpdate when completed. We are further
    enhancing the capabilities of future Symantec products to provide
    additional protection against these types of issues.

    There are some circumstances that greatly mitigate the risk
    associated with this issue. The buffer overflow condition identified
    by @stake occurs only in outgoing http requests through the Symantec
    Norton Internet Security and Personal Firewall product's http filter.

    Any attempt to launch an attack of this nature requires the attacker
    to either have or be able to gain local access to the targeted
    system in order to initiate the http request or cause the system
    user, through a malicious email attachment or by directing the user
    to a malicious web site, to download and execute malicious code on their
    system.

    Symantec recommends using a multi-layered approach to security.
    Users, at a minimum, should run both personal firewall and antivirus
    applications with current updates to provide multiple points of
    detection and protection to both inbound and outbound threats.

    Users should keep vendor-supplied patches for all application
    software and operating systems up-to-date.
    Users should further be wary of mysterious attachments and
    executables delivered via email.
    Do not open attachments or executables from unknown sources. Always
    err on the side of caution.
    Even if the sender is known, be wary of attachments if the sender
    does not explain the attachment content in the body of the email. You
    do not know the source of the attachment.
    If in doubt, contact the sender before opening the attachment. If
    still in doubt, delete the attachment without opening it.

    Credit:

    Symantec takes the security and proper functionality of our products
    very seriously. Symantec appreciates the coordination of Ollie
    Whitehouse and @stake, Inc. in identifying and providing technical
    details of areas of concern as well as working closely with Symantec
    so we could properly address the issue. Anyone with information on
    security issues with Symantec products should contact
    symsecurity@symantec.com

    CVE

    The Common Vulnerabilities and Exposures (CVE) initiative has
    assigned the name CAN-2002-0663 to this issue.
    This is a candidate for inclusion in the CVE list
    (http://cve.mitre.org), which standardizes names for security
    problems.

    Copyright (c) 2002 by Symantec Corp.
    Permission to redistribute this alert electronically is granted as
    long as it is not edited in any way unless authorized by Symantec
    Security Response. Reprinting the whole or parts of this alert in any
    medium other than electronically requires permission from
    symsecurity@symantec.com.

    Disclaimer

    The information in the advisory is believed to be accurate at the
    time of publishing based on currently available information. Use of
    the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither
    the author nor the publisher accepts any liability for any direct,
    indirect, or consequential loss or damage arising from use of, or
    reliance on, this information.

    Symantec, Symantec products, Symantec Security Response, and
    SymSecurity are registered trademarks of Symantec Corp. and/or
    affiliated companies in the United States and other countries. All other
    registered and unregistered trademarks represented in this document
    are the sole property of their respective companies/owners.

    Symantec Security Response
    symsecurity@symantec.com
    http://securityresponse.symantec.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.1

    iQA/AwUBPTQcPhMwEkwA14VxEQKceACgriQvEvV47iXnuLaUkpkdLq0RnOgAniNu
    N2+2aBVp8xV5ZizjqBSlrxbh
    =3/XI
    -----END PGP SIGNATURE-----
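
The advisory attributes the fault to a hostname copied into a fixed array without a length check. The following is an added example, not part of the advisory and not Symantec's code, showing that check done before the copy; `HOST_BUF`, `extract_host` and the status codes are assumed names, and only the `Host:` header is handled.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_BUF 256  /* assumed size; a DNS name is at most 253 characters */
enum { HOST_OK = 0, HOST_MISSING = -1, HOST_TOO_LONG = -2 };

/* Case-insensitive match of a lowercase prefix against avail bytes at p. */
static int has_prefix(const char *p, size_t avail, const char *pre)
{
    size_t n = strlen(pre);
    if (avail < n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)p[i]) != pre[i]) return 0;
    return 1;
}

/* Copy the Host header value from req[0..len) into out[0..cap).
 * The value's length is compared with cap before any byte is written,
 * and an oversized value is rejected rather than truncated. */
int extract_host(const char *req, size_t len, char *out, size_t cap)
{
    size_t i = 0;
    while (i < len) {
        size_t eol = i;
        while (eol < len && req[eol] != '\n') eol++;      /* end of line */
        if (has_prefix(req + i, eol - i, "host:")) {
            size_t s = i + 5, e = eol;
            while (s < e && (req[s] == ' ' || req[s] == '\t')) s++;
            while (e > s && (req[e - 1] == '\r' || req[e - 1] == ' ')) e--;
            if (e - s >= cap) return HOST_TOO_LONG;       /* no room for NUL */
            memcpy(out, req + s, e - s);
            out[e - s] = '\0';
            return HOST_OK;
        }
        i = eol + 1;
    }
    return HOST_MISSING;
}

int main(void)
{
    char host[HOST_BUF];
    /* Constructed sample request. */
    const char *ok = "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n";
    printf("%d %s\n", extract_host(ok, strlen(ok), host, sizeof host), host);
    return 0;
}
```

A caller that receives `HOST_TOO_LONG` should drop or refuse the request; the fixed buffer is never written past its end regardless of the hostname length in the request.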