[Dshield] "Personal Firewalls" are mostly snake-oil"

Wilson, Jesse (I.T. Dept) WilsonJ at stifel.com
Mon Jul 22 20:12:44 GMT 2002


Since we're on the subject of "Personal Firewalls",


  Norton Personal Internet Firewall HTTP Proxy Vulnerability
------------------------------------------------------------------------


SUMMARY

 <http://www.symantec.com/> Symantec Norton Personal Internet Firewall is 
a widely used desktop firewalling application for Microsoft Windows NT, 
98, 2000 platforms and Windows ME. Typically, personal firewalls are 
deployed upon mobile workstations that leave the enterprise and may be 
deployed upon public networks to enable them to establish connectivity 
back to the corporation and thus require protection from malicious 
attackers while outside the confines of the enterprise firewall.

There exists a vulnerability within the NPIF's HTTP proxy that allows an 
attacker to overwrite the first three (3) bytes of the EDI register and 
thus potentially execute malicious code.

This vulnerability is exploitable even if the requesting application is 
not configured in the firewall permission setting to make outgoing 
requests. An example of such a scenario would be a malicious web page that 
contains a disguised link that contains sufficient data to exploit this 
vulnerability.

DETAILS

Vulnerable systems:
 * AtGuard version 3.2
 * Norton Personal Internet Firewall 2001 version 3.0.4.91

There is a vulnerability with the way in which the NT kernel based HTTP 
proxy of NPIF deals with a large amount of data that causes a buffer 
overflow to occur. The test scenario that @stake used to cause this 
Exception was as follows:

NPIF configured to allow only Microsoft Internet Explorer out on TCP port 
80 to the public internet. A large outgoing request is then made by a 
third party application (i.e. malicious code). If the exploitation is 
unsuccessful, a NT kernel exception will be thrown typically overwriting 
EDI with user supplied data. If exploitation is successful an attacker can 
run arbitrary code within the KERNEL.

Vendor response:
This issue was reported to Symantec on April 18, 2002. Symantec has an 
Update that solves this problem. Symantec's advisory regarding this issue 
can be found here (wrapped):
 
<http://securityresponse.symantec.com/avcenter/security/SymantecAdvisories.h
tml>
http://securityresponse.symantec.com/avcenter/security/SymantecAdvisories.ht
ml

Recommendations:
Because this attack has to occur from the host computer @stake recommends 
that there should be a multi-layered approach to security. This should 
include anti-virus, user education/awareness, as well as ensuring that 
vendor patches are deployed for all relevant software products.

Users should install the update for Norton Personal Internet Firewall 
2001.




More information about the list mailing list