[NT] F-Secure Internet Gatekeeper Content Scanning Server DoS

Subject: [NT] F-Secure Internet Gatekeeper Content Scanning Server DoS
Date: 14 Sep 2004 14:24:06 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  F-Secure Internet Gatekeeper Content Scanning Server DoS
------------------------------------------------------------------------


SUMMARY

"F-Secure Internet Gatekeeper <http://www.f-secure.com/products/anti-virus/fsigk/> is a
high-performance and fully automated antivirus and content 
filtering solution for protecting corporate e-mail (SMTP) and web traffic 
(HTTP, FTP over HTTP) at the Internet gateway. In addition to virus 
protection, the solution provides spam filtering, content filtering and 
access control."

Remote exploitation of an input validation error in F-Secure's Internet 
Gatekeeper could allow attackers to trigger a denial of service against 
the Content Scanner Server.

DETAILS

Vulnerable Systems:
 * F-Secure Internet Gatekeeper Server version 6.32 and earlier
 * F-Secure Anti-Virus for Microsoft Exchange 6.21 and earlier, 6.01 and 
earlier

Immune Systems:
 * F-Secure Internet Gatekeeper Server version 6.40
 * F-Secure Anti-Virus for Microsoft Exchange 6.30

CVE Information:
 CAN-2004-0830 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0830>

The problem manifests when the Content Scanner handles malformed packets 
received on port 18971. A denial of service condition is triggered during 
the parsing of the packet, causing the application to fail with an access 
violation error. The vulnerability does not appear to be further 
exploitable. The main reason behind the crash is problematic handling of 
exceptions.

Impact
Successful exploitation allows remote attackers to crash the service. Once 
the server has crashed, depending on configuration options, a dialog box 
may appear on the desktop indicating that the FSAVSD.EXE process has 
crashed. Once this has been cleared, or if there is no dialog box, the 
server will automatically restart after approximately 30 to 40 seconds. 
During this time, the server will not respond to any requests made of it. 
It is possible to cause the server to fail repeatedly by sending packets 
at short intervals.

Vendor Status:
The vendor has been contacted and confirmed the existence of the problem 
in their servers. The new server and anti-virus releases are immune to the 
above mentioned issue and the vendor has supplied a hotfix. The hotfix is 
available from http://www.f-secure.com/security/fsc-2004-2.shtml.

In addition, for those users who don't wish to upgrade their versions, a 
simple workaround can be used. The product can be configured so that only 
allowed connections are accepted by the F-Secure Content Scanner Server. 
Configuring CSS to accept connections only from known IP addresses:
 * In F-Secure Policy Manager Console, go to F-Secure Content Scanner 
Server>Settings>Interface and in the "Accept Connections" setting specify 
the comma-separated list of IP addresses the server will accept requests 
from.
 * In the local user interface, a similar setting can be found on the 
Interface tab page under the Server/Interface category.
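
To check which hosts would be cut off by the workaround (or are still reaching the port after it is applied), connection logs can be audited against the same comma-separated list. This is an added example, not part of the advisory or of any F-Secure tooling; the key=value log layout, the sample addresses and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

CSS_PORT = 18971  # Content Scanner Server port named in the advisory

# Constructed sample data (not real logs); the key=value layout is an assumption.
ACCEPT_CONNECTIONS = "192.0.2.10, 192.0.2.11"
SAMPLE_LOG = [
    "2004-09-14T10:00:01 action=accept src=192.0.2.10 dpt=18971",
    "2004-09-14T10:00:02 action=accept src=198.51.100.7 dpt=18971",
    "2004-09-14T10:00:03 action=accept src=198.51.100.7 dpt=18971",
    "2004-09-14T10:00:04 action=accept src=198.51.100.7 dpt=80",
    "2004-09-14T10:00:05 action=accept src=203.0.113.9 dpt=18971",
    "2004-09-14T10:00:06 action=accept src=not-an-ip dpt=18971",
    "truncated line with no fields",
]

def parse_accept_list(setting):
    """Parse a comma-separated list of IP addresses into a set."""
    return {ipaddress.ip_address(p.strip()) for p in setting.split(",") if p.strip()}

def audit_connections(log_lines, accept_setting, port=CSS_PORT):
    """Count connections to `port` from sources that are not on the accept list."""
    allowed = parse_accept_list(accept_setting)
    offenders = Counter()
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            if int(fields["dpt"]) != port:
                continue  # traffic to other ports is out of scope
            src = ipaddress.ip_address(fields["src"])
        except (KeyError, ValueError):
            continue  # skip malformed or incomplete lines
        if src not in allowed:
            offenders[str(src)] += 1
    return offenders

if __name__ == "__main__":
    for src, count in audit_connections(SAMPLE_LOG, ACCEPT_CONNECTIONS).most_common():
        print(f"{src}: {count} connection(s) to port {CSS_PORT} from outside the accept list")
```

Sources that appear here repeatedly at short intervals are worth comparing against the 30 to 40 second restart window described under Impact.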

Disclosure Timeline
08/25/2004 Initial vendor notification
08/25/2004 iDEFENSE clients notified
08/25/2004 Initial vendor response
09/09/2004 Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE Security Labs 
<mailto:idlabs-advisories@idefense.com>.
The original article can be found at: 
http://www.idefense.com/application/poi/display?id=137&type=vulnerabilities


