Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory
Advisory ID: SYMSA-2006-013
Advisory Title: Multiple Vulnerabilities in Mandiant First Response
Author: Brian Reilly / brian_reilly (at) symantec (dot) com
Release Date: 18-12-2006
Application: Mandiant First Response 1.1
Platform: Windows 2000/XP/2003
Severity: Multiple -- Denial of Service, Data Manipulation, Client/Server
Hijacking
Vendor status: New Version of product available
CVE Number: CVE-2006-6475, CVE-2006-6476, CVE-2006-6477
Reference: http://www.securityfocus.com/bid/21548
Overview:
Mandiant First Response is an incident response tool to collect system
information such as running processes, system services, registry
information, event logs, and file lists from a local or remote host. The
First Response agent (FRAgent.exe) can be installed and configured as a
daemon on target hosts in order to collect information remotely via a
First Response Command Console. Multiple vulnerabilities exist that could
lead to a variety of attack payloads. Agents running in either HTTP or
SSL mode are vulnerable to denial of service and server hijacking
conditions. The server hijacking vulnerability present in HTTP agents can
be further leveraged to allow a rogue process to intercept and modify
legitimate agent/console communication, and force a Command Console to
download arbitrary content and visit arbitrary URLs.
Details:
Vulnerability #1: Denial of Service against an SSL agent through malformed
client requests
When run in daemon mode, the First Response agent (FRAgent.exe) accepts
remote connections from a First Response console via HTTP or a modified
HTTPS implementation. By sending a series of specially-crafted requests
to an SSL-enabled agent, it is possible to force the agent to throw an
exception that is not properly handled. After this occurs, the agent's
sockets will enter an indefinite CLOSE_WAIT state and all subsequent
connection attempts will be refused. The service then must be restarted
in order to recover and accept connections again.
Vulnerability #2: Denial of Service against an HTTP or SSL agent through
Agent hijacking
An FRAgent daemon permits other processes to bind to the same socket
addresses on which it is already listening. If FRAgent is bound to a
0.0.0.0 wildcard address ("all interfaces"), a rogue process can intercept
client connections by subsequently binding to the same port on a specific
IP address. By hijacking an agent with a non-responsive listener, an
attacker can effectively prevent all legitimate client connections.
Vulnerability #3: Command Console and Data Manipulation through HTTP
Agent Hijacking
If an HTTP FRAgent daemon is hijacked, the attacker can control the response
data sent to and processed by a client, as well as other aspects of client
behavior. A rogue process can conduct a man-in-the-middle attack to
redirect and modify all requests and responses between the client and a
legitimate agent. The attacker can also send specially-crafted HTTP
responses that force the client to visit arbitrary URLs and/or download
arbitrary content. (NOTE: The use of HTTPS/SSL is default behavior for First
Response; using cleartext HTTP requires manual configuration.)
Vendor Response:
Mandiant has confirmed the reports provided by Symantec and updated
Mandiant First Response (MFR) to correct these issues. Version 1.1.1 is now
available for download from
http://www.mandiant.com/firstresponse.htm. Mandiant advises all
users of MFR to upgrade to 1.1.1 as soon as possible. Registered
users of the software have been notified via email of availability
of the upgrade.
During the course of our review we noted the following addenda to
Symantec's analysis:
Vulnerability 1: The DoS condition was due to a design error where
the Agent would choose to exit upon receipt of a malformed request.
The exit was an explicit choice exercised by the code path and not
caused by a buffer overflow or heap corruption. Version 1.1.1
addresses the explicit exit condition and correctly handles
requests with malformed payloads, allowing the MFR Agent to
continue operation while correctly rejecting malformed requests.
Vulnerabilities 2 and 3: The vulnerabilities are present because the
MFR Agent opens its listening port in non-exclusive mode. Version
1.1.1 correctly opens the port as exclusive, preventing the
multiple-bind condition.
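The multiple-bind condition behind Vulnerability #2 (a wildcard 0.0.0.0 listener shadowed by a second listener on a specific address) and the exclusive-bind fix described in the vendor addendum, as an added defender-side example that is not Mandiant's or Symantec's code. It audits constructed "netstat -ano" output for a port shared between a wildcard listener and a different PID, and shows a listener opened the way version 1.1.1 does; the agent port 10500 and all PIDs are made-up sample values.

```python
import re
import socket
from collections import defaultdict

# One "netstat -ano" line: proto, local addr:port, foreign addr:port, state, PID
NETSTAT_RE = re.compile(
    r"^\s*(TCP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$"
)


def find_hijacked_ports(netstat_output):
    """Return {port: [(local_addr, pid), ...]} for every TCP port that has a
    0.0.0.0 (wildcard) listener plus a listener owned by a different PID.
    That pairing is the footprint of an agent port hijacked by another process."""
    listeners = defaultdict(list)
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header, UDP rows and non-listening sockets are skipped
        _, addr, port, pid = m.groups()
        listeners[int(port)].append((addr, int(pid)))
    flagged = {}
    for port, binds in listeners.items():
        pids = {pid for _, pid in binds}
        has_wildcard = any(addr == "0.0.0.0" for addr, _ in binds)
        if has_wildcard and len(pids) > 1:
            flagged[port] = sorted(binds)
    return flagged


def open_exclusive_listener(addr, port):
    """Bind exclusively, as the 1.1.1 agent does. SO_EXCLUSIVEADDRUSE is a
    Winsock option, so it is set only where the platform exposes it; elsewhere
    the attribute is absent and a plain bind already refuses a second bind."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if hasattr(socket, "SO_EXCLUSIVEADDRUSE"):
        s.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
    s.bind((addr, port))
    s.listen(5)
    return s


# Constructed sample output; port 10500 stands in for the agent's listening port.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:10500          0.0.0.0:0              LISTENING       1716
  TCP    192.168.1.10:10500     0.0.0.0:0              LISTENING       3044
  TCP    127.0.0.1:10500        0.0.0.0:0              LISTENING       3044
  UDP    0.0.0.0:500            *:*                                    1120
"""

if __name__ == "__main__":
    for port, binds in find_hijacked_ports(SAMPLE_NETSTAT).items():
        print(f"port {port}: wildcard listener shared with another PID: {binds}")
```

Run it against real "netstat -ano" output on a host running the agent; a hit on the agent's port from a PID other than FRAgent.exe is the condition this advisory describes.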
Mandiant would like to thank Brian Reilly and Scott King for
discovering and notifying us of these vulnerabilities, and Symantec
for their participation in public disclosure.
Recommendation:
Upgrade to MFR version 1.1.1, available at
http://www.mandiant.com/firstresponse.htm.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CVE-2006-6475, CVE-2006-6476, CVE-2006-6477
-------Symantec Vulnerability Research Advisory Information-------
For questions about this advisory, or to report an error:
research (at) symantec (dot) com
For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf
Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/
Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc
-------------Symantec Product Advisory Information-------------
To Report a Security Vulnerability in a Symantec Product:
secure (at) symantec (dot) com
For general information on Symantec's Product Vulnerability
reporting and response:
http://www.symantec.com/security/
Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html
Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
---------------------------------------------------------------
Copyright (c) 2006 by Symantec Corp.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by
Symantec Consulting Services. Reprinting the whole or part of
this alert in any medium other than electronically requires
permission from cs_advisories (at) symantec (dot) com.
Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information.
Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.