Signature Detail

APP: Gauntlet URL Request Buffer Overflow

This signature detects attempts to exploit a known vulnerability against Gauntlet Firewall from Trusted Information Systems (TIS). Attackers can send a request containing a maliciously crafted URL to the service TCP/8999 to execute arbitrary code on the host.

Extended Description

A buffer overflow exists in the version of Mattel's Cyber Patrol software integrated in to Network Associates Gauntlet firewall, versions 4.1, 4.2, 5.0 and 5.5. Due to the manner in which Cyber Patrol was integrated, a vulnerability was introduced which could allow a remote attacker to gain root access on the firewall, or execute arbitrary commands on the firewall. By default, Cyber Patrol is installed on Gauntlet installations, and runs for 30 days. After that period, it is disabled. During this 30 day period, the firewall is susceptible to attack,. Due to the filtering software being externally accessible, users not on the internal network may also be able to exploit the vulnerability. Some versions of SGI IRIX shipped with the Gauntlet Firewall package, and in the past it was a supported SGI product. While it is no longer being supported, SGI IRIX versions 6.5.2, 6.5.3, 6.5.4 and 6.5.5 may be prone to this issue.

Affected Products

• Network Associates Gauntlet Firewall 4.1.0
• Network Associates Gauntlet Firewall 4.2.0
• Network Associates Gauntlet Firewall 5.0.0
• Network Associates Gauntlet Firewall 5.5.0
• Network Associates WebShield E-ppliance 100.0.0
• Network Associates WebShield E-ppliance 300.0.0
• Network Associates WebShield for Solaris 4.0.0
• SGI IRIX 6.5.2
• SGI IRIX 6.5.3
• SGI IRIX 6.5.4
• SGI IRIX 6.5.5

References

• BugTraq: 1234
• CVE: CVE-2000-0437
• URL: http://www.pestpatrol.com/pestinfo/a/animal_c.asp
• URL: http://www.securityfocus.com/advisories/3700