APP: Gauntlet URL Request Buffer Overflow
This signature detects attempts to exploit a known vulnerability against Gauntlet Firewall from Trusted Information Systems (TIS). Attackers can send a request containing a maliciously crafted URL to the service TCP/8999 to execute arbitrary code on the host.
Extended Description
A buffer overflow exists in the version of Mattel's Cyber Patrol software integrated in to Network Associates Gauntlet firewall, versions 4.1, 4.2, 5.0 and 5.5. Due to the manner in which Cyber Patrol was integrated, a vulnerability was introduced which could allow a remote attacker to gain root access on the firewall, or execute arbitrary commands on the firewall. By default, Cyber Patrol is installed on Gauntlet installations, and runs for 30 days. After that period, it is disabled. During this 30 day period, the firewall is susceptible to attack,. Due to the filtering software being externally accessible, users not on the internal network may also be able to exploit the vulnerability. Some versions of SGI IRIX shipped with the Gauntlet Firewall package, and in the past it was a supported SGI product. While it is no longer being supported, SGI IRIX versions 6.5.2, 6.5.3, 6.5.4 and 6.5.5 may be prone to this issue.
Affected Products
Network_associates webshield_e-ppliance,Network_associates gauntlet_firewall
References
BugTraq: 1234
CVE: CVE-2000-0437
URL: http://www.pestpatrol.com/pestinfo/a/animal_c.asp http://www.securityfocus.com/advisories/3700
Short Name
APP:GAUNTLET:GAUNTLET-URL-OF
Severity
Major
Recommended
False
Recommended Action
Drop
Category
APP
Keywords
Buffer CVE-2000-0437 Gauntlet Overflow Request URL bid:1234
Release Date
04/22/2003
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
Port
TCP/8999
False Positive
Unknown
Vendors
Sgi
Network_associates
CVSS Score
10.0