Hello everyone,
This is mostly directed to Norton employees because I think I found a buffer overflow vulnerability in the Norton Toolbar. I'm using Norton Internet Security. Ok, here's my story:
I'm using Firefox 3.0.11 as my primary browser and IE 8 when I have to.
I was reading about that Green Dam software (that China will (maybe) be forcing on their citizens) at the University of Michigan: http://www.cse.umich.edu/~jhalderm/pub/gd/ Basically it's parental control software. So this article on umich.edu was talking about a few critical vulnerabilities in the software. I'm not going to get into details because you can just read it; it's interesting. Anyway, they have a link to a demonstration page which will crash your browser if you are running Green Dam: wolchok.org:8000
(This website (wolchok.org) is a website set up by the university for hosting their web apps or something)
I clicked on the button and it crashed my browser. Here's the thing: I don't have GreenDam or any parental control software. I tried this on IE 8 and it crashed it as well. So naturally I checked for traces of GreenDam in Program Files, Add/Remove, etc. and didn't find anything.
Then it occurred to me that it might be Firefox. I ran it in safe mode and tried the button. It didn't do anything. Then, I tried running Firefox in safe mode only enabling one addon at a time. The only time my browser crashed when I clicked the button was when Norton Toolbar was enabled. I ran IE in safe mode and nothing happened when I clicked the button. However, running normally it still crashed.
What I think is that some unsafe coding is going on inside Norton Toolbar. For example, it is responsible for checking links (Norton SafeWeb) so I would guess that it can't handle huge links. This demonstration that the University of Michigan set up will only overflow adjacent buffers with random data. (In this case A's). However, someone could probably use it to fill a buffer with malicious code.
I thought that I should point this out so this vulnerability could be fixed.
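
Added example, not part of the original post and not Norton's code: a defensive sketch of how a link-checking component can take an untrusted URL into a fixed-size buffer without overflowing it, under the post's guess that very long links are the trigger. The names `url_intake`, `check_long_link` and the `URL_MAX` limit are hypothetical, and the long run of `A` characters is constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limit and names, chosen for this example only. */
#define URL_MAX 2048

enum url_status { URL_OK = 0, URL_NULL, URL_TOO_LONG, URL_BAD_CHAR };

/* Copy an untrusted URL into a fixed-size buffer for later checking.
 * Over-long input is rejected, not truncated: a truncated URL is a different
 * URL from the one the browser loads, so a verdict on it would be meaningless. */
enum url_status url_intake(const char *src, size_t src_len,
                           char *dst, size_t dst_size)
{
    if (src == NULL || dst == NULL || dst_size == 0)
        return URL_NULL;
    dst[0] = '\0';                      /* dst is always a valid string on return */
    /* The length test comes before any copy and leaves room for the NUL. */
    if (src_len >= dst_size || src_len > URL_MAX)
        return URL_TOO_LONG;
    for (size_t i = 0; i < src_len; i++) {
        unsigned char c = (unsigned char)src[i];
        /* Embedded NUL or control bytes would make later string handling ambiguous. */
        if (c < 0x20 || c == 0x7f)
            return URL_BAD_CHAR;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return URL_OK;
}

/* Constructed sample input: a link of n 'A' characters fed to a 256-byte buffer. */
enum url_status check_long_link(size_t n)
{
    static char big[8192];
    char buf[256];
    if (n > sizeof big) n = sizeof big;
    memset(big, 'A', n);
    return url_intake(big, n, buf, sizeof buf);
}

int main(void)
{
    printf("255 bytes: %d, 8192 bytes: %d\n",
           check_long_link(255), check_long_link(8192));
    return 0;
}
```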