exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

eEye.symantecDNS2.txt

eEye.symantecDNS2.txt
Posted May 13, 2004
Authored by Barnaby Jack, Karl Lynn, Derek Soeder | Site eeye.com

eEye Security Advisory - eEye Digital Security has discovered a second vulnerability in the Symantec firewall product line that can be remotely exploited to cause a severe denial-of-service condition on systems running a default installation of an affected version of the product. By sending a single malicious DNS (UDP port 53) response packet to a vulnerable host, an attacker can cause the Symantec DNS response validation code to enter an infinite loop within the kernel, amounting to a system freeze that requires the machine to be physically rebooted in order to restore operation. Systems Affected: Symantec Norton Internet Security 2002/2003/2004, Symantec Norton Internet Security Professional 2002/2003/2004, Symantec Norton Personal Firewall 2002/2003/2004, Symantec Client Firewall 5.01/5.1.1, Symantec Client Security 1.0/1.1/2.0(SCF 7.1), and Symantec Norton AntiSpam 2004.

tags | advisory, kernel, udp
SHA-256 | 9586423e4a36c89f9ed7bf1939b4d9b4bc57ec4d8c57dca66ad3372b2230d08b

eEye.symantecDNS2.txt

Change Mirror Download
Symantec Multiple Firewall DNS Response Denial-of-Service

Release Date:
May 12, 2004

Date Reported:
April 19, 2004

Severity:
High (Remote Denial of Service)

Vendor:
Symantec

Systems Affected:
Symantec Norton Internet Security 2002
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2004
Symantec Norton Internet Security Professional 2002
Symantec Norton Internet Security Professional 2003
Symantec Norton Internet Security Professional 2004
Symantec Norton Personal Firewall 2002
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2004
Symantec Client Firewall 5.01, 5.1.1
Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
Symantec Norton AntiSpam 2004

Description:
eEye Digital Security has discovered a second vulnerability in the
Symantec firewall product line that can be remotely exploited to cause a
severe denial-of-service condition on systems running a default
installation of an affected version of the product. By sending a single
malicious DNS (UDP port 53) response packet to a vulnerable host, an
attacker can cause the Symantec DNS response validation code to enter an
infinite loop within the kernel, amounting to a system freeze that
requires the machine to be physically rebooted in order to restore
operation.

Technical Description:
The SYMDNS.SYS driver included in these products validates each DNS
response packet before allowing it through the firewall, attempting to
reassemble a DNS answer name into a single dotted string as part of this
process. Although not as hot as Barns's and Karl's stack overflow in the
same routine, there is also a denial-of-service vulnerability in the
name component concatention code involving the processing of compressed
name pointers (name component with a length byte >= 40h, as far as
SYMDNS is concerned, followed by the offset of the name component to
substitute in place of the pointer). Specifically, if a compressed name
pointer is constructed that points to itself, this routine will loop
infinitely as it forever follows the compressed name pointer, to the
compressed name pointer, to the compressed name pointer...

The following is a DNS response packet containing such a pointer:

Offset Size Data Description
------- ------- --------------- --------------------------------
0000h WORD xx xx Transaction ID
0002h WORD 80 00 Flags (bit 15: response)
0004h WORD 00 01 Number of questions
0006h WORD 00 01 Number of answer RRs
0008h WORD xx xx Number of authority RRs
000Ah WORD xx xx Number of additional RRs
000Ch WORD C0 0C Compressed name pointer to itself

By sending an attack packet to any open UDP port on a vulnerable system,
from a source port of 53, the vulnerable code will be reached and the
denial-of-service condition will occur.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Symantec has released a patch for this vulnerability. The patch is
available via the Symantec LiveUpdate service. For more information
please refer to the Symantec security advisory.
https://securityresponse.symantec.com/avcenter/security/Content/2004.05.1
2.html

Credit:
Discovery: Barnaby Jack, Karl Lynn, Derek Soeder

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
https://www.eeye.com/html/Products/Retina/download.html

Greetings:
D12/2, Ink, AiC, "Screenshot guy"(tm), and we would also like to thank
our contact Mike over at Symantec for being patient and cooperative
throughout the reporting process.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
https://www.eEye.com
info@eEye.com
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close