Symantec Multiple Firewall DNS Response Denial-of-Service

Release Date: May 12, 2004
Date Reported: April 19, 2004
Severity: High (Remote Denial of Service)
Vendor: Symantec

Systems Affected:
Symantec Norton Internet Security 2002
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2004
Symantec Norton Internet Security Professional 2002
Symantec Norton Internet Security Professional 2003
Symantec Norton Internet Security Professional 2004
Symantec Norton Personal Firewall 2002
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2004
Symantec Client Firewall 5.01, 5.1.1
Symantec Client Security 1.0, 1.1, 2.0 (SCF 7.1)
Symantec Norton AntiSpam 2004

Description:
eEye Digital Security has discovered a second vulnerability in the Symantec firewall product line that can be remotely exploited to cause a severe denial-of-service condition on systems running a default installation of an affected version of the product. By sending a single malicious DNS (UDP port 53) response packet to a vulnerable host, an attacker can cause the Symantec DNS response validation code to enter an infinite loop within the kernel, amounting to a system freeze that requires the machine to be physically rebooted in order to restore operation.

Technical Description:
The SYMDNS.SYS driver included in these products validates each DNS response packet before allowing it through the firewall, attempting to reassemble a DNS answer name into a single dotted string as part of this process. Although not as hot as Barns's and Karl's stack overflow in the same routine, there is also a denial-of-service vulnerability in the name component concatenation code involving the processing of compressed name pointers (a name component whose length byte is >= 40h, as far as SYMDNS is concerned, followed by the offset of the name component to substitute in place of the pointer).
Specifically, if a compressed name pointer is constructed that points to itself, this routine will loop infinitely, forever following the compressed name pointer to the compressed name pointer to the compressed name pointer... The following is a DNS response packet containing such a pointer:

Offset   Size    Data             Description
-------  ------  ---------------  --------------------------------
0000h    WORD    xx xx            Transaction ID
0002h    WORD    80 00            Flags (bit 15: response)
0004h    WORD    00 01            Number of questions
0006h    WORD    00 01            Number of answer RRs
0008h    WORD    xx xx            Number of authority RRs
000Ah    WORD    xx xx            Number of additional RRs
000Ch    WORD    C0 0C            Compressed name pointer to itself

If such a packet is sent to any open UDP port on a vulnerable system from a source port of 53, the vulnerable code will be reached and the denial-of-service condition will occur.

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
Symantec has released a patch for this vulnerability. The patch is available via the Symantec LiveUpdate service. For more information please refer to the Symantec security advisory:
http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html

Credit:
Discovery: Barnaby Jack, Karl Lynn, Derek Soeder

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/download.html

Greetings:
D12/2, Ink, AiC, "Screenshot guy"(tm), and we would also like to thank our contact Mike over at Symantec for being patient and cooperative throughout the reporting process.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
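The following is an added example, not code from this advisory or from Symantec's SYMDNS.SYS driver: a DNS name decoder in C that applies the RFC 1035 rule that a compression pointer (a length byte with its top two bits set, C0h-FFh) must refer to an earlier offset in the packet. The self-referencing pointer from the table above, C0 0C at offset 000Ch, is rejected rather than followed forever, and so is any longer pointer cycle. Unlike SYMDNS as described above, it treats length bytes of 40h-BFh as reserved and rejects them. The packet bytes, the transaction ID 1234h, the names example.com and www, and the function names (dns_name_decode, name_status, name_matches) are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum dns_name_status {
    DNS_NAME_OK = 0,
    DNS_NAME_TRUNCATED = -1,    /* name runs past the end of the packet */
    DNS_NAME_BAD_LABEL = -2,    /* reserved label types 01xxxxxx / 10xxxxxx */
    DNS_NAME_POINTER_LOOP = -3, /* pointer not strictly backward (self/cycle) */
    DNS_NAME_TOO_LONG = -4      /* expanded name exceeds 255 octets or the buffer */
};
#define DNS_MAX_NAME 255 /* RFC 1035 limit on a name's wire length */

/* Decode the name at offset `off` of `pkt` into `out` as a dotted string.
 * On success *end_off (if non-NULL) receives the offset just past the name
 * as it sits in the stream: after the first pointer, or after the root label. */
int dns_name_decode(const uint8_t *pkt, size_t pktlen, size_t off,
                    char *out, size_t outlen, size_t *end_off)
{
    size_t cur = off, outpos = 0, wire_octets = 0, after = 0;
    int jumped = 0;

    if (outlen == 0) return DNS_NAME_TOO_LONG;
    for (;;) {
        if (cur >= pktlen) return DNS_NAME_TRUNCATED;
        uint8_t len = pkt[cur];
        if ((len & 0xC0) == 0xC0) {                /* 11xxxxxx: compression pointer */
            if (cur + 1 >= pktlen) return DNS_NAME_TRUNCATED;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[cur + 1];
            /* A pointer must refer to an earlier offset. The advisory's C0 0C at
             * 000Ch has target == cur and is rejected here; longer cycles are
             * impossible too, because cur strictly decreases on every jump. */
            if (target >= cur) return DNS_NAME_POINTER_LOOP;
            if (!jumped) { after = cur + 2; jumped = 1; }
            cur = target;
            continue;
        }
        if (len & 0xC0) return DNS_NAME_BAD_LABEL;  /* 01xxxxxx / 10xxxxxx reserved */
        if (len == 0) {                             /* root label ends the name */
            if (!jumped) after = cur + 1;
            break;
        }
        if (cur + 1 + len > pktlen) return DNS_NAME_TRUNCATED;
        wire_octets += 1 + len;
        if (wire_octets + 1 > DNS_MAX_NAME) return DNS_NAME_TOO_LONG;
        if (outpos + (outpos ? 1 : 0) + len + 1 > outlen) return DNS_NAME_TOO_LONG;
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, pkt + cur + 1, len);
        outpos += len;
        cur += 1 + len;
    }
    out[outpos] = '\0';
    if (end_off) *end_off = after;
    return DNS_NAME_OK;
}

/* Constructed packets. The 12-byte header follows the advisory's table (ID 1234h). */
#define HDR 0x12,0x34, 0x80,0x00, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00
/* The advisory's packet: header, then C0 0C at 000Ch pointing to itself. */
static const uint8_t self_pointer_pkt[] = { HDR, 0xC0,0x0C };
/* Two-pointer cycle: 000Ch -> 000Eh -> 000Ch. */
static const uint8_t cycle_pkt[] = { HDR, 0xC0,0x0E, 0xC0,0x0C };
/* Well-formed response: "example.com" at 000Ch, pointer at 001Dh, "www" + pointer at 001Fh. */
static const uint8_t benign_pkt[] = {
    HDR,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,  /* 000Ch..0018h */
    0x00,0x01, 0x00,0x01,                             /* QTYPE, QCLASS */
    0xC0,0x0C,                                        /* 001Dh */
    3,'w','w','w', 0xC0,0x0C                          /* 001Fh..0024h */
};

/* Convenience wrappers that return plain values for checking. */
int name_status(const uint8_t *pkt, size_t pktlen, size_t off)
{
    char buf[DNS_MAX_NAME + 1];
    return dns_name_decode(pkt, pktlen, off, buf, sizeof buf, NULL);
}
int name_matches(const uint8_t *pkt, size_t pktlen, size_t off,
                 const char *expect, size_t expect_end)
{
    char buf[DNS_MAX_NAME + 1];
    size_t end = 0;
    if (dns_name_decode(pkt, pktlen, off, buf, sizeof buf, &end) != DNS_NAME_OK) return 0;
    return strcmp(buf, expect) == 0 && end == expect_end;
}

int main(void)
{
    printf("advisory packet rejected: %d\n",
           name_status(self_pointer_pkt, sizeof self_pointer_pkt, 0x0C) == DNS_NAME_POINTER_LOOP);
    printf("benign name at 001Fh decodes: %d\n",
           name_matches(benign_pkt, sizeof benign_pkt, 0x1F, "www.example.com", 0x25));
    return 0;
}
```

The strictly-backward rule is the standard defence for this class of bug: the decoder terminates on every input because each jump moves the cursor toward the start of the packet, so no jump counter or visited-offset set is needed, and the bounds checks before every read keep a truncated packet from reading past the buffer. The same check is a cheap thing to confirm in any DNS-inspecting component, whether a firewall driver, an IDS parser or a resolver library.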
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com