Full Disclosure mailing list archives
Re: (CLEAN 0069) ..EEYE: Symantec Multiple Firewall DNS Response Denial-of-Service
From: "Jeremy D'Hoinne" <jeremy.dhoinne () netasq com>
Date: Thu, 13 May 2004 08:41:26 +0200
Isn't that the famous label recursion that we block?

On Wed, 12 May 2004 16:59:47 -0700 "Marc Maiffret" <mmaiffret () eeye com> wrote:

|Symantec Multiple Firewall DNS Response Denial-of-Service
|
|Release Date:
|May 12, 2004
|
|Date Reported:
|April 19, 2004
|
|Severity:
|High (Remote Denial of Service)
|
|Vendor:
|Symantec
|
|Systems Affected:
|Symantec Norton Internet Security 2002
|Symantec Norton Internet Security 2003
|Symantec Norton Internet Security 2004
|Symantec Norton Internet Security Professional 2002
|Symantec Norton Internet Security Professional 2003
|Symantec Norton Internet Security Professional 2004
|Symantec Norton Personal Firewall 2002
|Symantec Norton Personal Firewall 2003
|Symantec Norton Personal Firewall 2004
|Symantec Client Firewall 5.01, 5.1.1
|Symantec Client Security 1.0, 1.1, 2.0 (SCF 7.1)
|Symantec Norton AntiSpam 2004
|
|Description:
|eEye Digital Security has discovered a second vulnerability in the
|Symantec firewall product line that can be remotely exploited to cause a
|severe denial-of-service condition on systems running a default
|installation of an affected version of the product. By sending a single
|malicious DNS (UDP port 53) response packet to a vulnerable host, an
|attacker can cause the Symantec DNS response validation code to enter an
|infinite loop within the kernel, amounting to a system freeze that
|requires the machine to be physically rebooted in order to restore
|operation.
|
|Technical Description:
|The SYMDNS.SYS driver included in these products validates each DNS
|response packet before allowing it through the firewall, attempting to
|reassemble a DNS answer name into a single dotted string as part of this
|process. Although not as hot as Barns's and Karl's stack overflow in the
|same routine, there is also a denial-of-service vulnerability in the
|name component concatenation code involving the processing of compressed
|name pointers (name component with a length byte >= 40h, as far as
|SYMDNS is concerned, followed by the offset of the name component to
|substitute in place of the pointer). Specifically, if a compressed name
|pointer is constructed that points to itself, this routine will loop
|infinitely as it forever follows the compressed name pointer, to the
|compressed name pointer, to the compressed name pointer...
|
|The following is a DNS response packet containing such a pointer:
|
|Offset  Size    Data            Description
|------- ------- --------------- --------------------------------
|0000h   WORD    xx xx           Transaction ID
|0002h   WORD    80 00           Flags (bit 15: response)
|0004h   WORD    00 01           Number of questions
|0006h   WORD    00 01           Number of answer RRs
|0008h   WORD    xx xx           Number of authority RRs
|000Ah   WORD    xx xx           Number of additional RRs
|000Ch   WORD    C0 0C           Compressed name pointer to itself
|
|By sending an attack packet to any open UDP port on a vulnerable system,
|from a source port of 53, the vulnerable code will be reached and the
|denial-of-service condition will occur.
|
|Protection:
|Retina Network Security Scanner has been updated to identify this
|vulnerability.
|
|Vendor Status:
|Symantec has released a patch for this vulnerability. The patch is
|available via the Symantec LiveUpdate service. For more information
|please refer to the Symantec security advisory.
|http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html
|
|Credit:
|Discovery: Barnaby Jack, Karl Lynn, Derek Soeder
|
|Related Links:
|Retina Network Security Scanner - Free 15 Day Trial
|http://www.eeye.com/html/Products/Retina/download.html
|
|Greetings:
|D12/2, Ink, AiC, "Screenshot guy"(tm), and we would also like to thank
|our contact Mike over at Symantec for being patient and cooperative
|throughout the reporting process.
|
|Copyright (c) 1998-2004 eEye Digital Security
|Permission is hereby granted for the redistribution of this alert
|electronically. It is not to be edited in any way without express
|consent of eEye. If you wish to reprint the whole or any part of this
|alert in any other medium excluding electronic medium, please email
|alert () eEye com for permission.
|
|Disclaimer
|The information within this paper may change without notice. Use of this
|information constitutes acceptance for use in an AS IS condition. There
|are no warranties, implied or express, with regard to this information.
|In no event shall the author be liable for any direct or indirect
|damages whatsoever arising out of or in connection with the use or
|spread of this information. Any use of this information is at the user's
|own risk.
|
|Feedback
|Please send suggestions, updates, and comments to:
|
|eEye Digital Security
|http://www.eEye.com
|info () eEye com
|

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
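The self-referencing compression pointer from the quoted advisory, as an added example that is not eEye's or Symantec's code: a name decompressor that follows RFC 1035 section 4.1.4, where a pointer may only refer to a prior occurrence of a name, so the C0 0C at offset 000Ch fails a single `target < pos` comparison instead of being followed forever; a hop counter is kept as a second bound. The packet bytes are built from the advisory's table (the xx fields filled with arbitrary values). The `dns_name_expand` and `dns_first_answer_name` names, the hop limit, and the second, well-formed packet used for contrast are assumptions of this example, not anything the advisory describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_HDR_LEN  12
#define DNS_MAX_NAME 255
#define DNS_MAX_HOPS 16  /* assumption: generous bound, real names need far fewer */

/* Expand the DNS name at wire offset `off` into a dotted string. Returns the
 * string length, or -1 if the name is malformed. `*next` receives the wire
 * offset just past the name as written at `off` (a pointer is two bytes,
 * whatever it expands to). A pointer must reference an earlier offset, so
 * the advisory's C0 0C at 000Ch (target == pos) is rejected on the first hop. */
int dns_name_expand(const uint8_t *pkt, size_t len, size_t off,
                    char *out, size_t outlen, size_t *next)
{
    size_t pos = off, outpos = 0;
    int hops = 0, jumped = 0;

    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;                 /* ran off the packet */
        uint8_t c = pkt[pos];
        if ((c & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | pkt[pos + 1];
            if (!jumped) { *next = pos + 2; jumped = 1; }
            if (target >= pos) return -1;          /* self or forward pointer */
            if (++hops > DNS_MAX_HOPS) return -1;  /* belt and braces */
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                   /* 01/10 prefixes are reserved */
        if (c == 0) {                              /* root label ends the name */
            if (!jumped) *next = pos + 1;
            out[outpos] = '\0';
            return (int)outpos;
        }
        size_t need = outpos + (outpos ? 1 : 0) + c;
        if (pos + 1 + c > len || need > DNS_MAX_NAME || need + 1 > outlen)
            return -1;
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, pkt + pos + 1, c);
        outpos += c;
        pos += 1 + c;
    }
}

/* Skip the question section, then expand the first answer's owner name,
 * roughly what a firewall's DNS response validator has to do. */
int dns_first_answer_name(const uint8_t *pkt, size_t len, char *out, size_t outlen)
{
    if (len < DNS_HDR_LEN || !(pkt[2] & 0x80)) return -1;  /* not a response */
    unsigned qd = ((unsigned)pkt[4] << 8) | pkt[5];
    unsigned an = ((unsigned)pkt[6] << 8) | pkt[7];
    if (an == 0) return -1;
    size_t pos = DNS_HDR_LEN, next = 0;
    char scratch[DNS_MAX_NAME + 1];
    for (unsigned i = 0; i < qd; i++) {
        if (dns_name_expand(pkt, len, pos, scratch, sizeof scratch, &next) < 0)
            return -1;
        pos = next + 4;                            /* QTYPE + QCLASS */
        if (pos > len) return -1;
    }
    return dns_name_expand(pkt, len, pos, out, outlen, &next);
}

/* The advisory's packet, constructed from its table: header, then C0 0C. */
size_t build_advisory_packet(uint8_t *buf, size_t cap)
{
    static const uint8_t p[] = {
        0x12, 0x34, 0x80, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
        0xC0, 0x0C   /* offset 000Ch: pointer to offset 000Ch */
    };
    if (cap < sizeof p) return 0;
    memcpy(buf, p, sizeof p);
    return sizeof p;
}

/* Constructed well-formed response for contrast: question www.example.com,
 * answer whose owner name is a legitimate backward pointer to 000Ch. */
const uint8_t benign_packet[] = {
    0x12, 0x34, 0x80, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,                        /* QTYPE A, QCLASS IN */
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01,            /* name ptr, TYPE, CLASS */
    0x00, 0x00, 0x0E, 0x10, 0x00, 0x04, 192, 0, 2, 1  /* TTL, RDLEN, RDATA */
};
const size_t benign_packet_len = sizeof benign_packet;

int main(void)
{
    uint8_t buf[64];
    char name[DNS_MAX_NAME + 1];
    size_t n = build_advisory_packet(buf, sizeof buf);
    int a = dns_first_answer_name(buf, n, name, sizeof name);
    printf("advisory packet: %s\n", a < 0 ? "rejected" : name);
    int b = dns_first_answer_name(benign_packet, benign_packet_len, name, sizeof name);
    printf("benign packet:   %s\n", b < 0 ? "rejected" : name);
    return 0;
}
```

The backward-only rule is what makes the check cheap: no loop of pointers can exist if every hop strictly decreases the offset, so the hop limit only guards against absurdly long but still legal chains. Note the advisory's packet already fails while parsing the question section, since the looping name sits at 000Ch where the first question name is expected.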
Current thread:
- EEYE: Symantec Multiple Firewall DNS Response Denial-of-Service Marc Maiffret (May 12)
- Re: (CLEAN 0069) ..EEYE: Symantec Multiple Firewall DNS Response Denial-of-Service Jeremy D'Hoinne (May 13)
- EEYE: Symantec Multiple Firewall DNS Response Denial-of-Service Jeremy D'Hoinne (May 13)
- Re: (CLEAN 0069) ..EEYE: Symantec Multiple Firewall DNS Response Denial-of-Service Jeremy D'Hoinne (May 13)