From: jcan at FOA.DK (Jens Andersson)
Subject: Symantec Multiple Firewall Remote DNS KERNEL Overflow

Symantec Multiple Firewall Remote DNS KERNEL Overflow

Release Date:
May 12, 2004

Date Reported:
April 19, 2004

Severity:
High (Remote Kernel Access)

Vendor:
Symantec

Systems Affected:
Symantec Norton Internet Security 2002
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2004
Symantec Norton Internet Security Professional 2002
Symantec Norton Internet Security Professional 2003
Symantec Norton Internet Security Professional 2004
Symantec Norton Personal Firewall 2002
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2004 
Symantec Client Firewall 5.01, 5.1.1 
Symantec Client Security 1.0, 1.1, 2.0 (SCF 7.1)
Symantec Norton AntiSpam 2004

Description:
eEye Digital Security has discovered a critical remote vulnerability within
the Symantec firewall product line. A buffer overflow exists within a core
driver component that handles the processing of DNS (Domain Name Service)
requests and responses. By sending a DNS Resource Record with an overly long
canonical name, a traditional stack-based buffer overflow is triggered.
Successful exploitation of this flaw yields remote KERNEL access to the
system.

With the ability to freely execute code at the Ring 0 privilege level, there
are literally no boundaries for an attacker.

It should also be noted that, due to a separate design flaw in the firewall's
handling of incoming packets, this attack can be successfully performed with
all ports filtered and all intrusion rules set.

Technical Description:
This specific vulnerability exists within the SYMDNS.SYS driver. The stack
overflow arises due to an implementation flaw in the routine that processes
the CNAME field of incoming Resource Records. A canonical name field is
represented as a series of labels, and is terminated by a label with a zero
byte length. Each string consists of a one byte length specifier, followed
by that number of characters. A typical canonical name field would be of the
following format:

0x03 // length 
www // string component
0x04 // length 
eEye // string component
0x03 // length 
com // string component

Each time the SYMDNS.SYS driver encounters a length field, the field is then
used as a counter to copy the bytes that follow. These bytes are copied
directly into a stack based buffer. Due to poor sanity checking on the total
CNAME field, the routine will accept a large number of length specifiers and
byte sequences. As the routine loops through each field, the bytes are
concatenated, and an exploitable condition in the KERNEL is reached.
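The following is an added illustration, not code from the advisory or from
Symantec: a bounded parser for the label format described above, written to
show the checks a CNAME-processing routine needs before copying labels into a
fixed stack buffer. It assumes RFC 1035 limits (63 octets per label, 255 for
the whole name) and uses constructed sample input, including an oversized run
of length specifiers of the kind the advisory describes.

```c
#include <stdint.h>
#include <string.h>

#define DNS_MAX_LABEL 63   /* RFC 1035: one label is at most 63 octets */
#define DNS_MAX_NAME  255  /* RFC 1035: whole wire-format name, terminator included */

/* Decode a wire-format name (length-prefixed labels ending in a zero length)
 * from msg[pos..len) into out as dotted text. Every copy is bounded by the
 * packet, the destination buffer and the RFC name limit, so a long run of
 * labels is rejected instead of being concatenated past the end of the buffer.
 * Returns bytes consumed, or -1 if the name is malformed or too long. */
int dns_name_parse(const uint8_t *msg, size_t len, size_t pos,
                   char *out, size_t outlen)
{
    size_t start = pos, o = 0, total = 0;
    while (pos < len) {
        uint8_t l = msg[pos++];
        if (l == 0) {                     /* terminating label */
            if (o >= outlen) return -1;
            out[o] = '\0';
            return (int)(pos - start);
        }
        if ((l & 0xC0) != 0) return -1;   /* compression pointers: not handled here */
        if (l > DNS_MAX_LABEL) return -1;
        total += 1 + l;                   /* length octet plus label octets */
        if (total + 1 > DNS_MAX_NAME) return -1;  /* total-length check on the whole name */
        if (pos + l > len) return -1;     /* label would run past the packet */
        if (o + (o ? 1 : 0) + l + 1 > outlen) return -1;  /* '.', label, NUL must fit */
        if (o) out[o++] = '.';
        memcpy(out + o, msg + pos, l);
        o += l;
        pos += l;
    }
    return -1;                            /* no terminator before end of packet */
}

/* Constructed sample: the advisory's example name in wire form (the string
 * literal supplies the terminating zero). Returns 1 if it decodes as expected. */
int sample_decodes(void)
{
    static const uint8_t wire[] = "\x03" "www" "\x04" "eEye" "\x03" "com";
    char out[32];
    int n = dns_name_parse(wire, sizeof wire, 0, out, sizeof out);
    return n == 14 && strcmp(out, "www.eEye.com") == 0;
}

/* Constructed oversized record: 20 maximum-length labels (1281 octets). The
 * destination is deliberately large, so rejection comes from the name limit. */
int oversized_rejected(void)
{
    uint8_t pkt[20 * 64 + 1];
    char out[2048];
    for (int i = 0; i < 20; i++) {
        pkt[i * 64] = DNS_MAX_LABEL;
        memset(pkt + i * 64 + 1, 'A', DNS_MAX_LABEL);
    }
    pkt[20 * 64] = 0;
    return dns_name_parse(pkt, sizeof pkt, 0, out, sizeof out);
}
```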

A separate design flaw allows this attack to succeed with the firewall
running in its most locked-down state. The firewall will happily accept any
packet that has a source port of 53, regardless of port filtering.

The fact that this vulnerability is exploitable over UDP adds another
serious layer to an already critical flaw.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Symantec has released a patch for this vulnerability. The patch is available
via the Symantec LiveUpdate service. For more information please refer to
the Symantec security advisory.
http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html

Credit:
Discovery: Barnaby Jack and Karl Lynn

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/download.html

Greetings:
R Hassell (aka Gilligan), the NZ crew, Gary Golomb, Rich Walchuck, Jason
Dameron, Sam Stover, Matt Dickerson, and Kelly H.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please email alert@...e.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
no warranties, implied or express, with regard to this information. In no
event shall the author be liable for any direct or indirect damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@...e.com

