From: jeremy.dhoinne at netasq.com (Jeremy D'Hoinne)
Subject: (CLEAN 0069) ..EEYE: Symantec Multiple Firewall DNS Response Denial-of-Service

Isn't that the famous label recursion that we block?


On Wed, 12 May 2004 16:59:47 -0700
"Marc Maiffret" <mmaiffret@...e.com> wrote:

|Symantec Multiple Firewall DNS Response Denial-of-Service
|
|Release Date:
|May 12, 2004
|
|Date Reported:
|April 19, 2004
|
|Severity:
|High (Remote Denial of Service)
|
|Vendor:
|Symantec
|
|Systems Affected:
|Symantec Norton Internet Security 2002
|Symantec Norton Internet Security 2003
|Symantec Norton Internet Security 2004
|Symantec Norton Internet Security Professional 2002
|Symantec Norton Internet Security Professional 2003
|Symantec Norton Internet Security Professional 2004
|Symantec Norton Personal Firewall 2002
|Symantec Norton Personal Firewall 2003
|Symantec Norton Personal Firewall 2004 
|Symantec Client Firewall 5.01, 5.1.1 
|Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
|Symantec Norton AntiSpam 2004
|
|Description:
|eEye Digital Security has discovered a second vulnerability in the
|Symantec firewall product line that can be remotely exploited to cause a
|severe denial-of-service condition on systems running a default
|installation of an affected version of the product. By sending a single
|malicious DNS (UDP port 53) response packet to a vulnerable host, an
|attacker can cause the Symantec DNS response validation code to enter an
|infinite loop within the kernel, amounting to a system freeze that
|requires the machine to be physically rebooted in order to restore
|operation.
|
|Technical Description:
|The SYMDNS.SYS driver included in these products validates each DNS
|response packet before allowing it through the firewall, attempting to
|reassemble a DNS answer name into a single dotted string as part of this
|process. Although not as hot as Barns's and Karl's stack overflow in the
|same routine, there is also a denial-of-service vulnerability in the
|name component concatenation code involving the processing of compressed
|name pointers (name component with a length byte >= 40h, as far as
|SYMDNS is concerned, followed by the offset of the name component to
|substitute in place of the pointer). Specifically, if a compressed name
|pointer is constructed that points to itself, this routine will loop
|infinitely as it forever follows the compressed name pointer, to the
|compressed name pointer, to the compressed name pointer...
|
|The following is a DNS response packet containing such a pointer:
|
|Offset  Size    Data            Description
|------- ------- --------------- --------------------------------
|0000h   WORD    xx xx           Transaction ID
|0002h   WORD    80 00           Flags (bit 15: response)
|0004h   WORD    00 01           Number of questions
|0006h   WORD    00 01           Number of answer RRs
|0008h   WORD    xx xx           Number of authority RRs
|000Ah   WORD    xx xx           Number of additional RRs
|000Ch   WORD    C0 0C           Compressed name pointer to itself
|
|By sending an attack packet to any open UDP port on a vulnerable system,
|from a source port of 53, the vulnerable code will be reached and the
|denial-of-service condition will occur.
|
|Protection:
|Retina Network Security Scanner has been updated to identify this
|vulnerability.
|
|Vendor Status:
|Symantec has released a patch for this vulnerability. The patch is
|available via the Symantec LiveUpdate service. For more information
|please refer to the Symantec security advisory.
|http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html
|
|Credit:
|Discovery: Barnaby Jack, Karl Lynn, Derek Soeder
|
|Related Links:
|Retina Network Security Scanner - Free 15 Day Trial
|http://www.eeye.com/html/Products/Retina/download.html
|
|Greetings:
|D12/2, Ink, AiC, "Screenshot guy"(tm), and we would also like to thank
|our contact Mike over at Symantec for being patient and cooperative
|throughout the reporting process.
|
|Copyright (c) 1998-2004 eEye Digital Security
|Permission is hereby granted for the redistribution of this alert
|electronically. It is not to be edited in any way without express
|consent of eEye. If you wish to reprint the whole or any part of this
|alert in any other medium excluding electronic medium, please email
|alert@...e.com for permission.
|
|Disclaimer
|The information within this paper may change without notice. Use of this
|information constitutes acceptance for use in an AS IS condition. There
|are no warranties, implied or express, with regard to this information.
|In no event shall the author be liable for any direct or indirect
|damages whatsoever arising out of or in connection with the use or
|spread of this information. Any use of this information is at the user's
|own risk.
|
|Feedback
|Please send suggestions, updates, and comments to:
|
|eEye Digital Security
|http://www.eEye.com
|info@...e.com
|
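As an added illustration (not part of the advisory or this thread), the following Python decoder shows how a DNS name parser avoids the loop the advisory describes: it only follows compression pointers that point strictly backwards, which rejects the self-referential `C0 0C` at offset 0x0C, and it caps the number of jumps. The packet bytes are constructed from the advisory's layout table; the function names are mine.

```python
import struct

# Constructed from the advisory's table: 12-byte header, then a compressed
# name pointer at offset 0x0C that points to offset 0x0C (itself).
SELF_LOOP_RESPONSE = bytes([
    0x12, 0x34,  0x80, 0x00,  0x00, 0x01,  0x00, 0x01,  # ID, flags (response), QD=1, AN=1
    0x00, 0x00,  0x00, 0x00,                            # NS=0, AR=0
    0xC0, 0x0C,                                         # pointer to itself
])

# Constructed well-formed counterpart: "www.example.com" in full at offset 12,
# then "mail" followed by a backward pointer to "example.com" at offset 16.
LEGIT_RESPONSE = (
    bytes([0x12, 0x34, 0x80, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00])
    + b"\x03www\x07example\x03com\x00"   # offsets 12..28
    + b"\x04mail\xC0\x10"                 # offsets 29..35, pointer -> 16
)

class MalformedName(ValueError):
    pass

def read_name(packet: bytes, offset: int, max_jumps: int = 16):
    """Decode a DNS name at `offset`; returns (dotted_name, offset_after_name)."""
    labels, jumps, end, pos = [], 0, None, offset
    while True:
        if pos >= len(packet):
            raise MalformedName("name runs past end of packet")
        length = packet[pos]
        if (length & 0xC0) == 0xC0:              # RFC 1035: top bits 11 = pointer
            if pos + 1 >= len(packet):
                raise MalformedName("truncated pointer")
            target = struct.unpack("!H", packet[pos:pos + 2])[0] & 0x3FFF
            if target >= pos:                    # self-reference or forward jump
                raise MalformedName(f"pointer at {pos} does not point backwards")
            jumps += 1
            if jumps > max_jumps:                # belt-and-braces bound on work
                raise MalformedName("too many compression pointers")
            if end is None:
                end = pos + 2                    # caller resumes after first pointer
            pos = target
            continue
        if length & 0xC0:                        # 0x40/0x80 are reserved, not pointers
            raise MalformedName(f"reserved label type 0x{length:02x}")
        pos += 1
        if length == 0:
            break
        if pos + length > len(packet):
            raise MalformedName("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)

def validate_question_name(packet: bytes):
    """Decode the first name after the 12-byte header; None if malformed."""
    try:
        return read_name(packet, 12)[0]
    except MalformedName:
        return None
```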

