EEYE: Symantec Multiple Firewall Remote DNS KERNEL Overflow

From: Marc Maiffret (
Date: 05/13/04

  • Next message: Marc Maiffret: "EEYE: Symantec Multiple Firewall NBNS Response Remote Heap Corruption"
    Date: Wed, 12 May 2004 17:04:02 -0700

    Symantec Multiple Firewall Remote DNS KERNEL Overflow

    Release Date:
    May 12, 2004

    Date Reported:
    April 19, 2004

    Severity:
    High (Remote Kernel Access)


    Systems Affected:
    Symantec Norton Internet Security 2002
    Symantec Norton Internet Security 2003
    Symantec Norton Internet Security 2004
    Symantec Norton Internet Security Professional 2002
    Symantec Norton Internet Security Professional 2003
    Symantec Norton Internet Security Professional 2004
    Symantec Norton Personal Firewall 2002
    Symantec Norton Personal Firewall 2003
    Symantec Norton Personal Firewall 2004
    Symantec Client Firewall 5.01, 5.1.1
    Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
    Symantec Norton AntiSpam 2004

    eEye Digital Security has discovered a critical remote vulnerability
    within the Symantec firewall product line. A buffer overflow exists
    within a core driver component that handles the processing of DNS
    (Domain Name System) requests and responses. By sending a DNS Resource
    Record with an overly long canonical name, a traditional stack-based
    buffer overflow is triggered. Successful exploitation of this flaw
    yields remote KERNEL access to the system.

    With the ability to freely execute code at the Ring 0 privilege level,
    there are literally no boundaries for an attacker.

    It should also be noted that, due to a separate design flaw in the
    firewall's handling of incoming packets, this attack succeeds even with
    all ports filtered and all intrusion rules enabled.

    Technical Description:
    This vulnerability exists within the SYMDNS.SYS driver. The stack
    overflow arises from an implementation flaw in the routine that
    processes the CNAME field of incoming Resource Records. A canonical name
    is encoded as a series of labels terminated by a label of zero length.
    Each label consists of a one-byte length specifier followed by that many
    characters. A typical canonical name field has the following format:

    0x03 // length
    www  // label
    0x04 // length
    eEye // label
    0x03 // length
    com  // label
    0x00 // zero-length label terminating the name

    Each time the SYMDNS.SYS driver encounters a length field, it uses that
    value as a counter to copy the bytes that follow directly into a
    stack-based buffer. Because sanity checking of the total length of the
    CNAME field is inadequate, the routine accepts an arbitrarily long
    sequence of length specifiers and byte sequences. As it loops through
    each label, the bytes are concatenated into the same buffer, and an
    exploitable stack overflow in the KERNEL is reached.
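The label-walking logic described above, as an added example in C that is not eEye's or Symantec's code: unchecked_name_bytes models the flawed loop (it only reports how many bytes the unchecked concatenation would write, rather than overflowing anything), dns_decode_name is the bounds-checked version a driver should use, and the two build_ functions construct the sample records. The 64-byte DRIVER_BUF is an assumed size for illustration; the advisory gives no buffer size.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_MAX_LABEL 63   /* RFC 1035: a label is at most 63 octets */
#define DNS_MAX_NAME  255  /* RFC 1035: a whole name is at most 255 octets */
#define DRIVER_BUF    64   /* assumed stack buffer size (hypothetical, for the demo) */

/* Model of the flawed routine: every length byte becomes a copy counter and
 * the labels are concatenated with no bound on the running total. To stay in
 * defined behaviour this only returns how many bytes that loop would write;
 * compare the result with DRIVER_BUF to see the overflow. */
size_t unchecked_name_bytes(const uint8_t *rr, size_t rr_len)
{
    size_t pos = 0, written = 0;
    while (pos < rr_len) {
        uint8_t len = rr[pos++];
        if (len == 0) break;
        written += len;      /* unchecked: grows with every label */
        pos += len;
    }
    return written;
}

/* Bounds-checked decoder: wire labels -> dotted text in `out`. Returns the
 * number of wire bytes consumed, or -1 on malformed or oversize input.
 * Compression pointers are refused rather than followed. */
int dns_decode_name(const uint8_t *rr, size_t rr_len, char *out, size_t out_len)
{
    size_t pos = 0, written = 0, wire_total = 0;

    if (out_len == 0) return -1;
    for (;;) {
        if (pos >= rr_len) return -1;                 /* no terminating zero label */
        uint8_t len = rr[pos++];
        if (len == 0) break;                          /* root label ends the name */
        if (len > DNS_MAX_LABEL) return -1;           /* 64..255: pointer or reserved */
        if (len > rr_len - pos) return -1;            /* label runs past the record */

        wire_total += 1 + len;                        /* length byte + characters */
        if (wire_total + 1 > DNS_MAX_NAME) return -1; /* +1 for the root label */

        size_t need = written + (written ? 1 : 0) + len + 1; /* '.' + label + NUL */
        if (need > out_len) return -1;                /* would overflow `out` */

        if (written) out[written++] = '.';
        memcpy(out + written, rr + pos, len);
        written += len;
        pos += len;
    }
    out[written] = '\0';
    return (int)pos;
}

/* Constructed benign record from C-string labels. Returns wire length, 0 on error. */
size_t build_wire_name(const char *const *labels, size_t count, uint8_t *buf, size_t buf_len)
{
    size_t pos = 0;
    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(labels[i]);
        if (len > 255 || len + 2 > buf_len - pos) return 0;
        buf[pos++] = (uint8_t)len;
        memcpy(buf + pos, labels[i], len);
        pos += len;
    }
    buf[pos++] = 0;
    return pos;
}

/* Constructed hostile record: `count` labels of `label_len` bytes each. Each
 * length byte looks harmless on its own; only the concatenated total is not. */
size_t build_overlong_name(uint8_t *buf, size_t buf_len, size_t count, uint8_t label_len)
{
    size_t pos = 0;
    for (size_t i = 0; i < count; i++) {
        if ((size_t)label_len + 2 > buf_len - pos) return 0;
        buf[pos++] = label_len;
        memset(buf + pos, 'A', label_len);
        pos += label_len;
    }
    buf[pos++] = 0;
    return pos;
}

int main(void)
{
    uint8_t wire[2048];
    char text[256];
    const char *benign[] = { "www", "eEye", "com" };

    size_t n = build_wire_name(benign, 3, wire, sizeof wire);
    int used = dns_decode_name(wire, n, text, sizeof text);
    printf("benign : %zu wire bytes, decoder consumed %d -> \"%s\"\n", n, used, text);

    n = build_overlong_name(wire, sizeof wire, 20, 60);
    printf("hostile: flawed loop would write %zu bytes into a %d-byte buffer\n",
           unchecked_name_bytes(wire, n), DRIVER_BUF);
    printf("hostile: checked decoder returns %d\n", dns_decode_name(wire, n, text, sizeof text));
    return 0;
}
```

The hostile record uses twenty 60-byte labels: every individual length byte passes a per-label check, which is why the driver's loop keeps copying, while the checked decoder stops as soon as the running total exceeds the 255-octet name limit or the caller's buffer.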

    A separate design flaw allows this attack to succeed with the firewall
    running in its most locked-down state: the firewall accepts any packet
    with a source port of 53, regardless of port filtering.

    The fact that this vulnerability is exploitable over UDP, where no
    handshake is required and the source address and port are trivially
    spoofed, adds another serious layer to an already critical flaw.
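The source-port-53 design flaw beside the check a filter should make, as an added example in C that is not Symantec's code: accept_weak admits any datagram from port 53, while accept_stateful admits a port-53 datagram only when it matches a query the host actually sent. The packet and query structures, the pending-query table and the sample addresses are constructed for the demo and are not taken from the product.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MAX_PENDING 16

/* The fields of an inbound UDP datagram that the filter decision needs. */
struct udp_pkt {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint16_t dns_txid;       /* first two bytes of the DNS payload */
};

/* One outstanding query this host sent; the only thing a reply may match. */
struct dns_query {
    uint32_t server_ip;
    uint16_t local_port;
    uint16_t txid;
    int      in_use;
};

/* Weak rule of the kind the advisory describes: source port 53 alone is taken
 * as proof that the datagram is a DNS reply, so it bypasses port filtering. */
int accept_weak(const struct udp_pkt *p)
{
    return p->src_port == 53;
}

/* Record an outbound query on the egress path. Returns 0 if the table is full. */
int track_query(struct dns_query *pending, size_t n,
                uint32_t server_ip, uint16_t local_port, uint16_t txid)
{
    for (size_t i = 0; i < n; i++) {
        if (!pending[i].in_use) {
            pending[i] = (struct dns_query){ server_ip, local_port, txid, 1 };
            return 1;
        }
    }
    return 0;
}

/* Stateful rule: a datagram from port 53 is accepted only if it answers a
 * query this host actually sent (same server, local port and transaction ID),
 * and the entry is consumed so an unsolicited or replayed reply is dropped. */
int accept_stateful(const struct udp_pkt *p, struct dns_query *pending, size_t n)
{
    if (p->src_port != 53) return 0;
    for (size_t i = 0; i < n; i++) {
        struct dns_query *q = &pending[i];
        if (q->in_use && q->server_ip == p->src_ip &&
            q->local_port == p->dst_port && q->txid == p->dns_txid) {
            q->in_use = 0;
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    struct dns_query pending[MAX_PENDING];
    memset(pending, 0, sizeof pending);

    /* Constructed: an unsolicited datagram spoofed from source port 53, which
     * is all the attack in the advisory needs to reach the vulnerable driver. */
    struct udp_pkt spoof = { IPV4(203,0,113,9), IPV4(192,0,2,10), 53, 1234, 0x4242 };
    printf("spoofed port-53 datagram: weak=%d stateful=%d\n",
           accept_weak(&spoof), accept_stateful(&spoof, pending, MAX_PENDING));

    /* Constructed: a real lookup, then the matching reply. */
    track_query(pending, MAX_PENDING, IPV4(192,0,2,53), 40000, 0x1a2b);
    struct udp_pkt reply = { IPV4(192,0,2,53), IPV4(192,0,2,10), 53, 40000, 0x1a2b };
    printf("genuine reply: weak=%d stateful=%d\n",
           accept_weak(&reply), accept_stateful(&reply, pending, MAX_PENDING));
    return 0;
}
```

With an empty pending table the stateful rule drops everything from port 53, which is the behaviour a fully filtered host should have; the weak rule lets the spoofed datagram straight through to the DNS driver.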

    Retina Network Security Scanner has been updated to identify this

    Vendor Status:
    Symantec has released a patch for this vulnerability. The patch is
    available via the Symantec LiveUpdate service. For more information
    please refer to the Symantec security advisory.

    Discovery: Barnaby Jack and Karl Lynn

    Related Links:
    Retina Network Security Scanner - Free 15 Day Trial

    R Hassell (aka Gilligan), the NZ crew, Gary Golomb, Rich Walchuck, Jason
    Dameron, Sam Stover, Matt Dickerson, and Kelly H.

    Copyright (c) 1998-2004 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express
    consent of eEye. If you wish to reprint the whole or any part of this
    alert in any other medium excluding electronic medium, please email for permission.

    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There
    are no warranties, implied or express, with regard to this information.
    In no event shall the author be liable for any direct or indirect
    damages whatsoever arising out of or in connection with the use or
    spread of this information. Any use of this information is at the user's
    own risk.

    Please send suggestions, updates, and comments to:

    eEye Digital Security
