
eEye.symantecNBNS2.txt
Posted May 13, 2004
Authored by Karl Lynn | Site eeye.com

eEye Security Advisory - eEye Digital Security has discovered a critical remote vulnerability within the Symantec firewall product line. There is a remote heap corruption vulnerability in SYMDNS.SYS, a driver that validates NetBIOS Name Service responses, which can lead to execution of arbitrary code for various Symantec products. Successful exploitation of this flaw yields remote kernel access to the system. Systems Affected: Symantec Norton Internet Security 2002/2003/2004, Symantec Norton Internet Security Professional 2002/2003/2004, Symantec Norton Personal Firewall 2002/2003/2004, Symantec Client Firewall 5.01/5.1.1, Symantec Client Security 1.0/1.1/2.0(SCF 7.1), and Symantec Norton AntiSpam 2004.

tags | advisory, remote, arbitrary, kernel
SHA-256 | bfe54b66a1fa04ed44f2d88c757986016681f5a3533be9a4667bf86c61c22664

Symantec Multiple Firewall NBNS Response Remote Heap Corruption

Release Date:
May 12, 2004

Date Reported:
April 19, 2004

Severity:
High (Remote Kernel Code Execution)

Vendor:
Symantec

Systems Affected:
Symantec Norton Internet Security 2002
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2004
Symantec Norton Internet Security Professional 2002
Symantec Norton Internet Security Professional 2003
Symantec Norton Internet Security Professional 2004
Symantec Norton Personal Firewall 2002
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2004
Symantec Client Firewall 5.01, 5.1.1
Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
Symantec Norton AntiSpam 2004

Description:
eEye Digital Security has discovered a critical remote vulnerability
within the Symantec firewall product line. There is a remote heap
corruption vulnerability in SYMDNS.SYS, a driver that validates NetBIOS
Name Service responses, which can lead to execution of arbitrary code
for various Symantec products. Successful exploitation of this flaw
yields remote kernel access to the system.

With the ability to freely execute code at the Ring 0 privilege level,
there are literally no boundaries for an attacker.

Technical Description:
This specific vulnerability exists within the SYMDNS.SYS driver. The
code in SYMDNS.SYS that validates NetBIOS Name Service responses (source
port UDP/137) does not perform proper bounds checking when reading
answer data from the packet. Because the byte order of each answer
resource record's type, class, time-to-live, and data length are
switched in-place within a copy of the packet, it is possible to corrupt
heap memory in such a way that can lead to the execution of arbitrary
code within the kernel.

The following is a sample NetBIOS Name Service response packet:

Offset   Size      Data          Description
-------  --------  ------------  --------------------------------
0000h    WORD      xx xx         Transaction ID
0002h    WORD      80 00         Flags
0004h    WORD      00 00         Number of questions
0006h    WORD      00 02         Number of answer RRs
0008h    WORD      xx xx         Number of authority RRs
000Ah    WORD      xx xx         Number of additional RRs
000Ch    BYTE      02            Length of name component
000Dh    2 CHARs   xx xx         First-level encoded name
000Fh    BYTE      00            No more name components
0010h*   WORD      xx xx         Answer RR: Type
0012h*   WORD      xx xx         Answer RR: Class
0014h*   DWORD     xx xx xx xx   Answer RR: Time-to-Live
0018h*   WORD      xx xx         Answer RR: Data Length

If the starred (*) fields are omitted from the packet, the vulnerable
code will swap bytes in the adjacent heap block's header. SYMDNS employs
a custom heap implementation which it maintains inside of large
ExAllocatePoolWithTag-allocated blocks of kernel memory, and uses heap
block header structures of the following format:

Offset   Size      Description
-------  --------  --------------------------------
0000h    PTR       pointer to next free block
0004h    PTR       pointer to previous free block
0008h    PTR       pointer to next block
000Ch    PTR       pointer to previous block
0010h    DWORD     size of data area of heap block
0014h    PTR       pointer to heap base address
0018h    DWORD     reference count (0 = free)
001Ch    DWORD     tag

With careful heap preparation, some specially-crafted packets, and a
modest amount of luck, it is possible to manipulate these and other heap
pointers in order to write arbitrary data to an arbitrary memory
location, which can then be leveraged in order to execute
attacker-supplied code. Because this is a kernel-mode heap-related
exploit, there will always be situations which will cause an
exploitation attempt to result in a blue-screen, but the odds of success
are definitely enough to qualify this as remote code execution, rather
than a remote denial-of-service.

By default, the NetBIOS Name Service is not allowed by the firewall but
is commonly used in a Windows networking environment.
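As an added illustration (not part of the eEye advisory or of Symantec's code), the bounds checks an NBNS response parser needs before it reads, or byte-swaps in place, the answer RR fields the advisory stars. Both sample packets are constructed; the second has the shape of the advisory's example, announcing two answer RRs while carrying none of the starred fields.

```python
import struct

class NbnsParseError(ValueError):
    """Raised when a packet is shorter than its own header claims."""

def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the length-prefixed name starting at off."""
    while off < len(pkt):
        length = pkt[off]
        if length == 0:                   # zero-length label ends the name
            return off + 1
        if length & 0xC0 == 0xC0 and off + 1 < len(pkt):  # compression pointer
            return off + 2
        off += 1 + length                 # length byte plus the label bytes
    raise NbnsParseError("name runs past end of packet")

def parse_nbns_response(pkt: bytes) -> dict:
    """Parse an NBNS response, confirming each field exists before reading it."""
    if len(pkt) < 12:
        raise NbnsParseError("header truncated")
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from(">6H", pkt, 0)
    if not flags & 0x8000 or qdcount:     # RFC 1002 responses: QR set, no question
        raise NbnsParseError("not a well-formed response header")
    off, answers = 12, []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        # The 10 fixed bytes are the advisory's starred fields: check, then read.
        if off + 10 > len(pkt):
            raise NbnsParseError("answer RR fixed fields missing")
        rtype, rclass, ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
        off += 10
        if off + rdlen > len(pkt):
            raise NbnsParseError("answer RDATA truncated")
        answers.append({"type": rtype, "class": rclass, "ttl": ttl,
                        "rdata": pkt[off:off + rdlen]})
        off += rdlen
    return {"txid": txid, "answers": answers}

def is_well_formed(pkt: bytes) -> bool:
    try:                                  # True only if every announced field is present
        parse_nbns_response(pkt)
        return True
    except NbnsParseError:
        return False

# Constructed samples (not captured traffic): a complete response with one NB
# record, and the advisory's shape: two answers announced, starred fields absent.
GOOD = (struct.pack(">6H", 0x1234, 0x8000, 0, 1, 0, 0) + b"\x02AB\x00"
        + struct.pack(">HHIH", 0x20, 1, 300, 6) + b"\x00\x00\xc0\x00\x02\x0a")
TRUNCATED = struct.pack(">6H", 0x1234, 0x8000, 0, 2, 0, 0) + b"\x02AB\x00"
```

A parser that swaps the type, class, TTL and data-length bytes before making the 10-byte check is reading past the packet into whatever follows it, which in the advisory's case is the adjacent heap block header.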

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Symantec has released a patch for this vulnerability. The patch is
available via the Symantec LiveUpdate service. For more information
please refer to the Symantec security advisory.
http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html

Credit:
Discovery: Karl Lynn

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/download.html

Greetings:
Kelly H., Derek "Tex" Soeder, the guys at CORE, and Estelle L.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com