UGN Security Forums UGN Security: Underground General Good thing I use a firewall to protect me from hackers!

Symantec Multiple Firewall Remote DNS KERNEL Overflow

Release Date:
May 12, 2004

Date Reported:
April 19, 2004

Severity:
High (Remote Kernel Access)

Vendor:
Symantec

Systems Affected:
Symantec Norton Internet Security 2002
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2004
Symantec Norton Internet Security Professional 2002
Symantec Norton Internet Security Professional 2003
Symantec Norton Internet Security Professional 2004
Symantec Norton Personal Firewall 2002
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2004
Symantec Client Firewall 5.01, 5.1.1
Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
Symantec Norton AntiSpam 2004

Description:
eEye Digital Security has discovered a critical remote vulnerability
within the Symantec firewall product line. A buffer overflow exists
within a core driver component that handles the processing of DNS
(Domain Name Service) requests and responses. By sending a DNS Resource
Record with an overly long canonical name, a traditional stack-based
buffer overflow is triggered. Successful exploitation of this flaw
yields remote KERNEL access to the system.

With the ability to freely execute code at the Ring 0 privilege level,
there are literally no boundaries for an attacker.

It should also be noted, that due to a separate design flaw in the
firewalls handling of incoming packets, this attack can be successfully
performed with all ports filtered, and all intrusion rules set.