Bugtraq mailing list archives
Re: SNI-12: BIND Vulnerabilities and Solutions (+ more problems)
From: johan () BORG SVENTECH COM (Johannes Erdfelt)
Date: Thu, 24 Apr 1997 01:41:11 -0400
On Wed, 23 Apr 1997, Michael K. Sanders wrote:
> In message <Pine.LNX.3.95.970422142917.16221A-100000 () borg sventech com>,
> Johannes Erdfelt writes:
>
> > Since SNI has released that paper and stole all of the thunder out of my
> > advisory, I'll post a couple of things in addition to their advisory.
> > There's a couple of things in this post and it's semi long.
>
> I don't know that I'd be too concerned about having all your thunder
> stolen... I'm reminded of the 5th USENIX UNIX Security Symposium.
>
> > There's a MUCH easier way of caching RR's. As long as the nameserver is
> > older than 4.9.5+P1, which is > 90% of the net. I explained it in a paper
> > I wrote last year. I sent it off to Paul Vixie to get a reply (and
> > possibly a patch) to the problem. The problem is basically this: BIND
> > will cache ANYTHING that it gets in the return packet. This advisory was
> > partially leaked to nanog and is known to have been leaked to a number
> > of other people. Here it is from my original advisory (complete with
> > spelling and grammar mistakes):
>
> ... so how is all of this different from Bellovin's original 1990 paper?
> <URL:http://penguin.cso.uiuc.edu/~lemson/securitysymp/session7.html>
> <URL:http://www.usenix.org/publications/library/proceedings/security95/bellovin.html>
Not much other than the fact that it's still present on the Internet. I was reminded by Gene Spafford that a student has written a thesis on the subject. All of the vulnerabilities that have been presented in the past 2 days have been known about. The main problem is that a large majority of name servers out there are vulnerable to the problem. SNI's advisory explains different problems, which, while known about, are STILL a problem even in the latest revision of BIND.

What I really neglected to mention (and forgot to quote) was that all of the problems have been known about. When I first wrote my advisory, I didn't know of the other research that has gone into BIND/DNS. I did find some information, however not nearly as much as has been pointed out to me since I made the original post.

When I sent the original email to Paul Vixie, I received a somewhat lukewarm reception, from which it would seem he had known of these problems beforehand. On Feb 14, I received this back from Paul Vixie after submitting the initial advisory:

    thanks for your note. i will have this looked into.

After a week, I sent some more email asking for some more information on the problem: if a patch had been developed, and when it would be released. This is the reply I received back from Bob Halley (another lead worker on BIND):

    "Recent releases of BIND (e.g. 4.9.5, the 8.1 test releases) have been
    doing more consistency and validity checking of the answer and authority
    sections. In response to your report, I've also added checking for the
    additional data section. This will eventually go out as a patch to 4.9.5,
    and will be in the next test release of 8.1.

    Until the DNS security extensions (e.g. digitally signed zone data using
    strong cryptography) are available and widely deployed, it is not possible
    to prevent a sufficiently determined attacker from adding RRs to the cache
    (at least for zones the server isn't authoritative for). The improvements
    we've been adding do make it harder. The improvements will also help
    protect against broken nameservers."

I assumed after this a patch would be out soon. After two months, there is still yet to be a patch. That was the main reason for the original post. For all intents and purposes, DNS on the Internet is run by BIND. Every version of BIND has had at least one serious security problem with it.

As time went on, I eventually came up with the same conclusions as SNI had and made an even more recent version of my advisory, warning that most of the Internet was still vulnerable. I waited for the patch that Bob Halley had alluded to to be released before I mentioned anything to that effect. As you can see by SNI's original post, this has caused a bit of an uproar. Basically, those other papers didn't exist. Although I have already conceded to the fact that my original search for any information was a little less than optimal, the majority of the Internet did not know of this particular vulnerability.

As an overview of my rambling: these problems are old, and they are known of. Not very many people knew of the problem. I was unaware at first of the problem; SNI was apparently unaware of the second problem I described. Apparently the workers of BIND were either a) unaware as well or b) didn't think it was necessary to release a patch to fix these problems. I'm not sure which it was, but it was still a problem up until yesterday.

JE
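The behaviour the post describes (a pre-4.9.5+P1 BIND caching every RR in a reply, including additional-section records the answering server has no authority over) and the section-checking fix Bob Halley mentions can be shown side by side with a small resolver-side filter. The following is an added example written for this archive page; it is not code from the original post and not BIND's own code. It builds a constructed DNS reply in wire format (names, addresses and TTLs are made up for the demonstration), parses it, and compares a cache that trusts everything with one that keeps only RRs whose owner name lies under the zone the server answered for (the "bailiwick" rule).

```python
"""Added example: trusting vs. bailiwick-checked caching of a DNS reply.

Not from the original post or from BIND. The reply, names and addresses
below are constructed for the demonstration.
"""
import struct

A, NS = 1, 2  # RR types used below

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a name at msg[off]; follows 0xC0 compression pointers too."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:          # compression pointer: 2 bytes, 14-bit offset
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2          # the name ends after the first pointer
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)

def rr(name, rtype, ttl, rdata):
    """One resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_reply(qname, answers, authority, additional, txid=0x1234):
    """Authoritative reply (QR=1, AA=1) for an A query, no name compression."""
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1,
                      len(answers), len(authority), len(additional))
    body = encode_name(qname) + struct.pack("!HH", A, 1)
    for section in (answers, authority, additional):
        for r in section:
            body += rr(*r)
    return hdr + body

def parse_reply(msg):
    """Return (qname, {'answer': [...], 'authority': [...], 'additional': [...]})."""
    _txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                           # skip QTYPE, QCLASS
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        recs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            recs.append((name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
        sections[key] = recs
    return qname, sections

def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)

def cache_trusting(sections):
    """Old behaviour: every RR from every section goes into the cache."""
    return {(n, t): rd for recs in sections.values() for n, t, _ttl, rd in recs}

def cache_checked(sections, zone):
    """Keep only RRs the answering server could legitimately speak for."""
    return {(n, t): rd for recs in sections.values()
            for n, t, _ttl, rd in recs if in_bailiwick(n, zone)}

def demo():
    zone = "example.net."
    # Constructed reply from example.net's server with an unrelated A record
    # for www.example.com smuggled into the additional section.
    reply = build_reply(
        "www.example.net.",
        answers=[("www.example.net.", A, 300, bytes([192, 0, 2, 10]))],
        authority=[("example.net.", NS, 300, encode_name("ns.example.net."))],
        additional=[("ns.example.net.", A, 300, bytes([192, 0, 2, 53])),
                    ("www.example.com.", A, 86400, bytes([203, 0, 113, 66]))],
    )
    _qname, sections = parse_reply(reply)
    return cache_trusting(sections), cache_checked(sections, zone)

if __name__ == "__main__":
    trusting, checked = demo()
    print("trusting cache:", sorted(trusting))
    print("checked cache: ", sorted(checked))
```

The trusting cache ends up holding an A record for www.example.com that the example.net server was never asked about and has no authority over; the checked cache drops it but keeps the in-zone glue. Note the caveat Halley gives: this kind of section checking only stops a server from planting records outside its own zone. A forged reply that spoofs the authoritative server for the zone itself still gets in, which is why he points to signed zone data as the real fix.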
Current thread:
- SNI-12: BIND Vulnerabilities and Solutions Oliver Friedrichs (Apr 22)
- Re: SNI-12: BIND Vulnerabilities and Solutions Peter Koch (Apr 23)
- Re: SNI-12: BIND Vulnerabilities and Solutions Paul A Vixie (Apr 23)
- Re: SNI-12: BIND Vulnerabilities and Solutions (+ more problems) Johannes Erdfelt (Apr 23)
- Re: SNI-12: BIND Vulnerabilities and Solutions (+ more problems) Gene Spafford (Apr 23)
- Re: SNI-12: BIND Vulnerabilities and Solutions (+ more problems) Michael K. Sanders (Apr 23)
- Re: SNI-12: BIND Vulnerabilities and Solutions (+ more problems) Johannes Erdfelt (Apr 23)
- Re: SNI-12: BIND Vulnerabilities and Solutions (+ more problems) Yiorgos Adamopoulos (Apr 24)
- Re: SNI-12: BIND Vulnerabilities and Solutions Peter Koch (Apr 23)
- Re: SNI-12: BIND Vulnerabilities and Solutions David Wagner (Apr 22)
- Re: SNI-12: BIND Vulnerabilities and Solutions Theo de Raadt (Apr 22)
- Re: SNI-12: BIND Vulnerabilities and Solutions David Wagner (Apr 23)