Security Incidents mailing list archives
Re: DNS Bind
From: "jeremy () hq newdream net" <jeremy () HQ NEWDREAM NET>
Date: Wed, 31 Jan 2001 17:35:49 -0800
Here's a bit from the Covert Labs announcement: As you can see, it specifically states that it is "not dependent upon configuration options".

o Synopsis

BIND 8 contains a buffer overflow that allows a remote attacker to execute arbitrary code. The overflow is in the initial processing of a DNS request and therefore does not require an attacker to control an authoritative DNS server. In addition, the vulnerability is not dependent upon configuration options and affects both recursive and non-recursive servers. This vulnerability has been designated as CVE candidate CAN-2001-10.

gabriel rosenkoetter wrote:
On Wed, Jan 31, 2001 at 02:57:59PM -0700, Somaini, Justin wrote:

> Not that I'm aware of. DNS is not really my strongest suit so I have to rely upon our DNS guys. I believe that there needs to be an upgrade to fix the problem. If anyone disagrees please correct me.

I also don't know of anything to put in named.conf to make it ignore TSIG queries entirely (and, anyway, wouldn't this bug be tickled in the act of parsing the query before recognizing it as a TSIG and tossing it?). Anyway, you wouldn't want to... just because a query comes in signed and you don't bother paying attention doesn't mean you should drop the query (maybe someone else *insists* on using their signature... screwing this up would be akin to dumping every PGP-signed piece of mail because your mailer doesn't know what to do with the signature).

Really, everybody needs to upgrade (and, considering the fact that BIND8 isn't being audited, but just patched as more and more of these buffer overflows appear, everybody ought to upgrade to BIND9 now and be done with it), but if you keep named in a chroot, you're a bit better off (not much an intruder can do beyond access your plausibly private zones without so much as a compiler and no efficient way to transfer things into the chroot from outside).

> One thing to do is to change the version posting in the named.conf file. The scanner looking for sub 9.1 could be tricked. Actual attack failing of course.

Hrm. One more reason we should all have version "Surely, you must be joking."; in our options block... That's really not much help, though. The especially stupid script kiddies will just try this on every named they find running, BIND or otherwise. :^>

~ g r @ eclipsed.net
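The two hardening steps the thread mentions, the `version` override in the `options` block and running named in a chroot, as an added example that is not part of any message in this thread. The sample named.conf texts are constructed here, `CHROOT_DIR` and the `named` user are assumptions, and the `-t`/`-u` flags are the chroot and setuid options of named (BIND 8.2 and later, and BIND 9). As gabriel notes, masking the banner only confuses version scanners; it does not remove the overflow, and only upgrading does.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a named.conf text for a
# `version` directive inside options { ... } and shows the chroot launch.
# Sample configs are constructed; CHROOT_DIR and the named user are assumed.

# Constructed sample named.conf before hardening: banner is exposed.
SAMPLE_BEFORE='options {
    directory "/var/named";
};'

# Same config with the version string overridden in the options block.
SAMPLE_AFTER='options {
    directory "/var/named";
    version "Surely, you must be joking.";
};'

# Reads a named.conf on stdin; exits 0 if a version "..." directive sits
# inside the options { ... } block, 1 otherwise.
version_hidden() {
    awk '
        /^[[:space:]]*options[[:space:]]*[{]/ { inopts = 1 }
        inopts && /^[[:space:]]*version[[:space:]]+"[^"]*"[[:space:]]*;/ { found = 1 }
        inopts && /^[[:space:]]*[}][[:space:]]*;/ { inopts = 0 }
        END { exit found ? 0 : 1 }
    '
}

# Reports on a config passed as a string; returns 0 when the banner is hidden.
check_config() {
    if printf '%s\n' "$1" | version_hidden; then
        echo "version banner overridden in options {}"
        return 0
    fi
    echo "version banner exposed: add   version \"...\";   to options {}"
    return 1
}

# Starting named inside a chroot as an unprivileged user (assumed paths):
#   CHROOT_DIR=/chroot/named
#   named -u named -t "$CHROOT_DIR" -c /etc/named.conf
# With -t, the -c path is interpreted relative to the chroot directory, so
# the config, zone files and /dev/null must be copied inside it.
```

`check_config "$SAMPLE_AFTER"` returns 0 and `check_config "$SAMPLE_BEFORE"` returns 1, which makes the function usable in a config-lint step before named is restarted.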
Current thread:
- Re: DNS Bind jeremy () hq newdream net (Jan 31)
- <Possible follow-ups>
- Re: DNS Bind Mark Teicher (Feb 01)
- Re: DNS Bind Paul Doom (Feb 01)