Vulnerability Development mailing list archives
Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe
From: Pasquale Mauro Minervini <j3rus4lem () USERS SOURCEFORGE NET>
Date: Sun, 25 Mar 2001 07:20:48 -0000
Hi, I have a bind. This BIND is a 8.2.2-P5 version which announces itself as being a V4 BIND. This BIND runs under a non privileged account. Regularly, attackers send a Iquery (as report by Snort signature) probe on it that crashes it. It the first curiosity : V8 BIND is not sensitive to Iquery attack as far as I know ! Well, an automatic procedure detects this crash and relaunches it just after. By now, sorry, but I was not able to dump the full trace (snort refuses t Today, the scenario was different : BIND crashes as always just after the Iquery but somebody relaunches it just after the crash. AND this WITHOUT arguments -u and -g. That is to say, BIND was relaunched under the non-privileged account it uses to run under : according to the log, it was unable to bind to port 53 ! Conclusion : I think it's possible to get a shell under BIND 8.2.2-P5 and with a Iquery probe. Do someone be aware of such a vulnerability ? db
The latest 8.2.x secure release seems to be 8.2.3-REL, by the way nobody grants you that your box cannot be compromised. All the 8.x versions, i've read, are afflicted by a denial of service vulnerability that allows a 'malicious user' to fill your server's cache. This doesn't seems to be fixed in the 9.x versions, 'cause the daemon when there isn't no enough memory for the cache only stop to write on it. Anyway, prolly, there's a vulnerability discovered by one of my friends (a developer of the FreeBSD kernel) that affects currently all the 8.x and 9.x bind versions and i think something about that will be released in the next weeks/months.
Current thread:
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe Pasquale Mauro Minervini (Mar 25)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe Ryan Sweat (Mar 25)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery probe Lord Soth (Mar 28)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery probe Ryan Sweat (Mar 28)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIqueryprobe Lord Soth (Mar 28)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery probe olle (Mar 28)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery probe warning3 (Mar 29)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery probe Lord Soth (Mar 28)
- Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe Ryan Sweat (Mar 25)