Vulnerability Development mailing list archives

Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe


From: Pasquale Mauro Minervini <j3rus4lem () USERS SOURCEFORGE NET>
Date: Sun, 25 Mar 2001 07:20:48 -0000

Hi,

I have a BIND. This BIND is version 8.2.2-P5, which announces itself as a V4 BIND.
This BIND runs under a non privileged account.

Regularly, attackers send an Iquery probe (as reported by a Snort signature) to it that crashes it.

That is the first curiosity: V8 BIND is not sensitive to the Iquery attack as far as I know!

Well, an automatic procedure detects this crash and relaunches it right afterwards.


By now, sorry, but I was not able to dump the full trace (snort refuses t


Today, the scenario was different:
      BIND crashes as always just after the Iquery, but
      somebody relaunches it just after the crash,
      AND this WITHOUT the arguments -u and -g.
      That is to say, BIND was relaunched under the non-privileged account it uses to run under:
      according to the log, it was unable to bind to port 53!

Conclusion: I think it's possible to get a shell under BIND 8.2.2-P5 with an Iquery probe.

Is anyone aware of such a vulnerability?

db
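As an added defender-side illustration (not part of this thread, nor BIND's or Snort's own code), a small log-correlation check for the pattern db describes: a named crash shortly after a Snort Iquery alert, a relaunch by something other than the watchdog, a command line missing -u/-g, and the failed bind to port 53. The syslog layout, the Snort message text and the "relaunched named:" line written by the watchdog are constructed assumptions, not BIND 8's or Snort's real output.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style sample for this example (not from the original post).
# The message texts, and the assumption that whatever launches named logs its
# full command line, are assumptions for the example, not BIND 8's real format.
SAMPLE_LOG = """\
Mar 25 06:58:01 ns1 snort[411]: DNS named iquery attempt 198.51.100.7 -> 192.0.2.53
Mar 25 06:58:02 ns1 named[1204]: exiting (due to fatal error)
Mar 25 06:58:05 ns1 watchdog[77]: relaunched named: named -u named -g named
Mar 25 07:10:40 ns1 snort[411]: DNS named iquery attempt 198.51.100.7 -> 192.0.2.53
Mar 25 07:10:41 ns1 named[1301]: exiting (due to fatal error)
Mar 25 07:10:44 ns1 sh[1370]: relaunched named: named
Mar 25 07:10:44 ns1 named[1377]: bind([0.0.0.0].53): Permission denied
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\S+)\[\d+\]: (.*)$")
LAUNCH_RE = re.compile(r"^relaunched named: (.*)$")
WINDOW = timedelta(seconds=30)   # a crash this soon after an Iquery alert is correlated

def parse_ts(ts):
    # Syslog lines carry no year; any fixed year keeps the ordering right.
    return datetime.strptime("2001 " + ts, "%Y %b %d %H:%M:%S")

def audit_named_log(text, launcher="watchdog", required=("-u", "-g")):
    """Return (finding, evidence) pairs for the crash-and-relaunch pattern."""
    findings, last_iquery = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, prog, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        if prog == "snort" and "iquery" in msg.lower():
            last_iquery = ts                      # remember the probe
        elif prog == "named" and msg.startswith("exiting"):
            if last_iquery is not None and ts - last_iquery <= WINDOW:
                findings.append(("crash_after_iquery", line))
        elif prog == "named" and "Permission denied" in msg and ".53)" in msg:
            findings.append(("port53_bind_failed", line))   # unprivileged relaunch symptom
        elif (lm := LAUNCH_RE.match(msg)):
            argv = lm.group(1).split()
            if prog != launcher:                  # someone other than the watchdog started it
                findings.append(("relaunch_not_by_watchdog", f"{prog}: {lm.group(1)}"))
            missing = [a for a in required if a not in argv]
            if missing:                           # no privilege-drop flags on the command line
                findings.append(("relaunch_without_privilege_drop", " ".join(missing)))
    return findings
```

Run `audit_named_log(SAMPLE_LOG)` to see the five findings the sample produces; feed it a real syslog slice once the message patterns are adjusted to your own watchdog and Snort rule text.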


The latest 8.2.x secure release seems to be 8.2.3-REL; by the way, nobody guarantees you that your box cannot be 
compromised. All the 8.x versions, I've read, are afflicted by a denial of service vulnerability that allows a 
'malicious user' to fill your server's cache. This doesn't seem to be fixed in the 9.x versions, because when there 
isn't enough memory for the cache the daemon only stops writing to it. Anyway, probably there's a vulnerability 
discovered by one of my friends (a developer of the FreeBSD kernel) that currently affects all the 8.x and 9.x BIND 
versions, and I think something about that will be released in the next weeks/months.

