Bugtraq mailing list archives

Re: BIND 8.2.2-P5 Possible DOS


From: "L. Adrian Griffis" <dt26453 () dstsystems com>
Date: Thu, 9 Nov 2000 09:40:07 -0600

On Wed, 8 Nov 2000, Jeroen Ruigrok/Asmodai wrote:

> -On [20001108 19:01], Fabio Pietrosanti (naif) (fabio () TELEMAIL IT) wrote:
> > playing with bind and ZXFR feature (zone transfer compressed with a
> > possible insecure execlp("gzip", "gzip", NULL);), I discovered a
> > Denial Of Service against Bind 8.2.2-P5.
>
> Data points:
>
> FreeBSD 4-STABLE and 5-CURRENT with BIND 8.2.3-T5B and T6B plus aa_patch
> and the described `DoS/exploit' will not work.  The logs show that it
> got a zone transfer type which was unsupported, but the named just keeps
> on ticking.
>
> Solaris with BIND 8.2.2-p5 has no problems as well.  And I am betting
> money on it that BIND 8.2.2-p5 will not fail under FreeBSD as well.
>
> Personally I think it will not cause problems on a lot of systems, aside
> from spurious log entries.

I urge you not to read too much into these data (specifically the systems
that did not crash).  Another message mentions that sometimes the daemon
operates normally for a while before it crashes.  This is very normal for
failures to check the validity of returned pointers and programming
errors that lead to overruns of allocated memory.  It may be that on the
systems that didn't crash, some damage has still been done, but the layout
of memory is such that it is less likely in this case to terminate the
program.  More importantly, this leaves open the possibility that an
exploitable bug exists, even on those platforms for which bind didn't
crash.

Adrian
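
The point about memory layout in the message above, as an added example that is not part of the original post and is not BIND code: a constructed C model in which the same unchecked write is applied to two layouts of one arena. The struct, function names, sizes and canary value are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ARENA  64
#define CANARY 0xA5
#define OBJ    "\x11\x22\x33\x44"   /* constructed neighbouring object */

/* Constructed model: a cap-byte buffer at offset 0, then gap bytes of
 * allocator slack (canary-filled), then the 4-byte neighbouring object. */
struct layout { uint8_t mem[ARENA]; size_t cap, gap; };

static void layout_init(struct layout *l, size_t cap, size_t gap) {
    memset(l->mem, 0, ARENA);
    l->cap = cap; l->gap = gap;
    memset(l->mem + cap, CANARY, gap);
    memcpy(l->mem + cap + gap, OBJ, 4);
}

/* The bug: n is never checked against cap (the ARENA clamp only bounds the model). */
static void unchecked_write(struct layout *l, const uint8_t *src, size_t n) {
    memcpy(l->mem, src, n > ARENA ? ARENA : n);
}

/* What an outside observer sees: is the neighbour still what it was? */
static int neighbour_intact(const struct layout *l) {
    return memcmp(l->mem + l->cap + l->gap, OBJ, 4) == 0;
}

/* What an integrity check sees: was any byte past cap touched? */
static int slack_intact(const struct layout *l) {
    for (size_t i = 0; i < l->gap; i++)
        if (l->mem[l->cap + i] != CANARY) return 0;
    return 1;
}

/* Returns bit 0 = neighbour intact, bit 1 = slack canary intact. */
static int run_case(size_t cap, size_t gap, size_t n) {
    struct layout l;
    uint8_t input[ARENA];
    memset(input, 'A', sizeof input);
    layout_init(&l, cap, gap);
    unchecked_write(&l, input, n);
    return neighbour_intact(&l) | (slack_intact(&l) << 1);
}

int main(void) {
    printf("in-bounds=%d padded=%d tight=%d\n",
           run_case(16, 8, 16), run_case(16, 8, 20), run_case(16, 2, 20));
    return 0;
}
```

A result of 1 is the case the message describes: bytes past the buffer were overwritten, yet the neighbouring object is unchanged and nothing observable went wrong. Only the canary check distinguishes it from the clean run (3).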

