Bugtraq mailing list archives
fingerprinting BIND 9.1.0
From: Max Vision <vision () WHITEHATS COM>
Date: Mon, 29 Jan 2001 15:50:31 -0800
Hi,

The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded chaos record called "authors". So now even if an admin changes or suppresses their version reply string, a remote user can still determine whether the server is running BIND 9.x.

With the recent discovery of the tsig bug in BIND there will probably be a huge rise in version queries. Some attackers may remove ambiguity by skipping servers that reply to authors.bind (inferring that it's bind 9.1.0 and not vulnerable).

  % dig @ns.example.com authors.bind chaos txt

or

  % nslookup -q=txt -class=CHAOS authors.bind. ns.example.com
  Server: ns.example.com
  Address: 23.23.23.23

  authors.bind text = "Bob Halley"
  authors.bind text = "Mark Andrews"
  authors.bind text = "James Brister"
  authors.bind text = "Michael Graff"
  authors.bind text = "David Lawrence"
  authors.bind text = "Michael Sawyer"
  authors.bind text = "Brian Wellington"
  authors.bind text = "Andreas Gustafsson"

The following Snort signature will detect these probes:

  alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS480/named-probe-authors"; content: "|07|authors|04|bind"; depth: 32; offset: 12; nocase;)

http://whitehats.com/info/IDS480

Max
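Added example, not part of the original post and not the author's code: the signature above matches the bytes of "authors.bind" at the start of the question section, so an IN-class query for a name such as authors.bind.example.com also triggers it. The Python sketch below parses the question of a UDP DNS payload and flags only CHAOS-class queries whose full name is authors.bind; the function names and the sample queries built by `build_query` are constructed for illustration.

```python
import struct

CLASS_CH = 3    # CHAOS class
TYPE_TXT = 16

def build_query(name, qtype, qclass, txid=0x1234):
    """Constructed sample input: a one-question DNS query payload."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

def parse_question(payload):
    """Return (lowercased name, qtype, qclass) of the first question, or None."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:      # a response, or no question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None                    # ran off the end of the packet
        n = payload[pos]
        pos += 1
        if n == 0:                         # root label ends the name
            break
        if n > 63 or pos + n > len(payload):
            return None                    # compression pointer or truncated label
        labels.append(payload[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def is_authors_probe(payload):
    """True for a CHAOS-class query whose full name is authors.bind."""
    q = parse_question(payload)
    return q is not None and q[0] == "authors.bind" and q[2] == CLASS_CH

if __name__ == "__main__":
    for name, qclass in [("authors.bind", 3), ("authors.bind.example.com", 1)]:
        print(name, qclass, is_authors_probe(build_query(name, TYPE_TXT, qclass)))
```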