Full Disclosure mailing list archives

Re: bind-9.8.1 remote code exec exploit?

From: Fabian Wenk <fabian () wenks ch>
Date: Sat, 29 Oct 2011 16:05:58 +0200

Hello

On 29.10.2011 15:34, nix () myproxylists com wrote:

I've source compile of BIND 9.8.1 on the server.


Is this bind server used as authoritative server for some DNS 
domains? Or does your configuration allow to be queried from the 
whole internet for resolving?

I've been investigating weird iptables messages as follows:

Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29
LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060
LEN=94

I received a message from my ISP abuse that my server is scanning SIP port
5060 and I set the firewall rule to deny/log all UDP connections out of
the box to port 5060 to get timestamps for further investigation. This
happened before I set the firewall rule.


For me this above log messages looks like a regular answer from 
your DNS server to the client (or a resolving DNS server) running 
on the destination IP address.

A DNS request runs like this:
A client (or resolving DNS server) does a query through UDP from 
his source port 5060 (could be any other random port) to the 
server on port 53. As UDP is connectionless, the server is 
sending the answer back from his UDP port 53 to the destination 
port 5060.


bye
Fabian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

bind-9.8.1 remote code exec exploit? nix (Oct 29)
- Re: bind-9.8.1 remote code exec exploit? Fabian Wenk (Oct 29)
- Re: bind-9.8.1 remote code exec exploit? Alan J. Wylie (Oct 29)
  - Re: bind-9.8.1 remote code exec exploit? xD 0x41 (Oct 29)
- Re: bind-9.8.1 remote code exec exploit? Mark Andrews (Oct 31)
  - Re: bind-9.8.1 remote code exec exploit? nix (Oct 30)