Security Incidents mailing list archives
Re: Bind 9.2.X exploit???
From: Patrick Andry <pandry () wolverinefreight ca>
Date: Thu, 25 Jul 2002 07:11:00 -0400
Probably an exploit based on this: (from http://www.isc.org/products/BIND/bind-security.html ) Name: "libbind buffer overflow"Versions affected: All versions of the stub resolver library from BIND 4 prior to 4.9.9.
All versions of the stub resolver library from BIND 8 prior to 8.2.6. The stub resolver library from BIND version 8.3.0, 8.3.1, 8.3.2.The BIND 8 compatibility stub resolver library (NOT the lwres library) from BIND versions 9.2.0, 9.2.1. (Disabled by default in BIND 9, enabled if you added --enable-libbind to the configure statement)
Severity: SERIOUS Exploitable: Remotely Type: Potential for execution of arbitrary code via buffer overflow.I don't think that you're seeing a 0-day exploit, but maybe someone at the ISC would want a copy of it to check it out.
ilker güvercin wrote:
I found a tool on my compramised machine called bind9 and the source code is still there. its made by team teso bind9 Exploit by by scut of teso [http://teso.scene.at/]...Usage: ./bind remote_addr domainname target_id Targets: 0 - Linux RedHat 6.0 (9.2.x) 1 - Linux RedHat 6.2 (9.2.x) 2 - Linux RedHat 7.2 (9.2.x) 3 - Linux Slackware 8.0 (9.2.x) 4 - Linux Debian (all) (9.2.x) 5 - FreeBSD 3.4 (8.2.x) 6 - FreeBSD 3.5 (8.2.x) 7 - FreeBSD 4.x (8.2.x) Example usage: $ host -t ns domain.com domain.com name server dns1.domain.com $ ./bind9 dns1.domain.com domain.com 0 [..expl output..] I didnt test it; its workin or not.Anybody have knowlegde about this.Sorry for my poor english:)if anyone wanna test it I can send the source code. holy () linuxmail org ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service.For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service.For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Bind 9.2.X exploit??? güvercin (Jul 24)
- Re: Bind 9.2.X exploit??? Patrick Andry (Jul 25)
- Re: Bind 9.2.X exploit??? David Conrad (Jul 25)
- Re: Bind 9.2.X exploit??? Jim Clausing (Jul 25)
- Re: Bind 9.2.X exploit??? David Conrad (Jul 25)
- Surge of attacks on ports 61127 & 61134 Joseph (Jul 25)
- Re: Bind 9.2.X exploit??? Patrick Andry (Jul 25)
- Re: Bind 9.2.X exploit??? Alexandru Balan (Jul 26)
- Re: Bind 9.2.X exploit??? David Carmean (Jul 26)
- <Possible follow-ups>
- Re: Bind 9.2.X exploit??? Muhammad Faisal Rauf Danka (Jul 25)
- Re: Bind 9.2.X exploit??? Sebastian (Jul 25)