Security Incidents mailing list archives
Re: Bind 9.2.X exploit???
From: Jim Clausing <clausing () ieee org>
Date: Thu, 25 Jul 2002 13:22:23 -0400 (EDT)
Actually after analyzing this over on the handlers list, this
looks like the same TSIG exploit/NAI DoS from Jan 2001 with a few strings
modified in the source code. The exploit does not, in fact, actually work
against bind-9.2.1.
---Jim
On or about Thu, 25 Jul 2002, Patrick Andry pontificated thusly:
Probably an exploit based on this: (from http://www.isc.org/products/BIND/bind-security.html ) Name: "libbind buffer overflow" Versions affected: All versions of the stub resolver library from BIND 4 prior to 4.9.9. All versions of the stub resolver library from BIND 8 prior to 8.2.6. The stub resolver library from BIND version 8.3.0, 8.3.1, 8.3.2. The BIND 8 compatibility stub resolver library (NOT the lwres library) from BIND versions 9.2.0, 9.2.1. (Disabled by default in BIND 9, enabled if you added --enable-libbind to the configure statement) Severity: SERIOUS Exploitable: Remotely Type: Potential for execution of arbitrary code via buffer overflow. I don't think that you're seeing a 0-day exploit, but maybe someone at the ISC would want a copy of it to check it out. ilker g?vercin wrote:I found a tool on my compramised machine called bind9 and the source code is still there. its made by team teso bind9 Exploit by by scut of teso [http://teso.scene.at/]... Usage: ./bind remote_addr domainname target_id Targets: 0 - Linux RedHat 6.0 (9.2.x) 1 - Linux RedHat 6.2 (9.2.x) 2 - Linux RedHat 7.2 (9.2.x) 3 - Linux Slackware 8.0 (9.2.x) 4 - Linux Debian (all) (9.2.x) 5 - FreeBSD 3.4 (8.2.x) 6 - FreeBSD 3.5 (8.2.x) 7 - FreeBSD 4.x (8.2.x) Example usage: $ host -t ns domain.com domain.com name server dns1.domain.com $ ./bind9 dns1.domain.com domain.com 0 [..expl output..] I didnt test it; its workin or not. Anybody have knowlegde about this.Sorry for my poor english:) if anyone wanna test it I can send the source code. holy () linuxmail org ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Bind 9.2.X exploit??? güvercin (Jul 24)
- Re: Bind 9.2.X exploit??? Patrick Andry (Jul 25)
- Re: Bind 9.2.X exploit??? David Conrad (Jul 25)
- Re: Bind 9.2.X exploit??? Jim Clausing (Jul 25)
- Re: Bind 9.2.X exploit??? David Conrad (Jul 25)
- Surge of attacks on ports 61127 & 61134 Joseph (Jul 25)
- Re: Bind 9.2.X exploit??? Patrick Andry (Jul 25)
- Re: Bind 9.2.X exploit??? Alexandru Balan (Jul 26)
- Re: Bind 9.2.X exploit??? David Carmean (Jul 26)
- <Possible follow-ups>
- Re: Bind 9.2.X exploit??? Muhammad Faisal Rauf Danka (Jul 25)
- Re: Bind 9.2.X exploit??? Sebastian (Jul 25)