Security Incidents mailing list archives

RE: BIND 9.2.1 crashes


From: Benjamin Franz <snowhare () nihongo org>
Date: Mon, 6 Oct 2003 18:12:56 -0700 (PDT)

On Mon, 6 Oct 2003, LordInfidel wrote:

Not to sound like a broken record or ask a silly question, but what kernel
version are you running?

The RH7.3 box is running RH 2.4.20-20.7bigmem (RedHat's most recent kernel
release). It had FTP, HTTP/HTTPS, SMTP and DNS exposed to the outside and
SSH exposed internally.

The RH7.2 box is running RH 2.4.9-13enterprise (Yes it is very old, but I
have 'issues' that have kept me from upgrading it and no one but admins
here has shell access on it). It has ports 53, 80 and 443 exposed to the
general world and port 22 exposed only to our own networks.  Those are
enforced by an aggressive border router/FW.

 And do you have iptables/chains running on that box protecting the OS?

The RH7.3 system is behind a simple packet filtering FW (with plans for a
box level iptables based FW). The RH7.2 system is behind a separate
heavily paranoid iptables based firewall/router machine.

The attack venue may not have been bind but something else.  Bind
ceasing could have just been a side effect.

It is quite possible the attack vector only used DNS as an 'end-point'.  
Both have other network-facing services that can cause DNS queries. My
personal working theory at the moment is that something caused them to
make DNS queries that got _answers_ that were problematic.

-- 
Benjamin Franz


JMO

LordInfidel

-----Original Message-----
From: Benjamin Franz [mailto:snowhare () nihongo org]
Sent: Monday, October 06, 2003 1:18 PM
To: incidents () securityfocus com
Cc: Keith Bergen
Subject: Re: BIND 9.2.1 crashes


On Mon, 6 Oct 2003, Keith Bergen wrote:

Benjamin,

My paranoia always assumes a buffer overflow and compromise.
BIND 9.2.1 appears to be vulnerable to a buffer overflow. I
would recommend updating it. Typically the attackers will
exploit the overflow, and then install their rootkits. Then
they will disable the DNS so that you have to reboot the
machine, thus permanently installing their root kits.

Check out this page:
http://www.isc.org/products/BIND/bind-security.html

Thanks. RedHat backpatches fixes and the current version of 9.2.1
distributed by them is not vulnerable to the items listed there AFAIK. I
am, and have been, running the latest version of BIND distributed by RH.

This is not to say that a _new_ vulnerability may not have been found.  
This is why I posted this to Incidents - it feels like it could be a new 0
day.

Next, download the Root Kit Checker and compile and run it:
http://www.chkrootkit.org/

Done. Both machines checked out as clean according to it.



-- 
Jerry

Gauss's law is always true, but it is not always useful.
    -- David J. Griffiths, "Introduction to Electrodynamics"


