Vulnerability Development mailing list archives
Re: Possible DOS in Bind 8.2.2-P5
From: fire-eyes <sgtphou () FIRE-EYES YI ORG>
Date: Fri, 10 Nov 2000 19:17:04 -0500
"Fabio Pietrosanti (naif)" wrote:
Hi, playing with bind and ZXFR feature ( zone transfer compressed with a possible insecure execlp("gzip", "gzip", NULL); ), i discovered a Denial Of Service against Bind 8.2.2-P5 . By default Bind 8.2.2-P5 it's not compiled with ZXFR support unless you define it with #define BIND_ZXFR so it will refuse any ZXFR transfer, because it doesn't support it. But now what appens? Look here... ################################ zone to transfer: zone.pippo.com dns server: dns.pippo.com 192.168.1.1 me: naif.gatesux.com 10.10.10.10 I send a Zone Trasnfer request using "-Z" switch with means that i wish to use ZXFR. dns.pippo.com does'nt support ZXFR and have "allow-transfer{}" not configured, so everyone could ask him for *.zone.pippo.com ... <naif@naif> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer -z zone.pippo.com -d 9 -f pics -Z dns.pippo.com named-xfer[29297]: send AXFR query 0 to 192.168.1.1 named-xfer[29297]: premature EOF, fetching "zone.pippo.com" On the server's log: Nov 7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com" Nov 7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to [10.10.10.10].2284 Then the server "*** CRASHED ***" . I should assume that bind 8.2.2-P5 it's vulnerable ( Please someone test and confirm this kind of dos) and bind-9.0.0 has no support for ZXFR . <naif@naif> [~/bind] $ find src822p5/ -type f -exec grep -i zxfr \{\} ';' | wc -l 234 <naif@naif> [~/bind] $ find bind-9.0.0/ -type f -exec grep -i zxfr \{\} ';' | wc -l 0 A lot of DNS Server are misconfigured, and allow zone-transfer to any, so they are dossable... naif naif () itapac net
I tried this on my bind 8.2.2-P5 on slackware linux 7.0.0 kernel 2.2.17 Intel p200 128M ram. I tried this in two situations: a) named started as 'named -u nobody' 1> This results in named being run as user nobody b) named started as 'ndc start' 1> This results in named running as root, of course. In neither of these situations did I find any problems after 10 minutes. If you have other ways you would like me to try running the daemon, let me know. Also, I am rather new at bind. How might I go about denying *XFR's from all but approved hosts? Thank You Joseph
Current thread:
- Possible DOS in Bind 8.2.2-P5 Fabio Pietrosanti (naif) (Nov 08)
- Re: Possible DOS in Bind 8.2.2-P5 Przemyslaw Frasunek (Nov 08)
- Re: Possible DOS in Bind 8.2.2-P5 Fabio Pietrosanti (naif) (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Tomasz Grabowski (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Guy Cohen (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Mariusz Marcinkiewicz (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 (my fault, sorry) Mariusz Marcinkiewicz (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Olaf Kirch (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Paul A Vixie (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Daniel Roesen (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 fire-eyes (Nov 14)
- <Possible follow-ups>
- Re: Possible DOS in Bind 8.2.2-P5 Fernando Cardoso (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Luke Dudney (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Jonatan Sarba (Nov 14)
- Re: Possible DOS in Bind 8.2.2-P5 Peter Pentchev (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Johnson, Jeremiah (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Matt Zimmerman (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Peter Pentchev (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Paul Pot (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Chris Tobkin (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Przemyslaw Frasunek (Nov 08)