Vulnerability Development mailing list archives
Re: Possible DOS in Bind 8.2.2-P5
From: Chris Tobkin <tobkin () INTERSEC COM>
Date: Tue, 14 Nov 2000 13:36:37 -0600
Shameless Plug: Links to two good articles at SecurityPortal are available at: http://www.interactiveinfosec.com/?openMenus=-1+10+60&selectedIndex=63 The links directly are: SecurityPortal, Jay Beale Foiling DNS Attacks (Nov. 2000) http://www.SecurityPortal.com/cover/coverstory20001113.html SecurityPortal, Sean Boran Hardening the BIND DNS Server (Oct. 2000) http://securityportal.com/cover/coverstory20001002.html // Chris tobkin () intersec com -----Original Message----- From: fire-eyes [mailto:sgtphou () FIRE-EYES YI ORG] Sent: Friday, November 10, 2000 6:17 PM To: VULN-DEV () SECURITYFOCUS COM Subject: Re: Possible DOS in Bind 8.2.2-P5 "Fabio Pietrosanti (naif)" wrote:
Hi, playing with bind and ZXFR feature ( zone transfer compressed with a
possible insecure
execlp("gzip", "gzip", NULL); ), i discovered a Denial Of Service against
Bind 8.2.2-P5 .
By default Bind 8.2.2-P5 it's not compiled with ZXFR support unless you
define it with #define BIND_ZXFR
so it will refuse any ZXFR transfer, because it doesn't support it. But now what appens? Look here... ################################ zone to transfer: zone.pippo.com dns server: dns.pippo.com 192.168.1.1 me: naif.gatesux.com 10.10.10.10 I send a Zone Trasnfer request using "-Z" switch with means that i wish to
use ZXFR.
dns.pippo.com does'nt support ZXFR and have "allow-transfer{}" not
configured, so everyone
could ask him for *.zone.pippo.com ... <naif@naif> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer -z
zone.pippo.com -d 9 -f pics -Z dns.pippo.com
named-xfer[29297]: send AXFR query 0 to 192.168.1.1 named-xfer[29297]: premature EOF, fetching "zone.pippo.com" On the server's log: Nov 7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from
[10.10.10.10].2284 for "zone.pippo.com"
Nov 7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR)
of "zone.pippo.com" (IN) to [10.10.10.10].2284
Then the server "*** CRASHED ***" . I should assume that bind 8.2.2-P5 it's vulnerable ( Please someone test
and confirm this kind of dos)
and bind-9.0.0 has no support for ZXFR .
<naif@naif> [~/bind] $ find src822p5/ -type f -exec grep -i zxfr \{\} ';'
| wc -l
234
<naif@naif> [~/bind] $ find bind-9.0.0/ -type f -exec grep -i zxfr \{\}
';' | wc -l
0 A lot of DNS Server are misconfigured, and allow zone-transfer to any, so
they are dossable...
naif naif () itapac net
I tried this on my bind 8.2.2-P5 on slackware linux 7.0.0 kernel 2.2.17
Intel p200 128M ram.
I tried this in two situations:
a) named started as 'named -u nobody'
1> This results in named being run as user nobody
b) named started as 'ndc start'
1> This results in named running as root, of course.
In neither of these situations did I find any problems after 10 minutes.
If you have other ways you would like me to try running the daemon, let
me know.
Also, I am rather new at bind. How might I go about denying *XFR's from
all but approved hosts?
Thank You
Joseph
Current thread:
- Re: Possible DOS in Bind 8.2.2-P5, (continued)
- Re: Possible DOS in Bind 8.2.2-P5 Paul A Vixie (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Daniel Roesen (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 fire-eyes (Nov 14)
- Re: Possible DOS in Bind 8.2.2-P5 Fernando Cardoso (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Luke Dudney (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Jonatan Sarba (Nov 14)
- Re: Possible DOS in Bind 8.2.2-P5 Peter Pentchev (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Johnson, Jeremiah (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Matt Zimmerman (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Peter Pentchev (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Paul Pot (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Chris Tobkin (Nov 15)