Vulnerability Development mailing list archives

Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe


From: "David R. Conrad" <david.conrad () NOMINUM COM>
Date: Mon, 12 Mar 2001 10:52:51 -0800

Hi,

As has been discussed on pretty much every security mailing list around and
even in the conventional press, BIND 8.2.2-P5 is not secure.

BIND 8.2, 8.2.1, and 8.2.2 (all patchlevels) are vulnerable to a buffer
overflow exploit due to improper handling of an error condition within
(ironically enough) the DNSSEC code contributed to ISC by Network
Associates.  All versions of BIND except 4.9.8, 8.2.3, and 9.* are
vulnerable to an information leak bug that permits the dumping of a stack
frame via a mis-formed IQUERY request.  As pointed out by Network
Associates' COVERT Labs, the IQUERY information leak bug can provide
information that helps in the implementation of the buffer overflow.  There
are scripts available at various underground sites that automate the attack.

If you need to run BIND, it would probably be a good idea to upgrade to
BIND 9 (which shares no code with BIND 8) or BIND 8.2.3 at your earliest
opportunity.

Rgds,
-drc

At 08:21 PM 3/9/2001 +0100, ml wrote:
Hi,

I have a BIND. This BIND is an 8.2.2-P5 version which announces itself as
being a V4 BIND.
This BIND runs under a non privileged account.

Regularly, attackers send an IQUERY probe (as reported by a Snort signature)
to it that crashes it.

That is the first curiosity: V8 BIND is not sensitive to the IQUERY attack as
far as I know!

Well, an automatic procedure detects this crash and relaunches it just after.


By now, sorry, but I was not able to dump the full trace (snort refuses t


Today, the scenario was different:
        BIND crashes as always just after the IQUERY, but
        somebody relaunches it just after the crash,
        AND this WITHOUT the -u and -g arguments.
        That is to say, BIND was relaunched under the non-privileged
        account it uses to run under:
        according to the log, it was unable to bind to port 53!

Conclusion: I think it's possible to get a shell under BIND 8.2.2-P5 with an
IQUERY probe.

Is someone aware of such a vulnerability?

db

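Both messages above turn on one thing a resolver sees on the wire: an inverse query, i.e. a DNS message whose header opcode is IQUERY (1). The following is an added example, not code from the thread or from ISC, showing how the standard 12-byte DNS header (RFC 1035 section 4.1.1) is parsed and how a detector in the spirit of the Snort signature mentioned by the original poster would flag such probes. The packet bytes and source addresses are constructed for the example; the function and constant names are the example's own.

```python
"""Flag DNS inverse queries (IQUERY, opcode 1) in raw UDP payloads.

Added example; not code from the original thread. The DNS header layout
follows RFC 1035 section 4.1.1, and the inverse-query message layout
(no question, one answer RR) follows RFC 1035 section 6.4.1. All sample
packets below are constructed for this example.
"""
import struct

OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
IQUERY = 1


def parse_dns_header(payload: bytes) -> dict:
    """Unpack the fixed 12-byte DNS header; raise on a short payload."""
    if len(payload) < 12:
        raise ValueError("DNS payload shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,          # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,    # 0 QUERY, 1 IQUERY, 2 STATUS
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels; '' or '.' is the root name."""
    name = name.strip(".")
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_message(ident: int, opcode: int, qdcount: int = 0,
                      ancount: int = 0, question: bytes = b"",
                      answer: bytes = b"") -> bytes:
    """Build a query-direction DNS message with the given opcode and sections."""
    flags = (opcode & 0xF) << 11       # QR=0, no other flag bits set
    header = struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)
    return header + question + answer


def is_iquery(payload: bytes) -> bool:
    """True for a query-direction message whose opcode is IQUERY."""
    h = parse_dns_header(payload)
    return h["qr"] == 0 and h["opcode"] == IQUERY


def find_iquery_probes(packets) -> list:
    """Return the source addresses of packets that carry an inverse query.

    `packets` is an iterable of (source_address, udp_payload) pairs.
    Payloads too short to hold a DNS header are skipped, not flagged.
    """
    hits = []
    for src, payload in packets:
        try:
            if is_iquery(payload):
                hits.append(src)
        except ValueError:
            continue
    return hits


# Constructed sample traffic (addresses from the RFC 5737 documentation range).
NORMAL_QUERY = build_dns_message(
    0x1234, 0, qdcount=1,
    question=encode_name("example.com") + struct.pack("!HH", 1, 1),  # A, IN
)
# RFC 1035 section 6.4.1 style inverse query: no question, one answer RR
# with the root owner name, type A, class IN, TTL 0, RDATA 10.1.0.52.
INVERSE_QUERY = build_dns_message(
    0xBEEF, IQUERY, ancount=1,
    answer=encode_name("") + struct.pack("!HHIH", 1, 1, 0, 4) + bytes([10, 1, 0, 52]),
)
TRUNCATED = b"\x00\x01\x08"  # too short to even hold a header

SAMPLE_PACKETS = [
    ("192.0.2.10", NORMAL_QUERY),
    ("192.0.2.20", INVERSE_QUERY),
    ("192.0.2.30", TRUNCATED),
]

if __name__ == "__main__":
    for src, payload in SAMPLE_PACKETS:
        try:
            h = parse_dns_header(payload)
            print(src, OPCODE_NAMES.get(h["opcode"], h["opcode"]), "flagged" if is_iquery(payload) else "")
        except ValueError as e:
            print(src, "skipped:", e)
    print("IQUERY probes from:", find_iquery_probes(SAMPLE_PACKETS))
```

The detector keys only on the opcode, which is exactly why it fires on every inverse query whether or not the payload is mis-formed: it tells you a probe arrived, not whether it succeeded, and the server log (the crash and restart the original poster describes) remains the evidence of impact.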
