Vulnerability Development mailing list archives

Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe


From: Ryan Sweat <h3xm3 () SWBELL NET>
Date: Sun, 25 Mar 2001 15:11:37 -0600

When BIND 8.2.x < 8.2.3 is exploited, with the exploits I have seen,
the port (53) remains open even after the attacker logs off the box.  He may
have attempted to restart your named, but it couldn't bind to port 53
because it was still "in use".  I suspect you are compromised.

-ryan
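An added check for the indicator Ryan describes (not part of his post): port 53 still held by something other than named after a crash, so a relaunched named fails with "address in use". It reads `ss -lnp`-style output, fed here from a constructed sample rather than a live host, and assumes the expected daemon name is `named`.

```shell
#!/bin/sh
# Added example: flag whatever holds port 53 when it is not the expected daemon.
# Input is `ss -lnp`-style text; the sample below is constructed, not captured.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          0.0.0.0:53       0.0.0.0:*     users:(("named",pid=812,fd=20))
tcp   LISTEN 0      128        0.0.0.0:53       0.0.0.0:*     users:(("sh",pid=4711,fd=3))
tcp   LISTEN 0      128        0.0.0.0:22       0.0.0.0:*     users:(("sshd",pid=640,fd=3))'

# port53_holders: read ss output on stdin, print "netid pid command" for every
# socket bound to local port 53 (IPv4 or IPv6; the header line is skipped).
port53_holders() {
    awk '$1 != "Netid" && $5 ~ /:53$/ {
        proc = $NF; comm = "?"; pid = "?"
        if (match(proc, /\("[^"]+"/)) comm = substr(proc, RSTART + 2, RLENGTH - 3)
        if (match(proc, /pid=[0-9]+/))  pid  = substr(proc, RSTART + 4, RLENGTH - 4)
        print $1, pid, comm
    }'
}

# unexpected_port53 [expected]: print holders whose command is not the expected
# daemon (default named) and return 0; return 1 when only named owns port 53.
# A stray "sh" here is the symptom in the thread: named cannot restart because
# the port is still in use by the process that took over its socket.
unexpected_port53() {
    expected=${1:-named}
    found=$(port53_holders | awk -v e="$expected" '$3 != e')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    return 1
}

# Stand-alone run against the constructed sample; on a live host use:
#   ss -lnp | unexpected_port53 && echo "port 53 held by unexpected process"
printf '%s\n' "$SAMPLE_SS" | unexpected_port53
```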

----- Original Message -----
From: "Pasquale Mauro Minervini" <j3rus4lem () USERS SOURCEFORGE NET>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, March 25, 2001 1:20 AM
Subject: Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery probe


Hi,

I have a BIND. This BIND is an 8.2.2-P5 version which announces itself as
being a V4 BIND.
This BIND runs under a non-privileged account.

Regularly, attackers send an Iquery probe (as reported by a Snort signature)
that crashes it.

It's the first curiosity: V8 BIND is not sensitive to the Iquery attack as
far as I know!

Well, an automatic procedure detects this crash and relaunches it just
after.


By now, sorry, but I was not able to dump the full trace (snort refuses
t


Today, the scenario was different:
BIND crashed as always just after the Iquery, but
somebody relaunched it just after the crash,
AND this WITHOUT the arguments -u and -g.
That is to say, BIND was relaunched under the non-privileged account it
uses to run under:
according to the log, it was unable to bind to port 53!

Conclusion: I think it's possible to get a shell under BIND 8.2.2-P5
with an Iquery probe.

Is someone aware of such a vulnerability?

db


The latest 8.2.x secure release seems to be 8.2.3-REL; by the way, nobody
guarantees you that your box cannot be compromised. All the 8.x versions, I've
read, are afflicted by a denial of service vulnerability that allows a
'malicious user' to fill your server's cache. This doesn't seem to be fixed
in the 9.x versions, 'cause the daemon, when there isn't enough memory for
the cache, only stops writing to it. Anyway, prolly, there's a vulnerability
discovered by one of my friends (a developer of the FreeBSD kernel) that
currently affects all the 8.x and 9.x BIND versions, and I think something
about that will be released in the next weeks/months.

