Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery probe

[Lord Soth <hydrax () NETVISION NET IL>]

I don't think I understood what you just said.
AFAIK, when a daemon wants to bind a port that is already in use, it
can use the SO_REUSEADDR socket option to bind the port, even
if the port is still open.
Coudn't it be that named wasn't able to bind the port because it was
being run as nonprivileged ? After all, port 53 is a reserved port.
Either that, or I'm totally confused and way off :-)

LS

Ryan Sweat wrote:

>      When bind 8.2.x < 8.2.3 is exploited, with the exploits I have seen,
> the port (53) remains open even after the attacker logs off the box.  He may
> have attempted to restart  your named, but it couldn't bind to port 53
> because it was still "in use".  I suspect you are compromised.
>
> -ryan
>
> ----- Original Message -----
> From: "Pasquale Mauro Minervini" <j3rus4lem () USERS SOURCEFORGE NET>
> To: <VULN-DEV () SECURITYFOCUS COM>
> Sent: Sunday, March 25, 2001 1:20 AM
> Subject: Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with Iquery
> probe
>
> > > Hi,
> > >
> > > I have a bind. This BIND is a 8.2.2-P5 version which announces itself as
> being a V4 BIND.
> > > This BIND runs under a non privileged account.
> > >
> > > Regularly, attackers send a Iquery (as report by Snort signature) probe
> on it that crashes it.
> > > It the first curiosity : V8 BIND is not sensitive to Iquery attack as
> far as I know !
> > > Well, an automatic procedure detects this crash and relaunches it just
> after.
> > > By now, sorry, but I was not able to dump the full trace (snort refuses
> t
> > > Today, the scenario was different :
> > > BIND crashes as always just after the Iquery but
> > > somebody relaunches it just after the crash.
> > > AND this WITHOUT arguments -u and -g.
> > > That is to say, BIND was relaunched under the non-privileged account it
> uses to run under :
> > > according to the log, it was unable to bind to port 53 !
> > >
> > > Conclusion : I think it's possible to get a shell under BIND 8.2.2-P5
> and with a Iquery probe.
> > > Do someone be aware of such a vulnerability ?
> > >
> > > db
> > The latest 8.2.x secure release seems to be 8.2.3-REL, by the way nobody
> grants you that your box cannot be compromised. All the 8.x versions, i've
> read, are afflicted by a denial of service vulnerability that allows a
> 'malicious user' to fill your server's cache. This doesn't seems to be fixed
> in the 9.x versions, 'cause the daemon when there isn't no enough memory for
> the cache only stop to write on it. Anyway, prolly, there's a vulnerability
> discovered by one of my friends (a developer of the FreeBSD kernel) that
> affects currently all the 8.x and 9.x bind versions and i think something
> about that will be released in the next weeks/months.