Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery probe

[Ryan Sweat <h3xm3 () SWBELL NET>]

     I'm not sure of the technicalities of it, but I have seen it.  Let me
correct myself here.  When named is exploited, and a user starts a
background process while in the "exploit terminal",  after logging out port
53 will remain open and lsof shows it being owned by the corresponding
background process.  When named is attempted to restart, it will give an
error stating that the "Port is in use" and the interface gets deleted
(named ceases to listen on that port). I cannot explain this behaviour,
maybe somone else on the list has more experience.

-Ryan

----- Original Message -----
From: "Lord Soth" <hydrax () netvision net il>
To: "Ryan Sweat" <h3xm3 () SWBELL NET>
Cc: <VULN-DEV () securityfocus com>
Sent: Monday, March 26, 2001 4:35 PM
Subject: Re: BEWARE : Possible compromission under BIND 8.2.2-P5 withIquery
probe


> I don't think I understood what you just said.
> AFAIK, when a daemon wants to bind a port that is already in use, it
> can use the SO_REUSEADDR socket option to bind the port, even
> if the port is still open.
> Coudn't it be that named wasn't able to bind the port because it was
> being run as nonprivileged ? After all, port 53 is a reserved port.
> Either that, or I'm totally confused and way off :-)
>
> LS
>
> Ryan Sweat wrote:
>
> >      When bind 8.2.x < 8.2.3 is exploited, with the exploits I have
seen,
> > the port (53) remains open even after the attacker logs off the box.  He
may
> > have attempted to restart  your named, but it couldn't bind to port 53
> > because it was still "in use".  I suspect you are compromised.
> >
> > -ryan
> >
> > ----- Original Message -----
> > From: "Pasquale Mauro Minervini" <j3rus4lem () USERS SOURCEFORGE NET>
> > To: <VULN-DEV () SECURITYFOCUS COM>
> > Sent: Sunday, March 25, 2001 1:20 AM
> > Subject: Re: BEWARE : Possible compromission under BIND 8.2.2-P5 with
Iquery
> > probe
> >
> > > > Hi,
> > > >
> > > > I have a bind. This BIND is a 8.2.2-P5 version which announces
itself as
> > being a V4 BIND.
> > > > This BIND runs under a non privileged account.
> > > >
> > > > Regularly, attackers send a Iquery (as report by Snort signature)
probe
> > on it that crashes it.
> > > > It the first curiosity : V8 BIND is not sensitive to Iquery attack
as
> > far as I know !
> > > > Well, an automatic procedure detects this crash and relaunches it
just
> > after.
> > > > By now, sorry, but I was not able to dump the full trace (snort
refuses
> > t
> > > > Today, the scenario was different :
> > > > BIND crashes as always just after the Iquery but
> > > > somebody relaunches it just after the crash.
> > > > AND this WITHOUT arguments -u and -g.
> > > > That is to say, BIND was relaunched under the non-privileged account
it
> > uses to run under :
> > > > according to the log, it was unable to bind to port 53 !
> > > >
> > > > Conclusion : I think it's possible to get a shell under BIND
8.2.2-P5
> > and with a Iquery probe.
> > > > Do someone be aware of such a vulnerability ?
> > > >
> > > > db
> > > The latest 8.2.x secure release seems to be 8.2.3-REL, by the way
nobody
> > grants you that your box cannot be compromised. All the 8.x versions,
i've
> > read, are afflicted by a denial of service vulnerability that allows a
> > 'malicious user' to fill your server's cache. This doesn't seems to be
fixed
> > in the 9.x versions, 'cause the daemon when there isn't no enough memory
for
> > the cache only stop to write on it. Anyway, prolly, there's a
vulnerability
> > discovered by one of my friends (a developer of the FreeBSD kernel) that
> > affects currently all the 8.x and 9.x bind versions and i think
something
> > about that will be released in the next weeks/months.