5699488 2000-11-07 13:40 +0100  /45 lines/ Fabio Pietrosanti (naif) <fabio@TELEMAIL.IT>
Sent by: joel@lysator.liu.se
Imported: 2000-11-08  18:47  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: naif@inet.it
Recipient: Bugtraq (import) <13646>
Subject: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
From: "Fabio Pietrosanti (naif)" <fabio@TELEMAIL.IT>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0011071339510.29294-100000@naif.inet.it>

Hi, playing with bind and the ZXFR feature (zone transfer compressed
with a possibly insecure execlp("gzip", "gzip", NULL); ), I
discovered a Denial Of Service against Bind 8.2.2-P5.

By default Bind 8.2.2-P5 is not compiled with ZXFR support unless
you define it with #define BIND_ZXFR, so it will refuse any ZXFR
transfer, because it doesn't support it.  But now what happens? Look
here...

################################
zone to transfer: zone.pippo.com
dns server:	  dns.pippo.com 192.168.1.1
me:		  naif.gatesux.com 10.10.10.10
I send a Zone Transfer request using the "-Z" switch, which means that I wish to use ZXFR.
dns.pippo.com doesn't support ZXFR and has "allow-transfer{}" not configured, so everyone
could ask it for *.zone.pippo.com ...

<naif@naif> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer  -z zone.pippo.com  -d 9 -f pics -Z dns.pippo.com
named-xfer[29297]: send AXFR query 0 to 192.168.1.1
named-xfer[29297]: premature EOF, fetching "zone.pippo.com"

On the server's log:

Nov  7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com"
Nov  7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to [10.10.10.10].2284

Then the server "*** CRASHED ***" .

I should assume that bind 8.2.2-P5 is vulnerable (please, someone
test and confirm this kind of DoS) and bind-9.0.0 has no support for
ZXFR.

<naif@naif> [~/bind] $ find src822p5/ -type f -exec grep -i zxfr \{\}  ';' | wc -l
    234
<naif@naif> [~/bind] $ find bind-9.0.0/ -type f -exec grep -i zxfr \{\}  ';' | wc -l
      0

A lot of DNS servers are misconfigured and allow zone transfers to
any, so they are DoSable...


naif
naif@itapac.net
(5699488) --------------------------------(Rewrapped)
Comment in text 5701181 by Martin McFlySr <Martin@MCFLYSR.KURGAN.RU>
Comment in text 5701197 by Greg A. Woods <woods@WEIRD.COM>
Comment in text 5701313 by Jeroen Ruigrok/Asmodai <asmodai@FREEBSD.ORG>
Comment in text 5701327 by Akatosh <akatosh@RAINS.NET>
Comment in text 5701647 by Walter Hop <walter@SKYDANCER.NL>
Comment in text 5701763 by Daniel Roesen <droesen@ENTIRE-SYSTEMS.COM>
Comment in text 5701785 by Darron Froese <darron@FROESE.ORG>

5701181 2000-11-09 01:00 +0300  /31 lines/ Martin McFlySr <Martin@MCFLYSR.KURGAN.RU>
Sent by: joel@lysator.liu.se
Imported: 2000-11-09  07:37  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Martin@McFlySr.Kurgan.Ru
Recipient: Bugtraq (import) <13658>
Comment to text 5699488 by Fabio Pietrosanti (naif) <fabio@TELEMAIL.IT>
Subject: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
From: Martin McFlySr <Martin@MCFLYSR.KURGAN.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <5229790120.20001109010001@McFlySr.Kurgan.Ru>

Hello Fabio Pietrosanti (naif),

Tuesday, November 07, 2000, 15:40:49, you wrote:

FPn> Then the server "*** CRASHED ***" .
FPn> I  should  assume that bind 8.2.2-P5 it's vulnerable ( Please someone
FPn> test  and confirm this kind of dos) ...
FPn> A lot of DNS Server are misconfigured, and allow zone-transfer to any,
FPn> so they are dossable...

Yes, 8.2.2 is vulnerable. With "allow-transfer" or without it.

If 8.2.2 hasn't an "allow-transfer", a request from any host can crash
bind.

If 8.2.2 has an "allow-transfer", a request from any host (from the
"allow-transfer" list) can crash bind.



--
Thursday, November 09, 2000,
00:49

Best regards from future,
Martin McFlySr, HillDale.
(5701181) --------------------------------(Rewrapped)

5701197 2000-11-08 14:38 -0500  /27 lines/ Greg A. Woods <woods@WEIRD.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-11-09  07:52  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: woods@weird.com
Recipient: Bugtraq (import) <13660>
Comment to text 5699488 by Fabio Pietrosanti (naif) <fabio@TELEMAIL.IT>
Subject: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
From: "Greg A. Woods" <woods@WEIRD.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20001108193827.403514@proven.weird.com>

[ On Tuesday, November 7, 2000 at 13:40:49 (+0100), Fabio Pietrosanti (naif) wrote: ]
> Subject: BIND 8.2.2-P5 Possible DOS
>
> Then the server "*** CRASHED ***" .
>
> I should assume that bind 8.2.2-P5 it's vulnerable ( Please someone
> test and confirm this kind of dos)

I can always crash any of my remaining 8.2.2-P3 instances this way but
only some of the 8.2.2-P5 instances I've tried so far will crash on
demand....  (The busiest ones....)

	:-(

I'll be searching the bug out with gdb before you read this.... :-)

--
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
(5701197) ------------------------------------------

5701313 2000-11-08 21:59 +0100  /40 lines/ Jeroen Ruigrok/Asmodai <asmodai@FREEBSD.ORG>
Sent by: joel@lysator.liu.se
Imported: 2000-11-09  08:30  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: asmodai@FREEBSD.ORG
Recipient: Bugtraq (import) <13661>
Comment to text 5699488 by Fabio Pietrosanti (naif) <fabio@TELEMAIL.IT>
Subject: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
From: Jeroen Ruigrok/Asmodai <asmodai@FREEBSD.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20001108215951.A53141@daemon.ninth-circle.org>

-On [20001108 19:01], Fabio Pietrosanti (naif) (fabio@TELEMAIL.IT) wrote:
>playing with bind and ZXFR feature ( zone transfer compressed with a
>possible insecure execlp("gzip", "gzip", NULL); ), i discovered a
>Denial Of Service against Bind 8.2.2-P5 .

Data points:

FreeBSD 4-STABLE and 5-CURRENT with BIND 8.2.3-T5B and T6B plus
aa_patch and the described `DoS/exploit' will not work.  The logs
show that it got a zone transfer type which was unsupported, but the
named just keeps on ticking.

Solaris with BIND 8.2.2-p5 has no problems as well.  And I am betting
money on it that BIND 8.2.2-p5 will not fail under FreeBSD as well.

Personally I think it will not cause problems on a lot of systems,
aside from spurious log entries.

However, there is always a chance of DoS'ing a nameserver with
zone transfers.  But that falls outside the reported scope of the
mentioned special DoS/exploit using ZXFR's in conjunction with BIND.

--
Jeroen Ruigrok vd Werven/Asmodai    asmodai@[wxs.nl|bart.nl|freebsd.org]
Documentation nutter/C-rated Coder BSD: Technical excellence at its best
The BSD Programmer's Documentation Project <http://home.wxs.nl/~asmodai>
The fragrance always stays in the hand that gives the rose...


(5701313) --------------------------------(Rewrapped)

5701327 2000-11-08 17:29 -0500  /22 lines/ Akatosh <akatosh@RAINS.NET>
Sent by: joel@lysator.liu.se
Imported: 2000-11-09  08:34  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: akatosh@RAINS.NET
Recipient: Bugtraq (import) <13663>
Comment to text 5699488 by Fabio Pietrosanti (naif) <fabio@TELEMAIL.IT>
Subject: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------


>
> I should assume that bind 8.2.2-P5 it's vulnerable ( Please someone test and confirm this kind of dos)
> and bind-9.0.0 has no support for ZXFR .
>
> <naif@naif> [~/bind] $ find src822p5/ -type f -exec grep -i zxfr \{\}  ';' | wc -l
>

HMM
yep
my bind crashed
attached is my half-assed patch

-----------
Akatosh
akatosh@rains.net
DC2.DfGmL--WT--SksCre+\Cvi+BflN^MH++$-Fj~R+Ac+++!J+S+U-I--#V++[sumobj]Q+Tc++
GCSd-s:-a---C++++UL++++P---L++++E-W++N+o?K-w---O-M--V-PS+PE?YPGPt+5++XR*!tvb++(+++)DI++D++Geh+r--z-
(5701327) ------------------------------------------
Attachment (text/plain) in text 5701328

5701328 2000-11-08 17:29 -0500  /27 lines/ Akatosh <akatosh@RAINS.NET>
Attachment filename: "ns_xfr.c.patch"
Imported: 2000-11-09  08:34  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: akatosh@RAINS.NET
Recipient: Bugtraq (import) <13664>
Attachment (text/plain) to text 5701327
Subject: Attachment (ns_xfr.c.patch) to: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
--- src/bin/named/ns_xfr.c	Wed Oct 13 12:39:13 1999
+++ src.new/bin/named/ns_xfr.c	Wed Nov  8 16:53:38 2000
@@ -97,7 +97,8 @@
 			   "unsupported XFR (type %s) of \"%s\" (%s) to %s",
 			p_type(type), zones[zone].z_origin, p_class(class),
 			sin_ntoa(qsp->s_from));
-		goto abort;
+		(void) shutdown(qsp->s_rfd, 2);
+		goto abort2;
 	}
 
 #ifdef SO_SNDBUF
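Review bot: the replacement for `goto abort` shuts the socket down and then jumps to `abort2`, which (per the second hunk) sits after the `sx_pushlev` block, so the unsupported-type path no longer leaves the function and instead falls into `if (type != ns_t_ixfr) (void) sq_writeh(qsp, sx_sendsoa);`, queueing a SOA write on a stream that was just shut down. If the intent is only to stop processing without the `sq_remove(qsp)` that the `abort:` path performs, a plain `return;` after the `shutdown` says that directly; otherwise the patch should state why continuing into the send path is safe here.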
@@ -195,11 +196,13 @@
 			type = ns_t_axfr;
 	}
 		if (sx_pushlev(qsp, znp) < 0) {
+
  abort:
 			(void) shutdown(qsp->s_rfd, 2);
 			sq_remove(qsp);
 			return;
 		}
+ abort2:
 	if (type != ns_t_ixfr) 
 		(void) sq_writeh(qsp, sx_sendsoa);
 	else
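Review bot: placing `abort2:` after the `if (sx_pushlev(qsp, znp) < 0) { ... }` block adds a label whose only purpose is to skip that block, and the added blank line before `abort:` is an unrelated whitespace change that should be dropped. Once the first hunk removes the only visible `goto abort`, the `abort:` label may be left unused and most compilers will warn; a short comment at `abort2:` explaining why the stream is kept in the queue instead of being torn down with `sq_remove(qsp)` would make the reasoning reviewable.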
(5701328) ------------------------------------------

5701647 2000-11-08 21:05 +0100  /33 lines/ Walter Hop <walter@SKYDANCER.NL>
Sent by: joel@lysator.liu.se
Imported: 2000-11-09  09:31  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: walter@SKYDANCER.NL
Recipient: Bugtraq (import) <13668>
Comment to text 5699488 by Fabio Pietrosanti (naif) <fabio@TELEMAIL.IT>
Subject: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
From: Walter Hop <walter@SKYDANCER.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <153031338.20001108210527@skydancer.nl>

[in reply to fabio@TELEMAIL.IT, 07-11-2000]

> <naif@naif> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer  -z zone.pippo.com  -d 9 -f pics -Z dns.pippo.com
> named-xfer[29297]: send AXFR query 0 to 192.168.1.1
> named-xfer[29297]: premature EOF, fetching "zone.pippo.com"
>
> Then the server "*** CRASHED ***" .

> I should assume that bind 8.2.2-P5 it's vulnerable ( Please someone test
> and confirm this kind of dos)

Yes; I got BIND-8.2.2-P5 on a RH5.2/Linux 2.0.38 box to die using the
above command. These were the last log messages:

Nov  8 20:36:06 cascade named[396]: unsupported XFR (type ZXFR) of
                "xxx.nl" (IN) to [xxx.xxx.xxx.xxx].4174
Nov  8 20:36:55 cascade named[396]: db_freedata: DB_F_FREE set
Nov  8 20:36:55 cascade named[396]: db_freedata: DB_F_FREE set

I haven't been able to reproduce this on:
BIND-8.2.2-P5 on RH6.1, Linux 2.2.12-20smp
BIND-8.2.2-P5-NOESW on FreeBSD 3.4-RELEASE
BIND-8.2.3-T5B on FreeBSD 4.1-RELEASE

--
 Walter Hop <walter@skydancer.nl> | +31 6 24290808 | PGP: 0xD4DD8DEB
 Mail agreement-request@skydancer.nl to retrieve the email agreement.
(5701647) --------------------------------(Rewrapped)
Comment in text 5701358 by Walter Hop <walter@SKYDANCER.NL>

5701358 2000-11-08 21:25 +0100  /31 lines/ Walter Hop <walter@SKYDANCER.NL>
Sent by: joel@lysator.liu.se
Imported: 2000-11-09  08:40  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: walter@SKYDANCER.NL
Recipient: Bugtraq (import) <13666>
Comment to text 5701647 by Walter Hop <walter@SKYDANCER.NL>
    Sent:     2000-11-09 09:31
Subject: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
From: Walter Hop <walter@SKYDANCER.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <1254214870.20001108212511@skydancer.nl>

[in reply to walter@skydancer.nl, 08-11-2000]

>> <naif@naif> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer  -z zone.pippo.com  -d 9 -f pics -Z dns.pippo.com

> Yes; I got BIND-8.2.2-P5 on a RH5.2/Linux 2.0.38 box to die using the above
> command. These were the last log messages:
>
> Nov  8 20:36:06 cascade named[396]: unsupported XFR (type ZXFR) of
>                 "xxx.nl" (IN) to [xxx.xxx.xxx.xxx].4174
> Nov  8 20:36:55 cascade named[396]: db_freedata: DB_F_FREE set
> Nov  8 20:36:55 cascade named[396]: db_freedata: DB_F_FREE set

Now "BIND-8.2.2-P5-NOESW" on FreeBSD 3.4-RELEASE crashed too, with the
following log messages:

Nov  8 21:05:09 unity named[147]: db_freedata: d_rcnt != 0
Nov  8 21:05:09 unity /kernel: pid 147 (named), uid 53: exited on signal 6
Nov  8 21:05:09 unity named[147]: db_freedata: d_rcnt != 0

Strangely, this happens a few minutes _AFTER_ the evil named-xfer! In
the timespan between the DoS command and the crash, named functions
as normal...

--
 Walter Hop <walter@skydancer.nl> | +31 6 24290808 | PGP: 0xD4DD8DEB
 Mail agreement-request@skydancer.nl to retrieve the email agreement.
(5701358) --------------------------------(Rewrapped)
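The delayed crash Walter describes (a refused ZXFR, then db_freedata messages minutes later) is a pattern a log monitor can pick out. The following is an added example, not code from the thread or from BIND: it parses both log layouts quoted in this thread (syslog lines as above, and the BIND 8 logging-channel lines Darron Froese quotes further down), using constructed sample lines modelled on those excerpts.

```python
import re

# Two named log layouts appear in this thread: syslog ("Nov  8 20:36:06 host named[396]: ...")
# and BIND 8 logging-channel output ("08-Nov-2000 11:23:54.244 xfer-out: warning: ...").
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: (?P<msg>.*)$')
CHANNEL_RE = re.compile(
    r'^(?P<ts>\d\d-[A-Z][a-z]{2}-\d{4} \d\d:\d\d:\d\d\.\d+) [\w-]+: \w+: (?P<msg>.*)$')

# Message bodies quoted in the thread: the refused transfer, the ACL approval that
# precedes it, and the db_freedata criticals that show up before named dies.
UNSUPPORTED_RE = re.compile(
    r'unsupported XFR \(type (?P<type>\w+)\) of "(?P<zone>[^"]+)" \(\w+\) to '
    r'\[(?P<src>[^\]]+)\]\.\d+')
APPROVED_RE = re.compile(
    r'approved (?P<type>\w+) from \[(?P<src>[^\]]+)\]\.\d+ for "(?P<zone>[^"]+)"')
CORRUPTION_RE = re.compile(r'db_freedata: (DB_F_FREE set|d_rcnt != 0)')

# Constructed sample, modelled on the log excerpts in this thread (documentation addresses).
SAMPLE_LOG = """\
Nov  8 20:36:06 cascade named[396]: approved ZXFR from [192.0.2.10].4174 for "example.nl"
Nov  8 20:36:06 cascade named[396]: unsupported XFR (type ZXFR) of "example.nl" (IN) to [192.0.2.10].4174
Nov  8 20:36:55 cascade named[396]: db_freedata: DB_F_FREE set
Nov  8 20:36:55 cascade named[396]: db_freedata: DB_F_FREE set
08-Nov-2000 11:23:54.243 security: info: approved ZXFR from [192.168.1.1].3577 for "domain.com"
08-Nov-2000 11:23:54.244 xfer-out: warning: unsupported XFR (type ZXFR) of "domain.com" (IN) to [192.168.1.1].3577
08-Nov-2000 11:26:52.040 default: critical: db_freedata: DB_F_FREE set
"""


def parse_line(line):
    """Return (timestamp, message) for either layout, or None for lines named did not write."""
    for rx in (SYSLOG_RE, CHANNEL_RE):
        m = rx.match(line.strip())
        if m:
            return m.group('ts'), m.group('msg')
    return None


def analyse(lines):
    """Single pass over the log: who asked for an unsupported ZXFR, and did memory
    corruption messages follow.  The reports in this thread show the crash can come
    minutes after the request, so the request is flagged on its own, not only once
    a crash is already visible."""
    report = {'unsupported': [], 'approved_zxfr': [], 'corruption': [],
              'zxfr_sources': set()}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        m = UNSUPPORTED_RE.search(msg)
        if m:
            report['unsupported'].append((ts, m['type'], m['zone'], m['src']))
            if m['type'] == 'ZXFR':
                report['zxfr_sources'].add(m['src'])
            continue
        m = APPROVED_RE.search(msg)
        if m and m['type'] == 'ZXFR':
            report['approved_zxfr'].append((ts, m['zone'], m['src']))
            continue
        if CORRUPTION_RE.search(msg):
            report['corruption'].append((ts, msg))
    # An accepted-then-refused ZXFR is the trigger; db_freedata afterwards is the damage.
    report['trigger_seen'] = bool(report['zxfr_sources'])
    report['crash_precursor'] = report['trigger_seen'] and bool(report['corruption'])
    return report


if __name__ == '__main__':
    r = analyse(SAMPLE_LOG.splitlines())
    print('ZXFR requests refused from:', sorted(r['zxfr_sources']))
    print('db_freedata messages:', len(r['corruption']))
    print('crash precursor pattern:', r['crash_precursor'])
```

Following Adrian Griffis's point later in the thread, `trigger_seen` is reported even when no db_freedata line follows, since a server that did not crash may still have been damaged.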

5701763 2000-11-09 01:12 +0100  /21 lines/ Daniel Roesen <droesen@ENTIRE-SYSTEMS.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-11-09  10:03  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: droesen@ENTIRE-SYSTEMS.COM
Recipient: Bugtraq (import) <13670>
Comment to text 5699488 by Fabio Pietrosanti (naif) <fabio@TELEMAIL.IT>
Subject: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
On Tue, Nov 07, 2000 at 01:40:49PM +0100, Fabio Pietrosanti (naif) wrote:
> I should assume that bind 8.2.2-P5 it's vulnerable ( Please someone
> test and confirm this kind of dos)

Confirmed. I played around a bit and have the following reproducible test:

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=20546


Best regards,
Daniel

-- 
----------------------------------------------------------------------
entire systems GmbH         | droesen@entire-systems.com
Internet Services           | Phone: +49 2624 9550-55 
Ferbachstrasse 12           | Fax:   +49 2624 9550-20
D-56203 Hoehr-Grenzhausen   | http://www.entire-systems.com/
----------------------------------------------------------------------
(5701763) ------------------------------------------
Attachment (application/pgp-signature) in text 5701764

5701764 2000-11-09 01:12 +0100  /10 lines/ Daniel Roesen <droesen@ENTIRE-SYSTEMS.COM>
Imported: 2000-11-09  10:03  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: droesen@ENTIRE-SYSTEMS.COM
Recipient: Bugtraq (import) <13671>
Attachment (text/plain) to text 5701763
Subject: Attachment to: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
(5701764) ------------------------------------------

5701785 2000-11-08 11:43 -0700  /70 lines/ Darron Froese <darron@FROESE.ORG>
Sent by: joel@lysator.liu.se
Imported: 2000-11-09  10:13  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: darron@FROESE.ORG
Recipient: Bugtraq (import) <13672>
Comment to text 5699488 by Fabio Pietrosanti (naif) <fabio@TELEMAIL.IT>
Subject: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
From: Darron Froese <darron@FROESE.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <B62EECD7.4417%darron@froese.org>

On 11/7/00 5:40 AM, "Fabio Pietrosanti (naif)" <fabio@TELEMAIL.IT>
wrote:

> <naif@naif> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer  -z zone.pippo.com
> -d 9 -f pics -Z dns.pippo.com
> named-xfer[29297]: send AXFR query 0 to 192.168.1.1
> named-xfer[29297]: premature EOF, fetching "zone.pippo.com"
>
> On the server's log:
> Nov  7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from
> [10.10.10.10].2284 for "zone.pippo.com"
> Nov  7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of
> "zone.pippo.com" (IN) to [10.10.10.10].2284
>
> Then the server "*** CRASHED ***" .
>
> I should assume that bind 8.2.2-P5 it's vulnerable ( Please someone test and
> confirm this kind of dos)

I can confirm this on one of my Mandrake 7.1 boxes (8.2.2-P5 running
chrooted and as uid/gid named) - this is what happened:

[root@gateway darron]# named-xfer -z domain.com -d 9 -f zone -Z
ns1.domain.com

named-xfer[20193]: send ZXFR query 0 to 192.168.1.100
named-xfer[20193]: premature EOF, fetching "domain.com"

08-Nov-2000 11:23:54.243 security: info: approved ZXFR from [192.168.1.1].3577 for "domain.com"
08-Nov-2000 11:23:54.244 xfer-out: warning: unsupported XFR (type ZXFR) of "domain.com" (IN) to [192.168.1.1].3577

A couple minutes later in the logs:

08-Nov-2000 11:26:52.040 default: critical: db_freedata: DB_F_FREE set

Then named was gone. Dead and gone.

I tried it again and attempted 3 zone transfers from an ip that had
access to transfer zones from that dns server - it died almost
immediately and this was in the logs:

08-Nov-2000 11:30:02.279 default: critical: db_freedata: d_rcnt != 0

It doesn't seem to be consistent in the number of times it takes to
kill it - but it does end up dead.

NOTE and WORKAROUND: If you have secured your named daemon from zone
transfers from unauthorized locations, it appears that requesting a
zone transfer in this manner (which fails because of the security
restrictions) doesn't have the same DoS potential. I couldn't get the
server to crash if an acl restricted the zone transfer.

It seems to work and crash the server if:

1. You have zone transfers open to the entire universe. (The logic of
which is debatable and almost certainly stupid.)

2. A zone transfer is being requested from a location that's already
allowed to do zone transfers. Authorized zone transfers can crash the
server at will.
--
Darron
darron@froese.org
(5701785) --------------------------------(Rewrapped)
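Darron's workaround comes down to an `allow-transfer` ACL. As an added example (not from the thread or from the BIND distribution), the open zone the first message describes sits beside the restricted form, in BIND 8 named.conf syntax; the zone file name and the secondary addresses are placeholders.

```conf
// Weak: no allow-transfer anywhere, so BIND 8 answers AXFR (and attempts ZXFR)
// for any source address. This is the "allow-transfer{} not configured" case.
zone "zone.pippo.com" {
        type master;
        file "ZONE_FILE_PLACEHOLDER";
};

// Restricted: transfers are off globally and re-enabled per zone for listed
// secondaries only (placeholder addresses). Per Darron's report a host on this
// list can still trigger the crash, so the ACL limits exposure but does not
// replace upgrading to 8.2.2-P7 as announced later in the thread.
acl "secondaries" { 192.0.2.53; 198.51.100.53; };

options {
        allow-transfer { none; };
};

zone "zone.pippo.com" {
        type master;
        file "ZONE_FILE_PLACEHOLDER";
        allow-transfer { "secondaries"; };
};
```

The two `zone` statements are alternatives shown side by side; a real named.conf carries only one of them.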

5705022 2000-11-09 09:40 -0600  /38 lines/ L. Adrian Griffis <dt26453@DSTSYSTEMS.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-11-09  22:07  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: agriffis@dstsystems.com
Recipient: Bugtraq (import) <13678>
Comment to text 5701313 by Jeroen Ruigrok/Asmodai <asmodai@FREEBSD.ORG>
Subject: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
From: "L. Adrian Griffis" <dt26453@DSTSYSTEMS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0011090932530.1322-100000@dt26453.dstsystems.com>

On Wed, 8 Nov 2000, Jeroen Ruigrok/Asmodai wrote:

> -On [20001108 19:01], Fabio Pietrosanti (naif) (fabio@TELEMAIL.IT) wrote:
> >playing with bind and ZXFR feature ( zone transfer compressed with a
> >possible insecure execlp("gzip", "gzip", NULL); ), i discovered a
> >Denial Of Service against Bind 8.2.2-P5 .
>
> Data points:
>
> FreeBSD 4-STABLE and 5-CURRENT with BIND 8.2.3-T5B and T6B plus aa_patch
> and the described `DoS/exploit' will not work.  The logs show that it
> got a zonetransfer type which was unsupported, but the named just keeps
> on ticking.
>
> Solaris with BIND 8.2.2-p5 has no problems as well.  And I am betting
> money on it that BIND 8.2.2-p5 will not fail under FreeBSD as well.
>
> Personally I think it will not cause problems on a lot of systems, aside
> from spurious log entries.

I urge you not to read too much into these data (specifically the
systems that did not crash).  Another message mentions that sometimes
the daemon operates normally for a while before it crashes.  This is
very normal for failures to check the validity of returned pointers
and programming errors that lead to overruns of allocated memory.
It may be that on the systems that didn't crash, some damage has
still been done, but the layout of memory is such that it is less
likely in this case to terminate the program.  More importantly, this
leaves open the possibility that an exploitable bug exists, even on
those platforms for which bind didn't crash.

Adrian
(5705022) --------------------------------(Rewrapped)

5711114 2000-11-09 16:23 -0500  /45 lines/ Greg A. Woods <woods@WEIRD.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-11-10  21:23  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: woods@weird.com
Recipient: Bugtraq (import) <13689>
Comment to text 5701327 by Akatosh <akatosh@RAINS.NET>
Subject: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
From: "Greg A. Woods" <woods@WEIRD.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20001109212308.AF9214@proven.weird.com>

[ On Wednesday, November 8, 2000 at 17:29:15 (-0500), Akatosh wrote: ]
> Subject: Re: BIND 8.2.2-P5 Possible DOS
>
> attatched is my half-assed patch

I think this is all that's really necessary.  It's working so far for
me anyway....

Index: src/bin/named/ns_xfr.c
===================================================================
RCS file: /cvs/misc/bind8/src/bin/named/ns_xfr.c,v
retrieving revision 1.1.1.3
diff -c -r1.1.1.3 ns_xfr.c
*** src/bin/named/ns_xfr.c	1999/11/11 06:06:09	1.1.1.3
--- src/bin/named/ns_xfr.c	2000/11/09 20:49:45
***************
*** 97,103 ****
  			   "unsupported XFR (type %s) of \"%s\" (%s) to %s",
  			p_type(type), zones[zone].z_origin, p_class(class),
  			sin_ntoa(qsp->s_from));
! 		goto abort;
  	}

  #ifdef SO_SNDBUF
--- 97,104 ----
  			   "unsupported XFR (type %s) of \"%s\" (%s) to %s",
  			p_type(type), zones[zone].z_origin, p_class(class),
  			sin_ntoa(qsp->s_from));
! 		(void) shutdown(qsp->s_rfd, 2);
! 		return;
  	}

  #ifdef SO_SNDBUF
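Review bot: the new error path does `(void) shutdown(qsp->s_rfd, 2); return;` and no longer runs `sq_remove(qsp)`, which the `abort:` label it replaces performs (visible in Akatosh's patch earlier in this thread), so the stream stays queued until the read side notices the shutdown and tears it down through the normal path. That is plausibly what avoids the double free reported as `db_freedata: DB_F_FREE set`, but the hunk carries no comment saying so; add one next to the `return` so the next maintainer does not "fix" it back to `goto abort`.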

--
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
(5711114) --------------------------------(Rewrapped)

5711475 2000-11-10 13:50 -0500  /15 lines/ Greg A. Woods <woods@WEIRD.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-11-10  23:28  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: woods@weird.com
Recipient: Bugtraq (import) <13695>
Comment to text 5701327 by Akatosh <akatosh@RAINS.NET>
Subject: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
From: "Greg A. Woods" <woods@WEIRD.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20001110185010.969AC4@proven.weird.com>

In case you didn't know yet (I still don't know officially, except
that I went looking on the FTP server), but BIND-8.2.2-P7 has been
made available and it does fix the bug, albeit in a totally different
way!

--
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
(5711475) --------------------------------(Rewrapped)

5716631 2000-11-11 09:33 +1100  /57 lines/  <Mark.Andrews@NOMINUM.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-11-12  21:26  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Mark.Andrews@NOMINUM.COM
Recipient: Bugtraq (import) <13706>
Comment to text 5711114 by Greg A. Woods <woods@WEIRD.COM>
Subject: Re: BIND 8.2.2-P5 Possible DOS
------------------------------------------------------------
From: Mark.Andrews@NOMINUM.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200011102233.eAAMXSq45378@drugs.dv.isc.org>

	BIND 8.2.2-P7 is now released and addresses this issue.

	http://www.isc.org/products/BIND/bind-security.html
	has also been updated to reflect this.

	Mark


> [ On Wednesday, November 8, 2000 at 17:29:15 (-0500), Akatosh wrote: ]
> > Subject: Re: BIND 8.2.2-P5 Possible DOS
> >
> > attatched is my half-assed patch
>
> I think this is all that's really necessary.  It's working so far for me
> anyway....
>
> Index: src/bin/named/ns_xfr.c
> ===================================================================
> RCS file: /cvs/misc/bind8/src/bin/named/ns_xfr.c,v
> retrieving revision 1.1.1.3
> diff -c -r1.1.1.3 ns_xfr.c
> *** src/bin/named/ns_xfr.c	1999/11/11 06:06:09	1.1.1.3
> --- src/bin/named/ns_xfr.c	2000/11/09 20:49:45
> ***************
> *** 97,103 ****
>   			   "unsupported XFR (type %s) of \"%s\" (%s) to %s",
>   			p_type(type), zones[zone].z_origin, p_class(class),
>   			sin_ntoa(qsp->s_from));
> ! 		goto abort;
>   	}
>
>   #ifdef SO_SNDBUF
> --- 97,104 ----
>   			   "unsupported XFR (type %s) of \"%s\" (%s) to %s",
>   			p_type(type), zones[zone].z_origin, p_class(class),
>   			sin_ntoa(qsp->s_from));
> ! 		(void) shutdown(qsp->s_rfd, 2);
> ! 		return;
>   	}
>
>   #ifdef SO_SNDBUF
>
> --
> 							Greg A. Woods
>
> +1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com
(5716631) ------------------------------------------