Bind TSIG exploit
From: Christopher Farley (chris@northernbrewer.com)
Date: 02/22/01
- Next message: Kris Kennaway: "Re: Bind problems"
- Previous message: Crist J. Clark: "Re: Bind problems"
- Next in thread: Kris Kennaway: "Re: Bind TSIG exploit"
- Reply: Kris Kennaway: "Re: Bind TSIG exploit"
- Reply: Robert Watson: "Re: Bind TSIG exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 22 Feb 2001 02:32:33 -0600
From: Christopher Farley <chris@northernbrewer.com>
To: freebsd-security@freebsd.org
This is what I get for not subscribing to freebsd-security (until
now):
On Feb 7, named dumped core (running bind 8.2.3 beta). I didn't catch it
until recently. While searching the archives, I came across information
on the well-known bind vulnerabilities.
My non-technical armchair analysis of the core dump indicates the
TSIG exploit (based on the presence of ';; TSIG invalid (%s)' at the
top of the core file -- how's that for non-technical?).
Is there any way to analyze the core dump to find out what 'arbitrary
code' may have been executed? I've taken the usual steps to detect
a root compromise, but found nothing obvious. I've upgraded named
to 8.2.3-REL, but I'm guessing I should decommission and rebuild
the server as a precaution... unless I can be convinced this is not
necessary.
There have been a couple of messages in recent days on -questions about
named dumping core, so I suspect this vulnerability is being widely
exploited at present. Congratulations if you patched the hole two or
three weeks ago, you escaped...
-----------------
I don't know if this is interesting or not:
# strings - named.core | head -45
FreeBSD
FreeBSD
833333
FreeBSD
named
named
/home
/home
/var/mail
/dev
/var/spool
/usr/tmp
/tmp
/var/log/lastlog
/var/log/wtmp
/var/log/messages
/dev/random
mtime->tv_usec >= 0 && mtime->tv_usec < 1000000
/usr/src/lib/libbind/../../contrib/bind/lib/dst/prandom.c
/proc/
$Id: res_update.c,v 1.24 1999/10/15 19:49:12 vixie Exp $
res_findzonecut failed (%d)
malloc failed
res_mkupdrec failed
res_mkupdate -> %d
res_nsend: send error, n=%d (%s)
;; res_nupdate:
HMAC-MD5.SIG-ALG.REG.INT
;; TSIG invalid (%s)
;; TSIG ok
;; res_query(%s, %d, %d)
;; res_query: mkquery failed
;; res_query: send error
;; rcode = %d, ancount=%d
<Nil>
;; res_nquerydomain(%s, %s, %d, %d)
%s.%s
HOSTALIASES
/etc/networks
/etc/hosts
getservent
getservbyname %s %s
getservbyport %d %s
setservent
setservent failed: %s
--
Christopher Farley
www.northernbrewer.com
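The question above is how to go from a `strings` listing to an answer about whether arbitrary code ran. The following is an added example, not code from the original post or from the BIND project, showing the kind of triage a responder would script before deciding to rebuild: a minimal strings(1) reimplementation plus a few heuristics run over a core image. Two caveats it encodes: the ';; TSIG invalid (%s)' and ';; TSIG ok' strings are libbind format strings that live in the read-only data of every named of that build, so they show up in any named core and are not evidence of exploitation by themselves; and classic x86 shellcode pushes "//sh" and "/bin" as immediates, so the string appears in memory as "h//shh/bin" and a grep for the literal "/bin/sh" can miss it. The indicator list and the two sample cores are constructed for the example, not taken from a real dump or a specific exploit.

```python
"""Heuristic triage of a named core dump for shellcode indicators.

Added example, not from the original post.  CLEAN_CORE and DIRTY_CORE below
are constructed sample inputs, not real core files.
"""
import re
from collections import namedtuple

# Format strings the post's `strings` output shows.  They are part of
# libbind's read-only data, so they appear in ANY core of that named build,
# exploited or not; their presence proves nothing on its own.
LIBBIND_TSIG_MARKERS = (b";; TSIG invalid (%s)", b";; TSIG ok",
                        b"HMAC-MD5.SIG-ALG.REG.INT")

# Generic shellcode indicators (assumption: a general list, not taken from
# any particular exploit).  "h//shh/bin" is how the classic
#     push 0x68732f2f ; push 0x6e69622f        ("//sh", "/bin")
# immediates look in memory: the path is split, so a literal "/bin/sh"
# search alone would miss it.
SUSPICIOUS_PATTERNS = (b"/bin/sh", b"/bin//sh", b"/bin/ksh", b"/bin/bash",
                       b"h//shh/bin")

MIN_STRING_LEN = 4      # same default as strings(1)
MIN_NOP_SLED = 32       # runs of 0x90 shorter than this are ignored

Verdict = namedtuple("Verdict", "tsig_markers nop_sleds suspicious")


def extract_strings(data, min_len=MIN_STRING_LEN):
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group(0) for m in
            re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_nop_sleds(data, min_len=MIN_NOP_SLED):
    """(offset, length) of every run of 0x90 bytes at least min_len long."""
    return [(m.start(), m.end() - m.start()) for m in
            re.finditer(rb"\x90{%d,}" % min_len, data)]


def triage_core(data):
    """Run all heuristics over a core image and return a Verdict."""
    strings = extract_strings(data)
    markers = [mk for mk in LIBBIND_TSIG_MARKERS if mk in data]
    suspicious = sorted({s for s in strings
                         if any(p in s for p in SUSPICIOUS_PATTERNS)})
    return Verdict(markers, find_nop_sleds(data), suspicious)


def looks_compromised(verdict):
    """True when the core carries indicators beyond libbind's own strings."""
    return bool(verdict.nop_sleds or verdict.suspicious)


# Constructed sample cores.  LIBBIND_BLOB mimics what the post's strings
# output shows; DIRTY_CORE appends a NOP sled, the split "/bin//sh" push
# immediates and a literal "/bin/sh" (all constructed, not a real payload).
LIBBIND_BLOB = (b"FreeBSD\x00named\x00/var/log/messages\x00"
                b";; TSIG invalid (%s)\x00;; TSIG ok\x00"
                b"HMAC-MD5.SIG-ALG.REG.INT\x00;; res_query(%s, %d, %d)\x00")
CLEAN_CORE = b"\x7fELF" + b"\x00" * 60 + LIBBIND_BLOB + b"\x00" * 64
DIRTY_CORE = (b"\x7fELF" + b"\x00" * 60 + LIBBIND_BLOB
              + b"\x90" * 200                            # NOP sled
              # xor eax,eax ; push eax ; push "//sh" ; push "/bin" ; mov ebx,esp
              + b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
              + b"\x00" * 8 + b"/bin/sh\x00")


if __name__ == "__main__":
    for name, core in (("clean", CLEAN_CORE), ("dirty", DIRTY_CORE)):
        v = triage_core(core)
        state = "extra indicators present" if looks_compromised(v) else "only libbind strings"
        print(f"{name}: {state}; sleds={v.nop_sleds}; suspicious={v.suspicious}")
```

To run it on the actual file, pass `open("named.core", "rb").read()` to `triage_core`. A clean result only says the heuristics found nothing, not that nothing ran; a named that crashed may be a failed attempt while a successful one need not leave a core at all, which is why a rebuild is the conservative call regardless of what the dump shows.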