Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv

From: Mark.Andrews@isc.org
Date: 06/27/02


To: Brett Glass <brett@lariat.org>
From: Mark.Andrews@isc.org
Date: Thu, 27 Jun 2002 10:12:08 +1000


> Aaargh. This will affect not only more recent systems but
> the older 3.x and embedded systems I maintain for people.
> There's no patch for these, and in the case of the embedded
> systems that use BSD I can't upgrade.
>
> Any word on whether one can detect and block such attacks
> upstream via an IDS or a proxy at the firewall?
>
> --Brett Glass

        Provided you are behind a nameserver you trust that reconstructs
        the answer you should be fine.

        BIND 9 reconstructs all answers (excluding forwarded UPDATES).
        BIND 8 forwards some and reconstructs others.

        Mark
>
> At 01:08 PM 6/26/2002, FreeBSD Security Advisories wrote:
>
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >=============================================================================
> >FreeBSD-SA-02:28.resolv                                     Security Advisory
> >                                                          The FreeBSD Project
> >
> >Topic: buffer overflow in resolver
> >
> >Category: core
> >Module: libc
> >Announced: 2002-06-26
> >Credits: Joost Pol <joost@pine.nl>
> >Affects: All releases prior to and including 4.6-RELEASE
> >Corrected: 2002-06-26 06:34:18 UTC (RELENG_4)
> > 2002-06-26 08:44:24 UTC (RELENG_4_6)
> > 2002-06-26 18:53:20 UTC (RELENG_4_5)
> >FreeBSD only: NO
> >
> >I. Background
> >
> >The resolver implements functions for making, sending and interpreting
> >query and reply messages with Internet domain name servers.
> >Hostnames, IP addresses, and other information are queried using the
> >resolver.
> >
> >II. Problem Description
> >
> >DNS messages have specific byte alignment requirements, resulting in
> >padding in messages. In a few instances in the resolver code, this
> >padding is not taken into account when computing available buffer
> >space. As a result, the parsing of a DNS message may result in a
> >buffer overrun of up to a few bytes for each record included in the
> >message.
> >
> >III. Impact
> >
> >An attacker (either a malicious domain name server or an agent that
> >can spoof DNS messages) may produce a specially crafted DNS message
> >that will exploit this bug when parsed by an application using the
> >resolver. It may be possible for such an exploit to result in the
> >execution of arbitrary code with the privileges of the resolver-using
> >application. Though no exploits are known to exist today, since
> >practically all Internet applications utilize the resolver, the
> >severity of this issue is high.
> >
> >IV. Workaround
> >
> >There is currently no workaround.
> >
> >V. Solution
> >
> >Do one of the following:
> >
> >1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6
> >or RELENG_4_5 security branch dated after the correction date
> >(4.6-RELEASE-p1 or 4.5-RELEASE-p7).
> >
> >2) To patch your present system:
> >
> >The following patch has been verified to apply to FreeBSD 4.5 and
> >FreeBSD 4.6 systems.
> >
> >a) Download the relevant patch from the location below, and verify the
> >detached PGP signature using your PGP utility.
> >
> ># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch
> ># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch.asc
> >
> >b) Execute the following commands as root:
> >
> ># cd /usr/src
> ># patch < /path/to/patch
> >
> >c) Recompile the operating systems as described in
> ><URL:http://www.freebsd.org/doc/handbook/makeworld.html>.
> >
> >Note that any statically linked applications that are not part of
> >the base system (i.e. from the Ports Collection or other 3rd-party
> >sources) must be recompiled.
> >
> >VI. Correction details
> >
> >The following list contains the revision numbers of each file that was
> >corrected in FreeBSD.
> >
> >Path                                                             Revision
> >  Branch
> >- -------------------------------------------------------------------------
> >src/lib/libc/net/gethostbydns.c
> >  RELENG_4                                                       1.27.2.2
> >  RELENG_4_6                                                     1.27.10.1
> >  RELENG_4_5                                                     1.27.8.1
> >src/lib/libc/net/getnetbydns.c
> >  RELENG_4                                                       1.13.2.2
> >  RELENG_4_6                                                     1.13.2.1.8.1
> >  RELENG_4_5                                                     1.13.2.1.6.1
> >src/lib/libc/net/name6.c
> >  RELENG_4                                                       1.6.2.6
> >  RELENG_4_6                                                     1.6.2.5.8.1
> >  RELENG_4_5                                                     1.6.2.5.6.1
> >src/sys/conf/newvers.sh
> >  RELENG_4_6                                                     1.44.2.23.2.2
> >  RELENG_4_5                                                     1.44.2.20.2.8
> >- -------------------------------------------------------------------------
> >
> >VII. References
> >
> ><URL:http://www.pine.nl/advisories/pine-cert-20020601.html>
> >
> >This is the moderated mailing list freebsd-announce.
> >The list contains announcements of new FreeBSD capabilities,
> >important events and project milestones.
> >See also the FreeBSD Web pages at http://www.freebsd.org
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-announce" in the body of the message
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
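
The advisory quoted above describes alignment padding that is not counted against the available buffer space. The following C example is added here and is not taken from the FreeBSD resolver or its patch; it models that accounting error beside a corrected check, without performing any out-of-bounds write. `ALIGNMENT`, the function names and the record lengths are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define ALIGNMENT 4u /* assumed alignment boundary for this illustration */

/* Padding needed to move offset `off` up to the next ALIGNMENT boundary. */
static size_t pad_for(size_t off)
{
    return (ALIGNMENT - off % ALIGNMENT) % ALIGNMENT;
}

/* Flawed accounting: the write position is advanced for alignment, but the
 * padding is never subtracted from the space believed to be left. Returns the
 * end offset a packer using this logic would reach (nothing is written). */
size_t flawed_end_offset(const size_t *lens, size_t n, size_t bufsize)
{
    size_t off = 0, left = bufsize;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] > left)
            break;              /* check ignores the padding */
        off += pad_for(off);    /* position moves forward ... */
        off += lens[i];
        left -= lens[i];        /* ... but only the record is deducted */
    }
    return off;
}

/* Corrected accounting: padding and record length are both checked against
 * the real remaining space before the position is advanced. */
size_t checked_end_offset(const size_t *lens, size_t n, size_t bufsize,
                          size_t *stored)
{
    size_t off = 0;
    *stored = 0;
    for (size_t i = 0; i < n; i++) {
        size_t pad = pad_for(off);
        if (pad > bufsize - off || lens[i] > bufsize - off - pad)
            break;              /* record does not fit once padded */
        off += pad + lens[i];
        (*stored)++;
    }
    return off;
}

int main(void)
{
    size_t lens[] = {5, 5, 5};  /* constructed record lengths */
    size_t stored;
    printf("flawed end:  %zu of 16\n", flawed_end_offset(lens, 3, 16));
    printf("checked end: %zu of 16\n", checked_end_offset(lens, 3, 16, &stored));
    return 0;
}
```

With three 5-byte records and a 16-byte buffer, the flawed accounting ends past the buffer by a few bytes of accumulated padding, while the corrected check stops after the second record.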