Re: [Full-disclosure] bind dos info?



Nope...I haven't seen anything yet either. Maybe someone else can
enlighten us? ;)
On Nov 16, 2011 9:05 PM, "Larry W. Cashdollar" <bugs@xxxxxxxxxxx> wrote:

Thanks Michael!
I guess 'ISC is working on determining the ultimate cause by which a
record with this particular inconsistency is cached' is the part I'm
interested in reading about and there are no details yet..

http://www.isc.org/software/bind/advisories/cve-2011-4313
On Nov 16, 2011 8:53 PM, "Larry W. Cashdollar" <bugs@xxxxxxxxxxx> wrote:

Hello list,
I am wondering if anyone has more details on the bind9 DoS that just came
out? (CVE-2011-4313) from what I can tell it appears a negative cached DNS
object with a valid RR response associated with it (which shouldn't exist)
will cause a vulnerable bind9 server to crash.

See lines 1890 - 1896 of query.c
1890         if (result == DNS_R_NCACHENXRRSET) {
1891                 dns_rdataset_disassociate(rdataset);
1892                 /*
1893                  * Negative cache entries don't have sigrdatasets.
1894                  */
1895                 INSIST(! dns_rdataset_isassociated(sigrdataset));
1896         }


Since allowing recursive queries must be enabled for this to work the
attacker must force a vulnerable dns server to query a malicious DNS
server by asking it to look up an NXrecord for a domain the attacker
controls dns for. Sending a response of NXdomain but having actual DNS
results in the response.

I am wondering if someone has seen a good write up out there?

Thanks
-- Larry C$


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
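
The check quoted from query.c in the thread above, reduced to a stand-alone model. This is an added example, not part of the original posts and not BIND code: the struct, the result constants and every function name are hypothetical stand-ins. It contrasts aborting on the inconsistent cache state with failing only the affected query.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the BIND types and result codes in the post. */
enum lookup_result { R_SUCCESS, R_NCACHENXRRSET, R_SERVFAIL };
struct rdataset { bool associated; };   /* true while bound to cached data */

static bool isassociated(const struct rdataset *r) { return r->associated; }
static void disassociate(struct rdataset *r) { r->associated = false; }

/* Mirrors the quoted lines: an inconsistent entry terminates the process. */
enum lookup_result handle_strict(enum lookup_result result,
                                 struct rdataset *rdataset,
                                 struct rdataset *sigrdataset)
{
    if (result == R_NCACHENXRRSET) {
        disassociate(rdataset);
        if (isassociated(sigrdataset)) {
            fprintf(stderr, "INSIST failed, exiting\n");
            abort();   /* the whole resolver stops, for every client */
        }
    }
    return result;
}

/* Defensive variant: release both sets and fail only this one query. */
enum lookup_result handle_tolerant(enum lookup_result result,
                                   struct rdataset *rdataset,
                                   struct rdataset *sigrdataset)
{
    if (result == R_NCACHENXRRSET) {
        disassociate(rdataset);
        if (isassociated(sigrdataset)) {
            disassociate(sigrdataset);
            return R_SERVFAIL;
        }
    }
    return result;
}

int main(void)
{
    /* Constructed input: a negative cache hit that still carries a signature set. */
    struct rdataset rd = { true }, sig = { true };
    enum lookup_result r = handle_tolerant(R_NCACHENXRRSET, &rd, &sig);
    printf("tolerant: result=%d sig_associated=%d\n", r, sig.associated);
    return 0;
}
```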




