Re: Bind 9.2.X exploit???

From: Patrick Andry (pandry@wolverinefreight.ca)
Date: 07/25/02


Date: Thu, 25 Jul 2002 07:11:00 -0400
From: Patrick Andry <pandry@wolverinefreight.ca>
To: ilker güvercin <holy@linuxmail.org>

Probably an exploit based on this:
(from http://www.isc.org/products/BIND/bind-security.html )

Name: "libbind buffer overflow"
Versions affected: All versions of the stub resolver library from BIND 4
prior to 4.9.9.
All versions of the stub resolver library from BIND 8 prior to 8.2.6.
The stub resolver library from BIND version 8.3.0, 8.3.1, 8.3.2.
The BIND 8 compatibility stub resolver library (NOT the lwres library) from BIND
versions 9.2.0, 9.2.1.
(Disabled by default in BIND 9, enabled if you added --enable-libbind to the
configure statement)
Severity: SERIOUS
Exploitable: Remotely
Type: Potential for execution of arbitrary code via buffer overflow.

I don't think that you're seeing a 0-day exploit, but maybe someone at the ISC
would want a copy of it to check it out.

ilker güvercin wrote:
>
> I found a tool on my compromised machine called
> bind9 and the source code is still there.
> It's made by team teso bind9 Exploit by by scut of
> teso [http://teso.scene.at/]...
> Usage: ./bind remote_addr domainname target_id
> Targets:
> 0 - Linux RedHat 6.0 (9.2.x)
> 1 - Linux RedHat 6.2 (9.2.x)
> 2 - Linux RedHat 7.2 (9.2.x)
> 3 - Linux Slackware 8.0 (9.2.x)
> 4 - Linux Debian (all) (9.2.x)
> 5 - FreeBSD 3.4 (8.2.x)
> 6 - FreeBSD 3.5 (8.2.x)
> 7 - FreeBSD 4.x (8.2.x)
>
> Example usage:
> $ host -t ns domain.com
> domain.com name server dns1.domain.com
> $ ./bind9 dns1.domain.com domain.com 0
> [..expl output..]
> I didn't test it; it's working or not.
> Anybody have knowledge about this. Sorry for my
> poor English :)
> If anyone wanna test it I can send the source code.
> holy@linuxmail.org
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
