Re: Bind 9.2.X exploit???
From: Jim Clausing (clausing@ieee.org)
Date: 07/25/02
Date: Thu, 25 Jul 2002 13:22:23 -0400 (EDT)
From: Jim Clausing <clausing@ieee.org>
To: Patrick Andry <pandry@wolverinefreight.ca>
Actually after analyzing this over on the handlers list, this
looks like the same TSIG exploit/NAI DoS from Jan 2001 with a few strings
modified in the source code. The exploit does not, in fact, actually work
against bind-9.2.1.
---Jim
On or about Thu, 25 Jul 2002, Patrick Andry pontificated thusly:
> Probably an exploit based on this:
> (from http://www.isc.org/products/BIND/bind-security.html )
>
>
> Name: "libbind buffer overflow"
> Versions affected: All versions of the stub resolver library from BIND 4
> prior to 4.9.9.
> All versions of the stub resolver library from BIND 8 prior to 8.2.6.
> The stub resolver library from BIND version 8.3.0, 8.3.1, 8.3.2.
> The BIND 8 compatibility stub resolver library (NOT the lwres library) from BIND
> versions 9.2.0, 9.2.1.
> (Disabled by default in BIND 9, enabled if you added --enable-libbind to the
> configure statement)
> Severity: SERIOUS
> Exploitable: Remotely
> Type: Potential for execution of arbitrary code via buffer overflow.
>
> I don't think that you're seeing a 0-day exploit, but maybe someone at the ISC
> would want a copy of it to check it out.
>
> ilker güvercin wrote:
> >
> > I found a tool on my compromised machine called
> > bind9 and the source code is still there.
> > its made by team teso bind9 Exploit by by scut of
> > teso [http://teso.scene.at/]...
> > Usage: ./bind remote_addr domainname target_id
> > Targets:
> > 0 - Linux RedHat 6.0 (9.2.x)
> > 1 - Linux RedHat 6.2 (9.2.x)
> > 2 - Linux RedHat 7.2 (9.2.x)
> > 3 - Linux Slackware 8.0 (9.2.x)
> > 4 - Linux Debian (all) (9.2.x)
> > 5 - FreeBSD 3.4 (8.2.x)
> > 6 - FreeBSD 3.5 (8.2.x)
> > 7 - FreeBSD 4.x (8.2.x)
> >
> > Example usage:
> > $ host -t ns domain.com
> > domain.com name server dns1.domain.com
> > $ ./bind9 dns1.domain.com domain.com 0
> > [..expl output..]
> > I didn't test it; it's working or not.
> > Anybody have knowledge about this. Sorry for my
> > poor English :)
> > If anyone wanna test it I can send the source code.
> > holy@linuxmail.org
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com