Re: Bind 9.2.X exploit???
From: David Conrad (david.conrad@nominum.com)
Date: 07/25/02
- Previous message: Jim Clausing: "Re: Bind 9.2.X exploit???"
- In reply to: Jim Clausing: "Re: Bind 9.2.X exploit???"
- Next in thread: Joseph: "Surge of attacks on ports 61127 & 61134"
- Reply: Joseph: "Surge of attacks on ports 61127 & 61134"
Date: Thu, 25 Jul 2002 10:56:31 -0700
From: David Conrad <david.conrad@nominum.com>
To: Jim Clausing <clausing@ieee.org>, Patrick Andry <pandry@wolverinefreight.ca>

Not too surprising.
Any exploit that claims to work with both BINDv8 and BINDv9 should be viewed
with a large grain of salt -- the only code the two packages share is the
openssl package and the stub resolver library (included in BINDv9 for
backwards compatibility and not made by default).
Rgds,
-drc
On 7/25/02 10:22 AM, "Jim Clausing" <clausing@ieee.org> wrote:
>
> Actually after analyzing this over on the handlers list, this
> looks like the same TSIG exploit/NAI DoS from Jan 2001 with a few strings
> modified in the source code. The exploit does not, in fact, actually work
> against bind-9.2.1.
>
> ---Jim
>
> On or about Thu, 25 Jul 2002, Patrick Andry pontificated thusly:
>
>> Probably an exploit based on this:
>> (from http://www.isc.org/products/BIND/bind-security.html )
>>
>>
>> Name: "libbind buffer overflow"
>> Versions affected: All versions of the stub resolver library from BIND 4
>> prior to 4.9.9.
>> All versions of the stub resolver library from BIND 8 prior to 8.2.6.
>> The stub resolver library from BIND version 8.3.0, 8.3.1, 8.3.2.
>> The BIND 8 compatibility stub resolver library (NOT the lwres library) from
>> BIND versions 9.2.0, 9.2.1.
>> (Disabled by default in BIND 9, enabled if you added --enable-libbind to the
>> configure statement)
>> Severity: SERIOUS
>> Exploitable: Remotely
>> Type: Potential for execution of arbitrary code via buffer overflow.
>>
>> I don't think that you're seeing a 0-day exploit, but maybe someone at the
>> ISC would want a copy of it to check it out.
>>
>> ilker güvercin wrote:
>>>
>>> I found a tool on my compromised machine called
>>> bind9 and the source code is still there.
>>> It's made by team teso bind9 Exploit by by scut of
>>> teso [http://teso.scene.at/]...
>>> Usage: ./bind remote_addr domainname target_id
>>> Targets:
>>> 0 - Linux RedHat 6.0 (9.2.x)
>>> 1 - Linux RedHat 6.2 (9.2.x)
>>> 2 - Linux RedHat 7.2 (9.2.x)
>>> 3 - Linux Slackware 8.0 (9.2.x)
>>> 4 - Linux Debian (all) (9.2.x)
>>> 5 - FreeBSD 3.4 (8.2.x)
>>> 6 - FreeBSD 3.5 (8.2.x)
>>> 7 - FreeBSD 4.x (8.2.x)
>>>
>>> Example usage:
>>> $ host -t ns domain.com
>>> domain.com name server dns1.domain.com
>>> $ ./bind9 dns1.domain.com domain.com 0
>>> [..expl output..]
>>> I didn't test it; it's working or not.
>>> Anybody have knowledge about this. Sorry for my
>>> poor English :)
>>> If anyone wanna test it I can send the source code.
>>> holy@linuxmail.org
>>>
>>> ----------------------------------------------------------------------------
>>> This list is provided by the SecurityFocus ARIS analyzer service.
>>> For more information on this free incident handling, management
>>> and tracking system please see: http://aris.securityfocus.com