Security Incidents: Re: Bind 9.2.X exploit???

[David Conrad <david.conrad () nominum com>]

Not too surprising.

Any exploit that claims to work with both BINDv8 and BINDv9 should be viewed
with a large grain of salt -- the only code the two packages share is the
openssl package and the stub resolver library (included in BINDv9 for
backwards compatibility and not made by default).

Rgds,
-drc

On 7/25/02 10:22 AM, "Jim Clausing" <clausing () ieee org> wrote:

> Actually after analyzing this over on the handlers list, this
> looks like the same TSIG exploit/NAI DoS from Jan 2001 with a few strings
> modified in the source code.  The exploit does not, in fact, actually work
> against bind-9.2.1.
>
> ---Jim
>
> On or about Thu, 25 Jul 2002, Patrick Andry pontificated thusly:
>
> > Probably an exploit based on this:
> > (from http://www.isc.org/products/BIND/bind-security.html )
> >
> >
> > Name: "libbind buffer overflow"
> > Versions affected:     All versions of the stub resolver library from BIND 4
> > prior to 4.9.9.
> > All versions of the stub resolver library from BIND 8 prior to 8.2.6.
> > The stub resolver library from BIND version 8.3.0, 8.3.1, 8.3.2.
> > The BIND 8 compatibility stub resolver library (NOT the lwres library) from
> > BIND
> > versions 9.2.0, 9.2.1.
> > (Disabled by default in BIND 9, enabled if you added --enable-libbind to the
> > configure statement)
> > Severity:     SERIOUS
> > Exploitable:     Remotely
> > Type:     Potential for execution of arbitrary code via buffer overflow.
> >
> > I don't think that you're seeing a 0-day exploit, but maybe someone at the
> > ISC
> > would want a copy of it to check it out.
> >
> >
> >
> >
> > ilker güvercin wrote:
> > > I found a tool on my compramised machine called
> > > bind9 and the source code is still there.
> > > its made by team teso  bind9 Exploit by by scut of
> > > teso [http://teso.scene.at/]...
> > > Usage: ./bind remote_addr domainname target_id
> > > Targets:
> > >  0 - Linux RedHat 6.0 (9.2.x)
> > >  1 - Linux RedHat 6.2 (9.2.x)
> > >  2 - Linux RedHat 7.2 (9.2.x)
> > >  3 - Linux Slackware 8.0 (9.2.x)
> > >  4 - Linux Debian (all) (9.2.x)
> > >  5 - FreeBSD 3.4 (8.2.x)
> > >  6 - FreeBSD 3.5 (8.2.x)
> > >  7 - FreeBSD 4.x (8.2.x)
> > >
> > >  Example usage:
> > > $ host -t ns domain.com
> > > domain.com name server dns1.domain.com
> > > $ ./bind9 dns1.domain.com domain.com 0
> > >  [..expl output..]
> > > I didnt test it; its workin or not.
> > > Anybody have knowlegde about this.Sorry for my
> > > poor english:)
> > > if anyone wanna test it I can send the source code.
> > > holy () linuxmail org
> > >
> > > ----------------------------------------------------------------------------
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management
> > > and tracking system please see: http://aris.securityfocus.com
> >
> >
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com