>
Interesting in light of the recent DNS problems plaguing the net this past week.
>Internet Security Systems Security Alert
>January 29, 2001
>
>Remote Vulnerabilities in BIND versions 4 and 8
>
>Synopsis:
>
>ISS X-Force is aware of several vulnerabilities in current versions of
>Internet Software Consortium's Berkeley Internet Name Domain (BIND).
>There is a buffer overflow present in BIND version 8 that an attacker
>could use to remotely execute arbitrary code. Version 4 of BIND
>contains three vulnerabilities, a buffer overflow and a format string
>vulnerability, both of which allow a remote attacker to execute
>arbitrary code, and a vulnerability which can expose the environment
>variables of the BIND server. BIND is the most popular implementation
>of the Domain Name Service (DNS) protocol. DNS is the Internet protocol
>that converts host and domain names into their corresponding IP
>addresses and vice-versa.
>
>Description:
>
>ISC BIND 8 Buffer Overflow in Transaction Signature (TSIG) Handling Code:
>BIND 8 contains a vulnerability that may allow a remote attacker to
>compromise any server with a vulnerable version of BIND installed. The
>vulnerability is present in Transaction Signatures (TSIG) functionality.
>Most current versions up to version 9.x are vulnerable. It is not
>necessary for the remote attacker to control an authoritative DNS server
>to the target to exploit this vulnerability. Both recursive and
>non-recursive servers are vulnerable.
>
>ISC BIND 4 Buffer Overflow in nslookupComplain():
>A vulnerability exists in BIND 4 which under very specific circumstances
>may allow remote attackers to compromise servers running vulnerable
>versions of BIND 4. A buffer overflow condition in the
>nslookupComplain() function may be exploited to grant access to remote
>users. The attacker must have control of the target's authoritative
>nameserver to successfully exploit this vulnerability.
>
>ISC BIND 4 Input Validation Error in nslookupComplain():
>The second vulnerability present in BIND 4 is present in the
>nslookupComplain() function as well. A user-supplied format string may
>be manipulated to run arbitrary code. The attacker must have control of
>the target's authoritative nameserver to successfully exploit this
>vulnerability.
>
>ISC BIND 4 Exposure of Environment Variables:
>This vulnerability may allow a remote attacker to expose variables
>within the BIND server. By sending a malformed query to vulnerable BIND
>servers, a remote attacker can gain access to the program stack.
>
>Additional limitations to successful exploitation of this vulnerability
>include the use of a limited character set when constructing the
>overflow string, as well as dynamic conditions such as the layout and
>allocation of memory for the BIND process.
>
>Affected Systems:
>
>ISC BIND version 8:
>8.2, 8.2.1
>8.2.2 through 8.2.2-P7
>8.2.3-T1A through 8.2.3-T9B
>ISC BIND version 4:
>4.9.3 through 4.9.7
>
>Recommendations:
>
>It is recommended that all DNS administrators using BIND 4.9.x upgrade
>to BIND 4.9.8 and those using BIND 8.2.x upgrade to BIND 8.2.3. These
>upgrades may be found at: ftp://ftp.isc.org/isc/BIND/src/.
>
>DNS administrators should take precautions to limit the effects of
>permissions on their DNS server installations. The DNS server should
>never be executed with super-user privileges, and should also be
>sandboxed under a chroot environment.
>
>Please refer to the following URL for information on the use of chroot
>in order to provide an additional layer of security for exposed
>services:
>http://securityportal.com/cover/coverstory20001002.html
>
>ISS SAFEsuite intrusion detection system, RealSecure, and network
>security assessment product, Internet Scanner, will have signatures
>available to detect these vulnerabilities in the next X-Press Updates.
>
>Credits and References:
>
>CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND
>http://www.cert.org/advisories/CA-2001-02.html
>Network Associates Advisory
>http://www.pgp.com/research/covert/advisories.asp
>Internet Software Consortium
>http://www.isc.org/products/BIND/bind-security.html
>New BIND 4 and BIND 8 releases
>ftp://ftp.isc.org/isc/bind/src/
>BIND 9.1
>ftp://ftp.isc.org/isc/bind9/
>
>
The Laughing Ghoul
Emperor of alt.2600.archangel
Emperor of alt.fan.gumby
Emperor of alt.music.operation-ivy
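
Added example, not part of the original post or the ISS alert: a triage check that compares version strings reported by name servers against the "Affected Systems" ranges and upgrade targets quoted above. The status names, the sample inventory, the T < release < P ordering and the handling of a "-REL" suffix are assumptions made for this sketch.

```python
import re

# Inclusive ranges copied from the advisory's "Affected Systems" list.
AFFECTED = [
    ("8.2", "8.2"), ("8.2.1", "8.2.1"),
    ("8.2.2", "8.2.2-P7"),
    ("8.2.3-T1A", "8.2.3-T9B"),
    ("4.9.3", "4.9.7"),
]
# Upgrade targets named in the advisory's recommendations, by major version.
FIXED = {4: "4.9.8", 8: "8.2.3"}

VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:([TP])(\d+)([A-Z]?)|REL))?$")
# Assumed ordering within one x.y.z: test builds (T) < release < patch (P).
STAGE_RANK = {"T": -1, None: 0, "P": 1}

def version_key(version):
    """Turn '8.2.2-P5' or '8.2.3-T9B' into a tuple that sorts correctly."""
    m = VERSION_RE.match(version.strip().upper())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % version)
    major, minor, patch, stage, num, letter = m.groups()
    return (int(major), int(minor), int(patch or 0),
            STAGE_RANK[stage], int(num or 0), letter or "")

def classify(version):
    """Return 'affected', 'at-or-above-fix' or 'not-listed'."""
    k = version_key(version)
    if any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED):
        return "affected"
    fixed = FIXED.get(k[0])
    if fixed and k >= version_key(fixed):
        return "at-or-above-fix"
    # The advisory makes no statement about this version either way.
    return "not-listed"

def triage(inventory):
    """Map each host to its status; unparseable strings need a manual look."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "unparsed"
    return report

if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"ns1.example.net": "8.2.2-P5", "ns2.example.net": "8.2.3-REL",
              "ns3.example.net": "4.9.7", "ns4.example.net": "unknown"}
    for host, status in sorted(triage(sample).items()):
        print(host, status)
```

A "not-listed" result only means the quoted advisory does not name that version; it is not evidence that the server is safe.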