From: Max Vision (visionWHITEHATS.COM)
Date: Mon Jan 29 2001 - 17:50:31 CST


    Hi,

    The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard-coded
    CHAOS record called "authors". So now even if an admin changes or
    suppresses their version reply string, a remote user can still determine
    whether the server is running BIND 9.x. With the recent discovery of the
    TSIG bug in BIND there will probably be a huge rise in version
    queries. Some attackers may remove ambiguity by skipping servers that
    reply to authors.bind (inferring that it's BIND 9.1.0 and not vulnerable).

    % dig ns.example.com authors.bind chaos txt

    or

    % nslookup -q=txt -class=CHAOS authors.bind. ns.example.com
    Server: ns.example.com
    Address: 23.23.23.23

    authors.bind text = "Bob Halley"
    authors.bind text = "Mark Andrews"
    authors.bind text = "James Brister"
    authors.bind text = "Michael Graff"
    authors.bind text = "David Lawrence"
    authors.bind text = "Michael Sawyer"
    authors.bind text = "Brian Wellington"
    authors.bind text = "Andreas Gustafsson"

    The following Snort signature will detect these probes:
    alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS480/named-probe-authors"; \
        content: "|07|authors|04|bind"; depth: 32; offset: 12; nocase;)
    http://whitehats.com/info/IDS480

    Max
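The probe and the detection logic described in the message, as an added Python example that is not part of the original post and not BIND or Snort code: it builds the same wire-format query that `dig ns.example.com authors.bind chaos txt` sends (QTYPE TXT = 16, QCLASS CHAOS = 3), parses a constructed reply laid out the way BIND 9 answers (one TXT RR per author, the name compressed back to the question), and applies the match that the IDS480 rule expresses, `content: "|07|authors|04|bind"` at `offset: 12` (just past the 12-byte DNS header) within `depth: 32`, case-insensitively. The author strings are taken from the reply quoted above; every packet here is constructed in the script, nothing is sent on the network, and the function names are this example's own.

```python
"""Added example: authors.bind CHAOS TXT probe, reply parsing, and the IDS480-style match."""
import struct

QTYPE_TXT = 16      # TXT record type
QCLASS_CHAOS = 3    # CHAOS class, where BIND keeps version.bind / authors.bind


def encode_name(name: str) -> bytes:
    """Wire-format a DNS name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str = "authors.bind", txid: int = 0x1234) -> bytes:
    """12-byte header (RD set, one question) followed by QNAME, QTYPE=TXT, QCLASS=CHAOS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)


def decode_name(data: bytes, off: int):
    """Decode labels at off, following a 0xC0 compression pointer; return (name, next offset)."""
    labels, jumped, end = [], False, off
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        if ln == 0:
            off += 1
            if not jumped:
                end = off
            break
        off += 1
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end


def parse_txt_answers(resp: bytes):
    """Return the TXT strings from the answer section of a CHAOS-class reply."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4                                    # skip QTYPE + QCLASS
    strings = []
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            i = 0
            while i < len(rdata):                   # TXT RDATA is <len><chars> repeated
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
    return strings


def build_reply(query: bytes, authors) -> bytes:
    """Constructed reply in BIND 9's shape: QR|AA set, one TXT RR per author, name as pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(authors), 0, 0)
    answers = b""
    for author in authors:
        txt = bytes([len(author)]) + author.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(txt)) + txt
    return header + query[12:] + answers


def snort_content(pattern: str) -> bytes:
    """Turn Snort content syntax (|hex| segments between literal text) into raw bytes."""
    out = b""
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return out


IDS480_CONTENT = snort_content("|07|authors|04|bind")


def matches_ids480(udp_payload: bytes) -> bool:
    """Same match as the rule: content at offset 12, depth 32, nocase, over the UDP payload."""
    window = udp_payload[12:12 + 32].lower()        # nocase: DNS names are case-insensitive
    return IDS480_CONTENT in window


if __name__ == "__main__":
    q = build_query()
    r = build_reply(q, ["Bob Halley", "Mark Andrews", "James Brister"])
    print("query matches IDS480:", matches_ids480(q))
    print("authors in reply:", parse_txt_answers(r))
    print("version.bind probe matches IDS480:", matches_ids480(build_query("version.bind")))
```

The match is applied to the question name, so it fires on the probe itself (and, because the reply echoes the question, on the answer as well) while a version.bind query does not match; the `nocase` modifier matters because a probe for `AUTHORS.BIND` is answered the same way by the server.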