|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: David Conrad (david.conrad_at_nominum.com)
Date: Thu Jul 25 2002 - 12:56:31 CDT
Not too surprising.
Any exploit that claims to work with both BINDv8 and BINDv9 should be viewed
with a large grain of salt -- the only code the two packages share is the
openssl package and the stub resolver library (included in BINDv9 for
backwards compatibility and not made by default).
Rgds,
-drc
On 7/25/02 10:22 AM, "Jim Clausing" <clausing
ieee.org> wrote:
>
> Actually after analyzing this over on the handlers list, this
> looks like the same TSIG exploit/NAI DoS from Jan 2001 with a few strings
> modified in the source code. The exploit does not, in fact, actually work
> against bind-9.2.1.
>
> ---Jim
>
> On or about Thu, 25 Jul 2002, Patrick Andry pontificated thusly:
>
>> Probably an exploit based on this:
>> (from http://www.isc.org/products/BIND/bind-security.html )
>>
>>
>> Name: "libbind buffer overflow"
>> Versions affected: All versions of the stub resolver library from BIND 4
>> prior to 4.9.9.
>> All versions of the stub resolver library from BIND 8 prior to 8.2.6.
>> The stub resolver library from BIND version 8.3.0, 8.3.1, 8.3.2.
>> The BIND 8 compatibility stub resolver library (NOT the lwres library) from
>> BIND
>> versions 9.2.0, 9.2.1.
>> (Disabled by default in BIND 9, enabled if you added --enable-libbind to the
>> configure statement)
>> Severity: SERIOUS
>> Exploitable: Remotely
>> Type: Potential for execution of arbitrary code via buffer overflow.
>>
>> I don't think that you're seeing a 0-day exploit, but maybe someone at the
>> ISC
>> would want a copy of it to check it out.
>>
>>
>>
>>
>> ilker güvercin wrote:
>>>
>>> I found a tool on my compramised machine called
>>> bind9 and the source code is still there.
>>> its made by team teso bind9 Exploit by by scut of
>>> teso [http://teso.scene.at/]...
>>> Usage: ./bind remote_addr domainname target_id
>>> Targets:
>>> 0 - Linux RedHat 6.0 (9.2.x)
>>> 1 - Linux RedHat 6.2 (9.2.x)
>>> 2 - Linux RedHat 7.2 (9.2.x)
>>> 3 - Linux Slackware 8.0 (9.2.x)
>>> 4 - Linux Debian (all) (9.2.x)
>>> 5 - FreeBSD 3.4 (8.2.x)
>>> 6 - FreeBSD 3.5 (8.2.x)
>>> 7 - FreeBSD 4.x (8.2.x)
>>>
>>> Example usage:
>>> $ host -t ns domain.com
>>> domain.com name server dns1.domain.com
>>> $ ./bind9 dns1.domain.com domain.com 0
>>> [..expl output..]
>>> I didnt test it; its workin or not.
>>> Anybody have knowlegde about this.Sorry for my
>>> poor english:)
>>> if anyone wanna test it I can send the source code.
>>> holylinuxmail.org
>>>
>>> ----------------------------------------------------------------------------
>>> This list is provided by the SecurityFocus ARIS analyzer service.
>>> For more information on this free incident handling, management
>>> and tracking system please see: http://aris.securityfocus.com
>>
>>
>>
>>
>> ----------------------------------------------------------------------------
>> This list is provided by the SecurityFocus ARIS analyzer service.
>> For more information on this free incident handling, management
>> and tracking system please see: http://aris.securityfocus.com
>>
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]