Re: BIND 9.2.1 crashes

From: Benjamin Franz (snowharenihongo.org)
Date: Mon Oct 06 2003 - 12:17:48 CDT


On Mon, 6 Oct 2003, Keith Bergen wrote:

> Benjamin,
>
> My paranoia always assumes a buffer overflow and compromise.
> BIND 9.2.1 appears to be vulnerable to a buffer overflow. I
> would recommend updating it. Typically the attackers will
> exploit the overflow, and then install their rootkits. Then
> they will disable the DNS so that you have to reboot the
> machine, thus permanently installing their root kits.
>
> Check out this page:
> http://www.isc.org/products/BIND/bind-security.html

Thanks. RedHat backpatches fixes and the current version of 9.2.1
distributed by them is not vulnerable to the items listed there AFAIK. I
am, and have been, running the latest version of BIND distributed by RH.

This is not to say that a _new_ vulnerability may not have been found.
This is why I posted this to Incidents - it feels like it could be a new 0
day.

> Next, download the Root Kit Checker and compile and run it:
> http://www.chkrootkit.org/

Done. Both machines checked out as clean according to it.

--
Benjamin Franz

>
> Hope this helps,
> Keith.
>
>
> ---- Original message ----
> >Date: Sun, 5 Oct 2003 14:06:34 -0700 (PDT)
> >From: Benjamin Franz <snowharenihongo.org>
> >Subject: BIND 9.2.1 crashes
> >To: incidentssecurityfocus.com
> >
> >
> >This is going to necessarily be sketchy on details because I don't have
> >many.
> >
> >In the last 48 hours I've had two nameservers on completely separate
> >subnets crash with no indication as to what crashed them. Both nameservers
> >are running BIND 9.2.1 (One system is running RH 7.3, BIND 9.2.1-1.7x.2.
> >The other system is running RH 7.2, BIND 9.2.1-1.7x.2).
> >
> >The named on the RH7.3 system 'tied itself in a knot' without formally
> >dying - it just stopped doing name service after a lot of 'no more
> >recursive clients: quota reached' messages (related to a maillist mailing
> >I believe initially - but this had stopped before I was called in - at
> >which time the named was still refusing service, but hadn't logged
> >anything in 40 minutes). The named on the RH7.2 system completely died
> >with no logged messages at all about 18 hours after the RH7.3 system
> >problem, with no unusual activity preceding its death - it just stopped
> >for no apparent reason).
> >
> >The 7.2 system has been running for several months with no issues. The 7.3
> >system was brought online a week ago - and had no trouble until this.
> >
> >Has anyone else been seeing BIND crashes on previously stable systems in
> >the last week?
> >
> >--
> >Benjamin Franz
> >
> >Gauss's law is always true, but it is not always useful.
> > -- David J. Griffiths, "Introduction to Electrodynamics"

--
Jerry

Gauss's law is always true, but it is not always useful.
    -- David J. Griffiths, "Introduction to Electrodynamics"
