SecurityTracker.com

Category: Application (Generic) > BIND
Vendors: ISC (Internet Software Consortium)
(OpenBSD Issues Fix) BIND4 and BIND8 Multiple Bugs Let Remote Users Crash the Service or Execute Arbitrary Code
SecurityTracker Alert ID: 1005635
SecurityTracker URL: http://securitytracker.com/id/1005635
CVE Reference: CVE-2002-1219, CVE-2002-1220, CVE-2002-1221
Date: Nov 15 2002
Impact: Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 8.3.3-REL and prior; 4.9.10-REL and prior
Description: Several vulnerabilities were reported in the BIND4 and BIND8 implementations of the Domain Name System (DNS) protocol. A remote user can cause the service to crash. A remote user may be able to execute arbitrary code on the server.

Internet Security Systems reported that a remote user can cause the DNS service to execute arbitrary code or to crash, due to a buffer overflow vulnerability and two denial of service vulnerabilities.

A remote user with control of an authoritative DNS server may be able to cause BIND to cache certain DNS information if recursion is enabled on the target DNS server. According to the report, recursion is enabled by default. The remote user can then generate DNS responses containing malformed SIG resource records (RR) that can trigger a buffer overflow on the target server, executing the remote user's arbitrary code.

A remote user can also cause a BIND 8 server configured for recursion to crash, due to two separate flaws: one triggered by a large OPT payload and one caused by a null pointer dereference.

A remote user can reportedly request a DNS lookup on a nonexistent sub-domain of a valid domain name and attach a large OPT resource record to trigger the crash. Queries performed against domains with unreachable authoritative DNS servers may also cause the target server to crash.

A remote user with control of an authoritative name server can try to cause a target DNS server to cache SIG RR elements that have invalid expiry times. According to the report, these elements will be removed from the BIND internal database, but may be improperly referenced later, causing a denial of service condition.

According to the report, BIND9 is not affected.

Impact: A remote user could execute arbitrary code on the server. A remote user could cause the server to crash.
Solution: OpenBSD has released the following patches:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/005_named.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/019_named.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/036_named.patch

The vendor reports that the fix has been committed to OpenBSD-current as well as to the 3.2, 3.1 and 3.0 -stable branches.

Vendor URL: www.isc.org/products/BIND/
Cause: Boundary error, Input validation error, State error
Underlying OS: UNIX (OpenBSD)
Underlying OS Comments: 3.0, 3.1, 3.2

Message History: This archive entry is a follow-up to the message listed below.
Nov 12 2002: BIND4 and BIND8 Multiple Bugs Let Remote Users Crash the Service or Execute Arbitrary Code



Source Message Contents

Subject: patch for named buffer overflow now available


A patch for the named buffer overflow is now available.  The bug
could allow an attacker to execute code as the user that named runs
as.  In the default OpenBSD named configuration, named runs as its
own, non-root, user in a chrooted jail.  This lessens the impact
of the bug to the level of a denial of service.  Anyone not running
named chrooted should start to do so immediately.

For more information on the bug, please see:
http://www.isc.org/products/BIND/bind-security.html
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469

The fix has been committed to OpenBSD-current as well as to the
3.2, 3.1 and 3.0 -stable branches.

The following patches are also available for OpenBSD 3.2, 3.1 and 3.0
respectively:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/005_named.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/019_named.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/036_named.patch

 
 

