AltaVista Firewall97

From: Jochen Thomas Bauer (jtbat_private-STUTTGART.DE)
Date: Thu Feb 25 1999 - 03:57:20 PST

    Hello everyone,
    
    Before I begin I want to make one thing clear:
    I told AltaVista about this problem about 4 weeks ago. The next day I got
    a reply saying that my message had been forwarded to engineering. Since
    then nothing has happened, so I think it's time to send this to BUGTRAQ:
    
    
    Abstract:
    
    In their so-called Knowledge Database, AltaVista Software states that
    Firewall97 for Digital Unix is not affected by the well-known buffer
    overflow bug present in BIND versions prior to 4.9.7, since all DNS queries
    are proxied through the Firewall's DNS proxy (dnsd), which can relay
    queries either to name servers running on other hosts or to a name server
    running on the Firewall itself.
    
    See: http://support.altavista-software.com/kb/solutions/firewall/general/259-042398.asp
    
    If the name server is running on the firewall itself (which is an approved
    configuration described in the manual), then there is a very simple way to
    circumvent the dnsd and attack the named on the Firewall directly. So
    everyone who relied on this assurance (given shortly after those BIND
    problems were discovered) and therefore did not replace the named binary on
    the firewall with a self-compiled BIND-4.9.7 named had (and may still have)
    a major security hole on his/her firewall.
    
    This problem is worsened by the fact that installation of the firewall
    software will alter some system files and therefore the Digital Unix patch
    utility (dupatch) will, at least in some cases, refuse to install several
    operating system patches including those for BIND.
    
    
    The Detailed Story:
    
    To divide the DNS information available about the internal network into
    information that is to be given to the outside world and information
    that is meant for internal use only, the AltaVista Firewall97 uses a DNS
    proxy (dnsd) running on port 53 on the firewall that redirects queries
    appropriately: Queries from external hosts are redirected to a name server
    that holds information to be given to the outside world, while queries from
    internal hosts are redirected to a name server that holds information meant
    for internal use only. Each of those two name servers may be running on another
    host or on the firewall itself. If one chooses to run one of the two or both
    name servers on the firewall, then the named(s) will be configured to listen
    on port 8053 and/or port 8153 (Firewall97 + Service Pack 3). The secure_zone
    statement
    
    secure_zone     IN      TXT     127.0.0.1:H
    
    in the zone files is then used to ensure that only queries from localhost
    (coming from the dnsd) are answered.
    
    The problem is that the named(s) running on port 8053/8153 will take input
    from any host, logging these (unauthorized) queries like:
    
    named[22343]: Unauthorized request nowhere.example.org from [129.69.xxx.yyy].1945
    
    So, if we want to attack the named on the firewall directly, we simply have
    to aim at port 8053/8153 instead of aiming at port 53. As I had no exploit code
    for Digital Unix I took a tool to exploit the named buffer overflow on ix86
    machines from www.rootshell.com, changed the target port to 8053/8153 and
    launched it against the firewall (running BIND-4.9.3). This caused a
    segmentation fault with core dump of the named. It should be possible to get a
    root shell out of that named with the appropriate exploit code for Digital Unix
    4.0a and higher, where the stack is executable.
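A defender can use exactly the log line quoted above to tell whether the proxy is being bypassed: any "Unauthorized request" that the named on 8053/8153 logs from a source other than 127.0.0.1 did not come through dnsd. The following detector is an added example, not code from the advisory or from AltaVista; the log lines it runs over are constructed, and the regex assumes the message format shown above.

```python
import re
from collections import defaultdict

# Pattern for the "Unauthorized request" line quoted in the advisory:
#   named[22343]: Unauthorized request nowhere.example.org from [129.69.xxx.yyy].1945
UNAUTH_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: Unauthorized request (?P<qname>\S+) "
    r"from \[(?P<src>[0-9.]+)\]\.(?P<sport>\d+)"
)

# Per the secure_zone setup, only dnsd on the firewall itself (127.0.0.1) is
# supposed to talk to the named(s) on 8053/8153.
ALLOWED_SOURCES = {"127.0.0.1"}


def parse_unauthorized(line):
    """Return (pid, qname, src, sport) for an 'Unauthorized request' line, else None."""
    m = UNAUTH_RE.search(line)
    if not m:
        return None
    return m.group("pid"), m.group("qname"), m.group("src"), int(m.group("sport"))


def find_proxy_bypass(lines, allowed=ALLOWED_SOURCES):
    """Map each non-localhost source that reached named directly to the names it asked for."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_unauthorized(line)
        if parsed is None:
            continue
        _pid, qname, src, _sport = parsed
        if src not in allowed:
            hits[src].append(qname)
    return dict(hits)


# Constructed sample syslog lines (not from the advisory); 192.0.2.x and
# 198.51.100.x are documentation address ranges. The 127.0.0.1 line is included
# only to exercise the allow-list.
SAMPLE_LOG = """\
Feb 25 03:50:01 fw named[22343]: Unauthorized request nowhere.example.org from [192.0.2.10].1945
Feb 25 03:50:02 fw named[22343]: Unauthorized request www.example.org from [127.0.0.1].2001
Feb 25 03:50:03 fw dnsd[1200]: query www.example.org from 10.1.1.5
Feb 25 03:50:04 fw named[22343]: Unauthorized request mail.example.org from [192.0.2.10].1946
Feb 25 03:50:05 fw named[22343]: Unauthorized request ns.example.net from [198.51.100.7].53
""".splitlines()

if __name__ == "__main__":
    for src, names in find_proxy_bypass(SAMPLE_LOG).items():
        print(f"dnsd bypass suspected from {src}: {len(names)} direct queries, e.g. {names[0]}")
```

A single hit is enough to show that the 8053/8153 listeners are reachable from outside and that the named binary, not the proxy, is what an attacker would be talking to.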
    
    Let's turn to the patching problems now: I installed Firewall97 on Digital Unix
    4.0b + patch kit DUV40BAS00005-19971009 shortly after those BIND problems had
    been discovered last year. The Aggregate Selective patch kit duv40bas00008-19980821
    released in August 1998 contained fixes for BIND. When I tried to apply this patch,
    the dupatch utility found that several system files had changed due to the
    installation of the firewall software and refused to install several patches to
    ensure that no altered system file got overwritten by a new one from the patch
    kit. Unfortunately, among the patches that were not installed was the patch for
    BIND. I don't know if there is a single patch kit (not an Aggregate Selective patch
    kit) for Digital Unix addressing only those BIND problems and if that one works.
    
    The fix for the problems described above is quite simple: compile a BIND-4.9.7
    named for Digital Unix and replace the named on the firewall with that one.
    However, what cannot be fixed is the fact that a lot of people were convinced
    that their firewall was secure, while in reality everyone who had this knowledge
    about DNS on Firewall97 and the ability to write exploit code for Digital Unix
    was probably able to immediately root-compromise their firewall.
    
    --
    Jochen Bauer
    Institute for Theoretical Physics
    University of Stuttgart
    Germany
    
    PGP public key available from:
    http://www.theo2.physik.uni-stuttgart.de/jtb.html
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:32 PDT