On Thu, 11 Nov 1999, Anonymous wrote:

> Ooh, those pesky NXT records. Like I process those every day.
> Fascinating read in RFC 2535, but suppose I don't have any NXT
> records in my own zones, under what circumstances will my DNS server
> commit the sin of "the processing of NXT records"? In other words,
> are all of us vulnerable (even caching-only name servers if so, I
> imagine!), or only people with NXT records? This makes a big difference!

I won't go into exact details of exploiting the vuln because it gets kinda hairy, but it's a real threat. I can get EIP on multiple versions of BIND.

Tested so far: 812-t3b, 812-t4b, 812, and 821.

The exploit has failed on a particular 812 binary I have, but a recent 812 binary (both of these bins compiled from source retrieved from isc.org) was exploitable. Go figure. I also have an 812-t3b binary which the exploit does not work on.

So far, I can't find a pattern as to which versions of BIND actually process NXT RRs. As I said, I had two binaries of the 812 release: one processed NXT RRs and the other didn't.

The overflow takes place processing *ANY* answer from another nameserver. All the answer needs to contain is a properly formatted NXT record. It doesn't matter whether it answers the question, but the answer name must match the queried name.

nimrood
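The precondition nimrood describes (an answer section carrying a well-formed RFC 2535 NXT record whose owner name equals the question name) can be checked on the wire without touching BIND at all. The following is an added example, not code from the thread or from ISC: it builds a DNS response with one NXT RR in the answer section and a parser that lists every NXT RR in a response together with whether its owner matches the question name. The packet, the names (www.example.com, zzz.example.com, other.example.com) and the transaction id are constructed for illustration; the builder writes uncompressed names, the parser accepts RFC 1035 compression pointers. It does not reproduce the overflow, only the shape of the message the post says triggers it.

```python
"""Build and inspect DNS responses carrying an RFC 2535 NXT record."""
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_NXT = 1, 2, 6, 30
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as uncompressed RFC 1035 labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode the name at pkt[off:], following compression pointers.

    Returns (name, offset just past the name as written at `off`).
    """
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                              # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def nxt_type_bitmap(types):
    """RFC 2535 5.2 type bit map: bit n (MSB first) is set if type n is present.

    Trailing zero octets are dropped; bit 30 (NXT itself) is always set, so
    the map is never shorter than 4 octets.
    """
    bm = bytearray(16)
    for t in set(types) | {TYPE_NXT}:
        if not 0 < t < 128:
            raise ValueError("NXT bit map covers types 1..127 only")
        bm[t // 8] |= 0x80 >> (t % 8)
    while bm[-1] == 0:
        bm.pop()
    return bytes(bm)


def decode_type_bitmap(bm):
    """Inverse of nxt_type_bitmap: ascending list of type numbers."""
    return [i * 8 + b for i, byte in enumerate(bm)
            for b in range(8) if byte & (0x80 >> b)]


def build_nxt_response(qname, qtype, owner, next_name, types, ttl=3600, txid=0x1234):
    """Constructed response: one question, one NXT RR in the answer section."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, NOERROR
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    rdata = encode_name(next_name) + nxt_type_bitmap(types)     # NXT RDATA (RFC 2535 5.2)
    answer = (encode_name(owner)
              + struct.pack("!HHIH", TYPE_NXT, CLASS_IN, ttl, len(rdata))
              + rdata)
    return header + question + answer


def parse_response(pkt):
    """Return (first question name, answer RRs as (owner, rtype, rdata_offset, rdata))."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        off += 4                                       # QTYPE, QCLASS
        qname = qname or name
    for _ in range(an):
        owner, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        answers.append((owner, rtype, off, pkt[off:off + rdlen]))
        off += rdlen
    return qname, answers


def parse_nxt_rdata(pkt, off, rdlen):
    """NXT RDATA = next domain name followed by the type bit map."""
    next_name, end = decode_name(pkt, off)
    return next_name, decode_type_bitmap(pkt[end:off + rdlen])


def nxt_answers(pkt):
    """Every NXT RR in the answer section as (owner, next_name, types, owner == qname).

    The last field is the condition the post gives: the answer name must
    match the queried name; whether the RR answers the question is irrelevant.
    """
    qname, answers = parse_response(pkt)
    found = []
    for owner, rtype, off, rdata in answers:
        if rtype == TYPE_NXT:
            next_name, types = parse_nxt_rdata(pkt, off, len(rdata))
            found.append((owner, next_name, types, owner.lower() == qname.lower()))
    return found


if __name__ == "__main__":
    # Constructed sample: A query for www.example.com answered with an NXT RR.
    pkt = build_nxt_response("www.example.com.", TYPE_A,
                             "www.example.com.", "zzz.example.com.", {TYPE_A})
    print(nxt_answers(pkt))
```

Run on a response captured in front of a resolver, `nxt_answers` flags exactly the case the post singles out: an NXT RR in the answer section whose owner equals the name that was asked for, regardless of the query type.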
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:12:10 PDT