Re: Bind 9.2.X exploit???

From: Patrick Andry (pandryat_private)
Date: Thu Jul 25 2002 - 04:11:00 PDT


    Probably an exploit based on this:
    (from http://www.isc.org/products/BIND/bind-security.html )
    
    
    Name: "libbind buffer overflow"
    Versions affected:
      - All versions of the stub resolver library from BIND 4 prior to 4.9.9.
      - All versions of the stub resolver library from BIND 8 prior to 8.2.6.
      - The stub resolver library from BIND version 8.3.0, 8.3.1, 8.3.2.
      - The BIND 8 compatibility stub resolver library (NOT the lwres library)
        from BIND versions 9.2.0, 9.2.1.
        (Disabled by default in BIND 9, enabled if you added --enable-libbind
        to the configure statement)
    Severity: SERIOUS
    Exploitable: Remotely
    Type: Potential for execution of arbitrary code via buffer overflow.
    
    I don't think that you're seeing a 0-day exploit, but maybe someone at the ISC 
    would want a copy of it to check it out.
    
    
    
    
    ilker güvercin wrote:
    > 
    > I found a tool on my compromised machine called 
    > bind9 and the source code is still there.
    > It's made by team teso  bind9 Exploit by by scut of 
    > teso [http://teso.scene.at/]...
    > Usage: ./bind remote_addr domainname target_id
    > Targets:
    >  0 - Linux RedHat 6.0 (9.2.x)
    >  1 - Linux RedHat 6.2 (9.2.x)
    >  2 - Linux RedHat 7.2 (9.2.x)
    >  3 - Linux Slackware 8.0 (9.2.x)
    >  4 - Linux Debian (all) (9.2.x)
    >  5 - FreeBSD 3.4 (8.2.x)
    >  6 - FreeBSD 3.5 (8.2.x)
    >  7 - FreeBSD 4.x (8.2.x)
    > 
    >  Example usage:
    > $ host -t ns domain.com
    > domain.com name server dns1.domain.com
    > $ ./bind9 dns1.domain.com domain.com 0
    >  [..expl output..]
    > I didn't test whether it's working or not.
    > Does anybody have knowledge about this? Sorry for my 
    > poor English :)
    > If anyone wants to test it, I can send the source code.
    > holyat_private
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 25 2002 - 08:21:52 PDT