Re: Bind 9.2.X exploit???

From: Jim Clausing (clausingat_private)
Date: Thu Jul 25 2002 - 10:22:23 PDT


    Actually after analyzing this over on the handlers list, this
    looks like the same TSIG exploit/NAI DoS from Jan 2001 with a few strings
    modified in the source code.  The exploit does not, in fact, actually work
    against bind-9.2.1.
    
    ---Jim
    
    On or about Thu, 25 Jul 2002, Patrick Andry pontificated thusly:
    
    > Probably an exploit based on this:
    > (from http://www.isc.org/products/BIND/bind-security.html )
    >
    >
    > Name: "libbind buffer overflow"
    > Versions affected:     All versions of the stub resolver library from BIND 4
    > prior to 4.9.9.
    > All versions of the stub resolver library from BIND 8 prior to 8.2.6.
    > The stub resolver library from BIND version 8.3.0, 8.3.1, 8.3.2.
    > The BIND 8 compatibility stub resolver library (NOT the lwres library) from BIND
    > versions 9.2.0, 9.2.1.
    > (Disabled by default in BIND 9, enabled if you added --enable-libbind to the
    > configure statement)
    > Severity:     SERIOUS
    > Exploitable:     Remotely
    > Type:     Potential for execution of arbitrary code via buffer overflow.
    >
    > I don't think that you're seeing a 0-day exploit, but maybe someone at the ISC
    > would want a copy of it to check it out.
    >
    >
    >
    >
    > ilker güvercin wrote:
    > >
    > > I found a tool on my compromised machine called
    > > bind9 and the source code is still there.
    > > it's made by team teso  bind9 Exploit by by scut of
    > > teso [http://teso.scene.at/]...
    > > Usage: ./bind remote_addr domainname target_id
    > > Targets:
    > >  0 - Linux RedHat 6.0 (9.2.x)
    > >  1 - Linux RedHat 6.2 (9.2.x)
    > >  2 - Linux RedHat 7.2 (9.2.x)
    > >  3 - Linux Slackware 8.0 (9.2.x)
    > >  4 - Linux Debian (all) (9.2.x)
    > >  5 - FreeBSD 3.4 (8.2.x)
    > >  6 - FreeBSD 3.5 (8.2.x)
    > >  7 - FreeBSD 4.x (8.2.x)
    > >
    > >  Example usage:
    > > $ host -t ns domain.com
    > > domain.com name server dns1.domain.com
    > > $ ./bind9 dns1.domain.com domain.com 0
    > >  [..expl output..]
    > > I didn't test it; it's working or not.
    > > Anybody have knowledge about this. Sorry for my
    > > poor English :)
    > > if anyone wanna test it I can send the source code.
    > > holyat_private
    > >
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see: http://aris.securityfocus.com
    >
    >
    >
    >
    >
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 25 2002 - 10:47:19 PDT