Not too surprising. Any exploit that claims to work with both BINDv8 and
BINDv9 should be viewed with a large grain of salt -- the only code the two
packages share is the openssl package and the stub resolver library (included
in BINDv9 for backwards compatibility and not made by default).

Rgds,
-drc

On 7/25/02 10:22 AM, "Jim Clausing" <clausingat_private> wrote:

>
> Actually after analyzing this over on the handlers list, this
> looks like the same TSIG exploit/NAI DoS from Jan 2001 with a few strings
> modified in the source code. The exploit does not, in fact, actually work
> against bind-9.2.1.
>
> ---Jim
>
> On or about Thu, 25 Jul 2002, Patrick Andry pontificated thusly:
>
>> Probably an exploit based on this:
>> (from http://www.isc.org/products/BIND/bind-security.html )
>>
>>
>> Name: "libbind buffer overflow"
>> Versions affected: All versions of the stub resolver library from BIND 4
>> prior to 4.9.9.
>> All versions of the stub resolver library from BIND 8 prior to 8.2.6.
>> The stub resolver library from BIND version 8.3.0, 8.3.1, 8.3.2.
>> The BIND 8 compatibility stub resolver library (NOT the lwres library)
>> from BIND versions 9.2.0, 9.2.1.
>> (Disabled by default in BIND 9, enabled if you added --enable-libbind to
>> the configure statement)
>> Severity: SERIOUS
>> Exploitable: Remotely
>> Type: Potential for execution of arbitrary code via buffer overflow.
>>
>> I don't think that you're seeing a 0-day exploit, but maybe someone at the
>> ISC would want a copy of it to check it out.
>>
>>
>> ilker güvercin wrote:
>>>
>>> I found a tool on my compromised machine called
>>> bind9 and the source code is still there.
>>> It's made by team teso. bind9 Exploit by by scut of
>>> teso [http://teso.scene.at/]...
>>> Usage: ./bind remote_addr domainname target_id
>>> Targets:
>>> 0 - Linux RedHat 6.0 (9.2.x)
>>> 1 - Linux RedHat 6.2 (9.2.x)
>>> 2 - Linux RedHat 7.2 (9.2.x)
>>> 3 - Linux Slackware 8.0 (9.2.x)
>>> 4 - Linux Debian (all) (9.2.x)
>>> 5 - FreeBSD 3.4 (8.2.x)
>>> 6 - FreeBSD 3.5 (8.2.x)
>>> 7 - FreeBSD 4.x (8.2.x)
>>>
>>> Example usage:
>>> $ host -t ns domain.com
>>> domain.com name server dns1.domain.com
>>> $ ./bind9 dns1.domain.com domain.com 0
>>> [..expl output..]
>>> I didn't test whether it's working or not.
>>> Does anybody have knowledge about this? Sorry for my
>>> poor English :)
>>> If anyone wants to test it I can send the source code.
>>> holyat_private
>>>
>>> ----------------------------------------------------------------------------
>>> This list is provided by the SecurityFocus ARIS analyzer service.
>>> For more information on this free incident handling, management
>>> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 25 2002 - 11:08:59 PDT