BIND Exploits

From: Dom De Vitto (domat_private)
Date: Wed Nov 13 2002 - 05:19:55 PST


    I take it everyone has seen the latest advisory from ISC?
    
    Anyone got an idea exactly where the problem is, or got an exploit?
    
    ISC do say that an exploit isn't available, but it's been a few hours
    since then :-)
    
    
    Dom
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Dom De Vitto                                       Tel. 07855 805 271
    http://www.devitto.com                         mailto:domat_private
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
    -----Original Message-----
    From: Fyodor [mailto:fyodorat_private] 
    Sent: Monday, November 04, 2002 6:08 PM
    To: Frank Knobbe
    Cc: Michael Katz; vuln-devat_private; d_fenceat_private
    Subject: Re: Firewall bypassing tool
    
    
    On Sun, Nov 03, 2002 at 05:02:49PM -0600, Frank Knobbe wrote:
    > On Fri, 2002-11-01 at 13:38, Michael Katz wrote:
    > > At 11/1/2002 03:28 AM, d_fence wrote:
    > > 
    > > One of the options for scanning is -sF, which will send SYN-FIN
    > > packets.  You can also use -sA, which will send SYN-ACK packets.
    > 
    > I was about to post the same, but thought I validate first. To me it 
    > seemed that nmap sends a packet with the FIN flag set. I did not see 
    > the SYN flag set in addition to FIN, so nmap is not an answer to his 
    > question.
    
    Nmap has an undocumented --scanflags option which allows you to specify
    arbitrary flags using the flag names or a number.  Thus a SYN-FIN scan
    can be done as follows:
    
    felix~#nmap -sS --scanflags SYNFIN -O db
    
    Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
    Interesting ports on db.yuma.net (192.168.0.4):
    (The 1601 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    111/tcp    open        sunrpc
    1024/tcp   open        kdm
    Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
    Uptime 58.471 days (since Fri Sep  6 23:45:12 2002)
    
    Nmap run completed -- 1 IP address (1 host up) scanned in 10.651 seconds
    
    Note that "-sS" causes this scan to use "SYN Scan" semantics (e.g.
    treating SYN|ACK responses as open ports).  For FIN scan semantics
    (dropped packets signify open ports, RST for closed ones) just specify
    "-sF" instead.
    
    Cheers,
    Fyodor
    
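The flag semantics Fyodor describes, seen from the firewall side, as an added example (not code from the thread or from nmap): it labels TCP flag combinations in constructed tcpdump-style lines, counts anomalous probes per source host, and reproduces the open/closed inference nmap draws for -sS versus -sF. The log format, the addresses and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed tcpdump-style sample (not from the thread): a SYN-FIN and a FIN
# probe from one host against a target, plus ordinary traffic.
SAMPLE = """\
IP 10.0.0.5.40000 > 192.168.0.4.22: Flags [SF], seq 1, win 1024
IP 192.168.0.4.22 > 10.0.0.5.40000: Flags [S.], seq 2, ack 2, win 5840
IP 10.0.0.5.40001 > 192.168.0.4.111: Flags [F], seq 1, win 1024
IP 10.0.0.5.40002 > 192.168.0.4.25: Flags [SF], seq 1, win 1024
IP 192.168.0.4.25 > 10.0.0.5.40002: Flags [R.], seq 0, ack 2, win 0
IP 10.0.0.9.51000 > 192.168.0.4.80: Flags [S], seq 7, win 65535
""".splitlines()

# tcpdump flag letters: S=SYN, F=FIN, R=RST, P=PSH, U=URG, '.'=ACK
FLAG_RE = re.compile(r"^IP (\S+) > (\S+): Flags \[([SFRPU.]*)\]")
# Combinations no well-behaved stack originates on a fresh connection; SYN-FIN
# is the one in the thread, which a filter matching only bare SYNs lets through.
ANOMALOUS = {frozenset("SF"): "syn-fin", frozenset(): "null", frozenset("FPU"): "xmas"}

def parse(line):
    # Return (src, dst, flag set) or None for lines that are not TCP.
    m = FLAG_RE.match(line)
    return None if m is None else (m.group(1), m.group(2), frozenset(m.group(3)))

def classify(flags):
    # Label a flag combination the way a firewall or IDS rule would.
    if flags in ANOMALOUS:
        return ANOMALOUS[flags]
    return "fin-only" if flags == frozenset("F") else "normal"  # plain -sF probe

def scanner_inference(semantics, reply):
    # Port state nmap derives from a reply, as Fyodor describes for -sS vs -sF;
    # reply is the responding packet's flag set, or None if nothing came back.
    if semantics == "-sS":
        if reply == frozenset("S."):
            return "open"              # SYN|ACK means a listener answered
        return "closed" if reply and "R" in reply else "filtered"
    # -sF: a silently dropped FIN reads as open, a RST as closed; a device
    # dropping the probe looks identical to an open port, so treat with care.
    return "closed" if reply and "R" in reply else "open"

def audit(lines):
    # Count anomalous probe types per source host (port stripped from the address).
    hits = Counter()
    for parsed in filter(None, map(parse, lines)):
        label = classify(parsed[2])
        if label != "normal":
            hits[(parsed[0].rsplit(".", 1)[0], label)] += 1
    return hits
```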

    This archive was generated by hypermail 2b30 : Wed Nov 13 2002 - 08:53:25 PST