Bug 20546 - bind 8.2.2-P5 remote DoS
Product: Red Hat Linux
Classification: Retired
Component: bind
All Linux
high Severity medium
Assigned To: Bernhard Rosenkraenzer
Dale Lovelace
: Security
Reported: 2000-11-08 18:32 EST by Daniel Roesen
Modified: 2007-03-26 23:37 EDT
Last Closed: 2000-11-10 04:37:14 EST
Description Daniel Roesen 2000-11-08 18:32:51 EST

 From: "Fabio Pietrosanti (naif)" <fabio@TELEMAIL.IT>
 Subject:      BIND 8.2.2-P5 Possible DOS
 Message-ID:  <Pine.LNX.4.30.0011071339510.29294-100000@naif.inet.it>
 Date:         Tue, 7 Nov 2000 13:40:49 +0100

I can reproduce that, but not 100% reliably. In strace I'm seeing SIGABORTs 

My preferred and most-times-working reproduce path is:

- start named
- issue the ZXFR named-xfer
- do a _recursive_ query via named (non-recursive queries seem not to
Comment 1 Daniel Roesen 2000-11-08 19:07:23 EST
the recursive queried data must NOT be in cache or in a zone that bind is 
authoritative for. These queries are answered and DON'T kill bind.

My now 100% reproducible testcase:

- machine is called "foo.whatever.de".
- local bind 8.2.2-P5, being authoritative for "whatever.de"
- named being open to zone transfers and doing recursive resolving by itself
- start named (==> empty caches)
- try ZXFR for "whatever.de"
- dig @localhost www.someelseoutthere.de A

=> crash

For a trace, hook up on named via strace -p `cat /var/run/named.pid` before the 
recursive query.
Comment 2 Daniel Roesen 2000-11-08 19:15:29 EST
workaround for the moment:

allow-transfer { trusted-hosts; };
Comment 3 Daniel Roesen 2000-11-08 22:25:15 EST
News: "8.2.2-P7 will be available shortly".

Answer from Mark.Andrews@nominum.com in response to my report to bind-
Comment 4 Daniel Roesen 2000-11-09 19:22:58 EST
The fix is to change:
./bin/named/ns_defs.h:#define STREAM_AXFRIXFR           0x22
./bin/named/ns_defs.h:#define STREAM_AXFRIXFR           0x40

Info from Mark and looks right.
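
The fix quoted in Comment 4 moves STREAM_AXFRIXFR from 0x22, which has two bits set, to the single bit 0x40. The block below is an added example, not code from BIND or from the original comment: assuming the STREAM_* constants are combined as bit flags (the page does not show the rest of ns_defs.h), it shows how a two-bit value aliases other flags and how to lint a flag table for that. Every name except STREAM_AXFRIXFR is hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

struct flag { const char *name; unsigned value; };

/* Constructed tables: only STREAM_AXFRIXFR and the values 0x22 / 0x40 come
 * from the bug report. The HYP_* entries are hypothetical single-bit flags
 * standing in for the rest of the header, which the page does not show. */
static const struct flag before_fix[] = {
    { "HYP_FLAG_A", 0x02 }, { "HYP_FLAG_B", 0x10 }, { "HYP_FLAG_C", 0x20 },
    { "STREAM_AXFRIXFR", 0x22 },
};
static const struct flag after_fix[] = {
    { "HYP_FLAG_A", 0x02 }, { "HYP_FLAG_B", 0x10 }, { "HYP_FLAG_C", 0x20 },
    { "STREAM_AXFRIXFR", 0x40 },
};
#define NFLAGS (sizeof before_fix / sizeof before_fix[0])

static int is_single_bit(unsigned v) { return v != 0 && (v & (v - 1)) == 0; }

/* The usual way a flag is tested: true if ANY bit of the mask is set. */
static int flag_is_set(unsigned state, unsigned mask) { return (state & mask) != 0; }

/* Count entries that are not one bit or that reuse a bit of an earlier entry. */
static int count_flag_conflicts(const struct flag *f, size_t n, int verbose)
{
    unsigned seen = 0;
    int conflicts = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_single_bit(f[i].value) || (seen & f[i].value) != 0) {
            conflicts++;
            if (verbose)
                printf("  conflict: %s = 0x%02x\n", f[i].name, f[i].value);
        }
        seen |= f[i].value;
    }
    return conflicts;
}

int main(void)
{
    unsigned state = 0x02; /* only HYP_FLAG_A is set on this stream */
    printf("before fix: %d conflict(s)\n", count_flag_conflicts(before_fix, NFLAGS, 1));
    printf("after fix:  %d conflict(s)\n", count_flag_conflicts(after_fix, NFLAGS, 1));
    printf("state 0x02 looks like AXFRIXFR with 0x22: %d, with 0x40: %d\n",
           flag_is_set(state, 0x22), flag_is_set(state, 0x40));
    return 0;
}
```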
Comment 5 Daniel Roesen 2000-11-10 00:45:44 EST
bind 8.2.2-P7 is released
Comment 6 Bernhard Rosenkraenzer 2000-11-10 04:37:12 EST
8.2.2-P7 has been built in our internal tree and is currently waiting for QA approval.
Comment 7 Daniel Roesen 2000-11-14 12:57:37 EST
OK, errata updates are out of the door, closing as RESOLVED/ERRATA.
