Bug 20546 - bind 8.2.2-P5 remote DoS
Summary: bind 8.2.2-P5 remote DoS
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: bind
Version: 6.2
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact: Dale Lovelace
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
Reported: 2000-11-08 23:32 UTC by Daniel Roesen
Modified: 2007-03-27 03:37 UTC (History)
Last Closed: 2000-11-10 09:37:14 UTC


Description Daniel Roesen 2000-11-08 23:32:51 UTC
see:

 From: "Fabio Pietrosanti (naif)" <fabio@TELEMAIL.IT>
 To: BUGTRAQ@SECURITYFOCUS.COM
 Subject:      BIND 8.2.2-P5 Possible DOS
 Message-ID:  <Pine.LNX.4.30.0011071339510.29294-100000@naif.inet.it>
 Date:         Tue, 7 Nov 2000 13:40:49 +0100

I can reproduce that, but not 100% reliably. In strace I'm seeing SIGABORTs
and SIGSEGVs.

My preferred and most-times-working reproduce path is:

- start named
- issue the ZXFR named-xfer
- do a _recursive_ query via named (non-recursive queries seem not to
  harm).

Comment 1 Daniel Roesen 2000-11-09 00:07:23 UTC
The recursively queried data must NOT be in cache or in a zone that bind is
authoritative for. These queries are answered and DON'T kill bind.

My now 100% reproducible testcase:

- machine is called "foo.whatever.de".
- local bind 8.2.2-P5, being authoritative for "whatever.de"
- named being open to zone transfers and doing recursive resolving by itself
- start named (==> empty caches)
- try ZXFR for "whatever.de"
- dig @localhost www.someelseoutthere.de A

=> crash

For a trace, hook up on named via strace -p `cat /var/run/named.pid` before the 
recursive query.

Comment 2 Daniel Roesen 2000-11-09 00:15:29 UTC
Workaround for the moment:

allow-transfer { trusted-hosts; };

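As an added illustration (not part of the bug report or the Red Hat package), a named.conf fragment that defines the trusted-hosts ACL the workaround references and applies it globally, with the open setting shown commented out for comparison; the addresses and file name are constructed placeholders.

```conf
// Added example, not from the bug report: restrict zone transfers in
// BIND 8 named.conf so only listed hosts may request AXFR/IXFR/ZXFR.
// Addresses and the zone file name are constructed placeholders.

acl "trusted-hosts" {
    192.0.2.10;        // secondary nameserver (placeholder)
    192.0.2.11;        // secondary nameserver (placeholder)
    localhost;         // BIND built-in ACL
};

options {
    directory "/var/named";
    // Open setting (equivalent to BIND 8's behaviour when nothing is set):
    // allow-transfer { any; };
    // Workaround from the report: only members of the ACL may transfer zones.
    allow-transfer { "trusted-hosts"; };
};

zone "whatever.de" {
    type master;
    file "whatever.de.zone";
    // No per-zone allow-transfer here, so the global restriction applies;
    // a per-zone statement would override it for this zone only.
};
```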
Comment 3 Daniel Roesen 2000-11-09 03:25:15 UTC
News: "8.2.2-P7 will be available shortly".

Answer from Mark.Andrews@nominum.com in response to my report to bind-bugs@isc.org.

Comment 4 Daniel Roesen 2000-11-10 00:22:58 UTC
The fix is to change:
./bin/named/ns_defs.h:#define STREAM_AXFRIXFR           0x22
to:
./bin/named/ns_defs.h:#define STREAM_AXFRIXFR           0x40

Info from Mark and looks right.

Comment 5 Daniel Roesen 2000-11-10 05:45:44 UTC
bind 8.2.2-P7 is released

Comment 6 Bernhard Rosenkraenzer 2000-11-10 09:37:12 UTC
8.2.2-P7 has been built in our internal tree and is currently waiting for QA approval.


Comment 7 Daniel Roesen 2000-11-14 17:57:37 UTC
OK, errata updates are out of the door, closing as RESOLVED/ERRATA.
