COMMAND
Firewall97
SYSTEMS AFFECTED
Digital UNIX 4.0x
PROBLEM
Jochen Thomas Bauer found the following. In their so-called Knowledge
Database, AltaVista Software states that Firewall97 for Digital
Unix is not affected by the well-known buffer overflow bug present
in BIND versions prior to 4.9.7, since all DNS queries are proxied
through the Firewall's DNS proxy (dnsd), which can relay queries
either to name servers running on other hosts or to a name server
running on the Firewall itself. See:
http://support.altavista-software.com/kb/solutions/firewall/general/259-042398.asp
If the name server is running on the firewall itself (which is an
approved configuration described in the manual), then there is a
very simple way to circumvent the dnsd and attack the named on the
Firewall directly. So, everyone who relied on this assurance
(given shortly after those BIND problems were discovered) and
therefore did not replace the named binary on the firewall with a
self-compiled BIND-4.9.7 named had (and may still have) a major
security hole on his/her firewall. This problem is worsened by
the fact that installation of the firewall software alters some
system files, and therefore the Digital Unix patch utility
(dupatch) will, at least in some cases, refuse to install several
operating system patches, including those for BIND.
To divide the DNS information available about the internal network
into information that is to be given to the outside world and
information that is meant for internal use only, the AltaVista
Firewall97 uses a DNS proxy (dnsd) running on port 53 on the
firewall that redirects queries appropriately: queries from
external hosts are redirected to a name server that holds
information to be given to the outside world, while queries from
internal hosts are redirected to a name server that holds
information meant for internal use only. Each of those two name
servers may be running on another host or on the firewall itself.
If one chooses to run one of the two (or both) name servers on the
firewall, then the named(s) will be configured to listen on port
8053 and/or port 8153 (Firewall97 + Service Pack 3). The
secure_zone statement
secure_zone IN TXT 127.0.0.1:H
in the zone files is then used to ensure that only queries from
localhost (i.e. coming from the dnsd) are answered. The problem is
that the named(s) listening on port 8053/8153 will still take
input from any host, logging each of these (unauthorized) queries
with a line like
named[22343]: Unauthorized request nowhere.example.org from [129.69.xxx.yyy].1945
So, if we want to attack the named on the firewall directly, we
simply have to aim at port 8053/8153 instead of port 53. With no
exploit code for Digital Unix at hand, take a tool that exploits
the named buffer overflow on ix86 machines, change the target port
to 8053/8153 and launch it against the firewall (running
BIND-4.9.3). This causes a segmentation fault and a core dump of
the named. It should be possible to get a root shell out of that
named with the appropriate exploit code for Digital Unix 4.0a and
higher, where the stack is executable.
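The "Unauthorized request" lines above are the one trace a firewall
administrator gets of queries that skipped the dnsd and hit named on
8053/8153 directly. The following Python script is an added example,
not code from the advisory or from AltaVista: it parses syslog lines of
that shape, groups the direct queries by source address so that an
external host probing the named stands out, and checks a named version
string against the BIND 4.9.7 threshold the SOLUTION section relies on.
The syslog timestamp/host prefix, the internal address ranges, the
sample log lines and the address 198.51.100.20 (standing in for the
masked 129.69.xxx.yyy) are all constructed assumptions.

```python
"""Added example (not part of the advisory): spot DNS queries that reach the
named listening on 8053/8153 directly, bypassing the Firewall97 dnsd, by
scanning syslog for the "Unauthorized request" lines the secure_zone check
writes, and check a named version against the 4.9.7 threshold."""
import re
from ipaddress import ip_address, ip_network

# The "named[pid]: Unauthorized request <name> from [<ip>].<port>" shape is
# taken from the advisory; the syslog timestamp/host prefix is assumed.
UNAUTH_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: Unauthorized request (?P<qname>\S+) "
    r"from \[(?P<src>\d+\.\d+\.\d+\.\d+)\]\.(?P<sport>\d+)"
)

# Assumed internal address ranges; replace with the site's own networks.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def parse_unauthorized(line):
    """Return the fields of an 'Unauthorized request' line, or None."""
    m = UNAUTH_RE.search(line)
    if m is None:
        return None
    return {
        "pid": int(m.group("pid")),
        "qname": m.group("qname"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
    }


def classify_source(src):
    """dnsd relays from 127.0.0.1; anything else talked to named directly."""
    addr = ip_address(src)
    if addr.is_loopback:
        return "dnsd"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def bypass_report(lines):
    """Group direct (non-loopback) queries by source address.

    Each entry counts the hits and collects the names queried, so an
    external source probing 8053/8153 stands out; normal proxied traffic
    never produces these lines at all."""
    hits = {}
    for line in lines:
        rec = parse_unauthorized(line)
        if rec is None or classify_source(rec["src"]) == "dnsd":
            continue
        entry = hits.setdefault(
            rec["src"],
            {"origin": classify_source(rec["src"]), "count": 0, "qnames": set()},
        )
        entry["count"] += 1
        entry["qnames"].add(rec["qname"])
    return hits


def bind_version_tuple(version):
    """'4.9.3' -> (4, 9, 3); a patch suffix such as '4.9.5-P1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if m is None:
        raise ValueError("unrecognised BIND version: %r" % version)
    return tuple(int(part or 0) for part in m.groups())


def named_needs_upgrade(version):
    """True when named is older than the BIND 4.9.7 the advisory requires."""
    return bind_version_tuple(version) < (4, 9, 7)


# Constructed sample log: 198.51.100.20 stands in for the masked
# 129.69.xxx.yyy of the advisory; the dnsd line is invented filler.
SAMPLE_LOG = [
    "Sep 14 03:12:41 fw named[22343]: Unauthorized request "
    "nowhere.example.org from [198.51.100.20].1945",
    "Sep 14 03:12:42 fw named[22343]: Unauthorized request "
    "nowhere.example.org from [198.51.100.20].1946",
    "Sep 14 03:13:05 fw named[22343]: Unauthorized request "
    "intranet.example.org from [192.168.1.7].53201",
    "Sep 14 03:13:09 fw dnsd[2201]: query for www.example.org relayed",
]

if __name__ == "__main__":
    for src, info in sorted(bypass_report(SAMPLE_LOG).items()):
        print("%-15s %-8s %3d hits  %s" % (
            src, info["origin"], info["count"], ", ".join(sorted(info["qnames"]))))
    for v in ("4.9.3", "4.9.7", "8.1.2"):
        print("named %s needs upgrade: %s" % (v, named_needs_upgrade(v)))
```

Run it against a copy of the firewall's syslog instead of SAMPLE_LOG; any
"external" entry means the dnsd is being bypassed and the named itself is
the exposed surface, which is exactly the case the advisory describes.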
Let's turn to the patching problems now: JT Bauer installed
Firewall97 on Digital Unix 4.0b + patch kit DUV40BAS00005-19971009
shortly after those BIND problems had been discovered last year.
The Aggregate Selective patch kit duv40bas00008-19980821, released
in August 1998, contained fixes for BIND. When he tried to apply
this patch kit, the dupatch utility found that several system files
had been changed by the installation of the firewall software and
refused to install several patches, to ensure that no altered
system file got overwritten by a new one from the patch kit.
Unfortunately, among the patches that were not installed was the
patch for BIND. It is not known whether there is a single patch
(rather than an Aggregate Selective patch kit) for Digital Unix
addressing only those BIND problems, nor whether that one would
install.
SOLUTION
The fix for the problems described above is quite simple: compile
a BIND-4.9.7 named for Digital Unix and replace the named on the
firewall with that one. To fix this problem do the following:
1) Apply SP3 to Firewall97 to fix dnsd, which connects the
internal and external nameds together; there is a bug in the
pre-SP3 dnsd. As was pointed out above, you still have to
upgrade named to 4.9.7.
2) Better yet, upgrade to Firewall98, which fixes this problem.
Remember that older software is more likely to have bugs, and
Firewall98 is more stable than Firewall97. The UNIX
version of Firewall97 was having problems with DNS;
Firewall97 on DU brought secure DNS into the product, which
was quite a step. There is no comparison between
Firewall97 and Firewall98 on NT: run, don't walk, to
Firewall98 if you use NT. According to the updated
information about the BIND problem available at
http://support.altavista-software.com/kb/solutions/firewall/general/259-042398.asp
BIND 4.9.7 was shipped as part of AltaVista Firewall 98
for DIGITAL UNIX but inadvertently was not being used.
So, after upgrading to Firewall 98 you will probably have
to follow the instructions given on that page to enable
the use of BIND-4.9.7.
3) The best solution is to upgrade named to 8.1.2. This
breaks the installation scripts, but they were not good
for DNS anyhow: the scripts do a poor job of setting up
the MX records. The people in product support recommend
8.1.2. There is no fancy GUI for this; just UNIX.