COMMAND
BIND
SYSTEMS AFFECTED
Bind 8.2.2-P5 (and P6) and earlier
PROBLEM
Fabio Pietrosanti (naif) found the following. While experimenting with BIND
and its ZXFR feature (a compressed zone transfer, which invokes gzip through a
possibly insecure execlp("gzip", "gzip", NULL); call), he discovered a DoS
against BIND 8.2.2-P5.
By default BIND 8.2.2-P5 is not compiled with ZXFR support (it is only built
in when you #define BIND_ZXFR), so a stock server refuses any ZXFR request
because it does not support that transfer type. What happens when such a
request arrives anyway is shown below.
################################
zone to transfer: zone.pippo.com
dns server: dns.pippo.com 192.168.1.1
me: naif.gatesux.com 10.10.10.10
We send a Zone Transfer request using the "-Z" switch, which means that
we wish to use ZXFR. dns.pippo.com doesn't support ZXFR and has
"allow-transfer{}" not configured, so everyone can ask it for
*.zone.pippo.com ...
<naif@naif> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer -z zone.pippo.com -d 9 -f pics -Z dns.pippo.com
named-xfer[29297]: send AXFR query 0 to 192.168.1.1
named-xfer[29297]: premature EOF, fetching "zone.pippo.com"
On the server's log:
Nov 7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com"
Nov 7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to [10.10.10.10].2284
Then the server will "*** CRASH ***".
A lot of DNS servers are misconfigured and allow zone transfers to
anyone, so they can be DoS'ed...
This has been tested against bind 8.2.2-P5 compiled on:
AIX 4.3.3
Slackware 4.0
FreeBSD 3.3
Debian potato
Solaris7
RedHat 6.2
Mandrake 7.1
and after a few seconds they all crash! Note that this even happened
with bind-8.2.2-P6 (?) from ports on OpenBSD 2.7/sparc.
Olaf Kirch found the same thing and reported it to the BIND team.
The problem seems to be that named sets a flag called
STREAM_AXFRIXFR when it is about to send an AXFR. This flag
(0x22) is just the same as setting the flags 0x20 (we have valid
AXFR info, which is not true at this point), and 0x02 (we're
selecting for write events, which isn't true either at this
point).
What happens is that in the normal AXFR case, it happens sooner or
later that we _do_ want to select for a write, and assert the
STREAM_WRITE_EV flag 0x2, and put a valid pointer in evID_w.
Later, when the stream is closed, that pointer is freed properly.
In the case of a ZXFR though, ns_xfr() jumps straight to a call to
sq_remove(), which cleans up the struct associated with this TCP
stream. It comes across the flag that asserts STREAM_WRITE_EV and
releases the pointer contained in evID_w, which at that point is
essentially garbage.
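The C program below is an added example, not BIND source code: a reduced model of the flag aliasing just described. The three flag values (0x02, 0x20, 0x22) and the names STREAM_WRITE_EV, STREAM_AXFRIXFR, evID_w, ns_xfr and sq_remove come from the text above; the two-member stream struct, the sentinel that stands in for never-initialised memory (so the buggy path can be observed instead of crashing), and the hardened variant (a marker bit that does not overlap STREAM_WRITE_EV plus zero-initialisation) are this example's own assumptions, not the 8.2.2-P7 fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Flag values as given in the advisory text. */
#define STREAM_WRITE_EV   0x02   /* selecting for write events; evID_w is armed */
#define STREAM_AXFR       0x20   /* we hold valid AXFR state */
#define STREAM_AXFRIXFR   0x22   /* == STREAM_AXFR | STREAM_WRITE_EV: the aliasing bug */
/* Example's own replacement marker with a bit of its own (assumption, not the P7 patch). */
#define STREAM_XFR_PENDING 0x40

/* Reduced model of the per-TCP-stream state; BIND's real struct has many more members. */
struct qstream {
    unsigned flags;
    void    *evID_w;     /* write-event handle, meaningful only when STREAM_WRITE_EV is set */
};

/* Stand-in for the stale memory evID_w holds before a write event is armed:
 * a recognisable non-NULL value the model can detect instead of passing it to free(). */
#define UNINITIALISED ((void *)(uintptr_t)0xdeadbeef)

/* Does STREAM_AXFRIXFR alone make the cleanup believe a write event is armed? */
int axfrixfr_implies_write_ev(void)
{
    return (STREAM_AXFRIXFR & STREAM_WRITE_EV) != 0;   /* 1: the bits overlap */
}

/* Model of the sq_remove() check quoted above: release the write-event handle
 * whenever STREAM_WRITE_EV is set. Returns 1 if that would free a pointer that
 * was never assigned (the crash), 0 if the stream is torn down cleanly. */
static int sq_remove_model(struct qstream *sp)
{
    int garbage = 0;
    if (sp->flags & STREAM_WRITE_EV) {
        if (sp->evID_w == UNINITIALISED)
            garbage = 1;           /* real code: free() on garbage -> crash */
        else
            free(sp->evID_w);      /* real handle (or NULL): released correctly */
        sp->evID_w = NULL;
        sp->flags &= ~STREAM_WRITE_EV;
    }
    return garbage;
}

/* Normal AXFR: the marker is set, later the write path really arms a write
 * event (0x02 plus a valid evID_w), and cleanup frees it properly. */
int axfr_path_frees_garbage(void)
{
    struct qstream sp = { 0, UNINITIALISED };
    sp.flags |= STREAM_AXFRIXFR;            /* "about to send an AXFR" */
    sp.flags |= STREAM_WRITE_EV;            /* select for write ... */
    sp.evID_w = malloc(16);                 /* ... and arm a real handle */
    return sq_remove_model(&sp);            /* 0: freed the real handle */
}

/* ZXFR request: the marker is set, then ns_xfr() finds the type unsupported
 * and jumps straight to sq_remove() without ever arming a write event.
 * With hardened != 0 the model uses the non-overlapping marker bit and
 * zero-initialises the stream, so no write event is ever implied. */
int zxfr_path_frees_garbage(int hardened)
{
    struct qstream sp;
    if (hardened) {
        memset(&sp, 0, sizeof sp);          /* flags == 0, evID_w == NULL */
        sp.flags |= STREAM_XFR_PENDING;
    } else {
        sp.flags = 0;
        sp.evID_w = UNINITIALISED;          /* stale stack/heap contents */
        sp.flags |= STREAM_AXFRIXFR;        /* 0x22: silently sets 0x02 as well */
    }
    /* "unsupported XFR (type ZXFR)": straight to teardown */
    return sq_remove_model(&sp);            /* 1 on the buggy path, 0 when hardened */
}

int main(void)
{
    printf("STREAM_AXFRIXFR sets STREAM_WRITE_EV: %d\n", axfrixfr_implies_write_ev());
    printf("AXFR teardown frees garbage:        %d\n", axfr_path_frees_garbage());
    printf("ZXFR teardown frees garbage:        %d\n", zxfr_path_frees_garbage(0));
    printf("ZXFR teardown, hardened:            %d\n", zxfr_path_frees_garbage(1));
    return 0;
}
```

The point the model makes is that a composite flag value whose bits double as "resource X is live" markers turns every early-exit cleanup into a use of whatever X happens to contain; the ZXFR refusal path is simply the first early exit an unauthenticated client could reach.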
SOLUTION
BIND 9.0.0 has no ZXFR code at all. For BIND 8 the fix is included in
8.2.2-P7.
If you have restricted zone transfers on your named to authorised
hosts, a ZXFR request from anywhere else fails on the ACL check and
does not have the same DoS potential: in tests the server could not be
crashed when an ACL restricted the zone transfer.
The attack works and crashes the server if:
1. You have zone transfers open to the entire universe. (The
logic of which is debatable and almost certainly stupid.)
2. The zone transfer is requested from a location that is
already allowed to do zone transfers. Authorised transfer
peers can crash the server at will.
On FreeBSD 4-STABLE and 5-CURRENT with BIND 8.2.3-T5B and T6B plus
aa_patch, the described `DoS/exploit' does not work. The logs show
that an unsupported zone transfer type was received, but named just
keeps on ticking. Patches:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/bind-8.2.2p7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/bind-8.2.2p7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/bind-8.2.2p7.tgz
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/bind-8.2.2P7-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-devel-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-doc-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-utils-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/bind-8.2.2P7-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-devel-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-doc-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-utils-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/bind-8.2.2P7-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-devel-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-doc-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-utils-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/bind-8.2.2P7-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-devel-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-doc-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-utils-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/bind-8.2.2P7-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-devel-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-doc-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-utils-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/bind-8.2.2P7-2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-8.2.2P7-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-devel-8.2.2P7-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-doc-8.2.2P7-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-utils-8.2.2P7-2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/bind-8.2.2P7-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-devel-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-doc-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-utils-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/bind-8.2.2P7-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-devel-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-doc-8.2.2P7-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-utils-8.2.2P7-1cl.i386.rpm
For Linux-Mandrake:
Linux-Mandrake 6.0: 6.0/RPMS/bind-8.2.2P7-1.3mdk.i586.rpm
6.0/RPMS/bind-devel-8.2.2P7-1.3mdk.i586.rpm
6.0/RPMS/bind-utils-8.2.2P7-1.3mdk.i586.rpm
6.0/SRPMS/bind-8.2.2P7-1.3mdk.src.rpm
Linux-Mandrake 6.1: 6.1/RPMS/bind-8.2.2P7-1.2mdk.i586.rpm
6.1/RPMS/bind-devel-8.2.2P7-1.2mdk.i586.rpm
6.1/RPMS/bind-utils-8.2.2P7-1.2mdk.i586.rpm
6.1/SRPMS/bind-8.2.2P7-1.2mdk.src.rpm
Linux-Mandrake 7.0: 7.0/RPMS/bind-8.2.2P7-1.2mdk.i586.rpm
7.0/RPMS/bind-devel-8.2.2P7-1.2mdk.i586.rpm
7.0/RPMS/bind-utils-8.2.2P7-1.2mdk.i586.rpm
7.0/SRPMS/bind-8.2.2P7-1.2mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/bind-8.2.2P7-1.2mdk.i586.rpm
7.1/RPMS/bind-devel-8.2.2P7-1.2mdk.i586.rpm
7.1/RPMS/bind-utils-8.2.2P7-1.2mdk.i586.rpm
7.1/SRPMS/bind-8.2.2P7-1.2mdk.src.rpm
Linux-Mandrake 7.2: 7.2/RPMS/bind-8.2.2P7-1.1mdk.i586.rpm
7.2/RPMS/bind-devel-8.2.2P7-1.1mdk.i586.rpm
7.2/RPMS/bind-utils-8.2.2P7-1.1mdk.i586.rpm
7.2/SRPMS/bind-8.2.2P7-1.1mdk.src.rpm
Caldera Systems advise that, as a minimum, you restrict zone transfers
to those hosts that actually act as your secondary name servers. You
can do this by adding an "allow-transfer" statement to each zone you
act as primary for (note that every address in the list, and the zone
statement itself, must be terminated with a semicolon). For instance:
    zone "foobar.com" {
        type master;
        file "foobar.com";
        allow-transfer { 192.168.1.1; 192.168.3.17; };
    };
This will not completely protect you from the ZXFR attack, but the
only sites then able to perform it are those listed in the
allow-transfer clause.
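Whether a server is exposed to arbitrary clients (the precondition in naif's demonstration above, and what the allow-transfer statement is meant to close) can be checked by asking it for an ordinary AXFR and looking at the first reply. The C program below is an added example, not BIND or named-xfer code: it builds the AXFR query in DNS wire format and classifies the first response message from its header alone. It deliberately sends AXFR (type 252), never ZXFR, so it cannot trigger the crash on an unpatched server. The two sample responses are constructed here, not captured from a real server, and the "allowed" sample omits the SOA record that would follow its header because the classifier does not read past the header counts.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

enum xfr_verdict { XFR_ALLOWED, XFR_REFUSED, XFR_OTHER, XFR_MALFORMED };

#define QTYPE_AXFR 252   /* standard zone transfer; ZXFR is deliberately not used here */

/* Encode "zone.pippo.com" as DNS labels. Returns bytes written, -1 on error. */
static int encode_name(const char *name, uint8_t *out, size_t cap)
{
    size_t pos = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t lab = dot ? (size_t)(dot - name) : strlen(name);
        if (lab == 0 || lab > 63 || pos + 1 + lab + 1 > cap)
            return -1;               /* empty label, oversize label, or no room */
        out[pos++] = (uint8_t)lab;
        memcpy(out + pos, name, lab);
        pos += lab;
        name += lab;
        if (*name == '.')
            name++;
    }
    if (pos + 1 > cap) return -1;
    out[pos++] = 0;                  /* root label terminates the name */
    return (int)pos;
}

/* Build a DNS AXFR query message (without the 2-byte TCP length prefix).
 * Returns the message length, or -1 if the zone name is invalid or cap is too small. */
int build_axfr_query(uint16_t id, const char *zone, uint8_t *out, size_t cap)
{
    int n;
    if (cap < 12) return -1;
    out[0] = (uint8_t)(id >> 8); out[1] = (uint8_t)id;
    out[2] = 0x00; out[3] = 0x00;    /* QR=0, OPCODE=QUERY, RD=0: transfers are not recursive */
    out[4] = 0x00; out[5] = 0x01;    /* QDCOUNT = 1 */
    memset(out + 6, 0, 6);           /* ANCOUNT, NSCOUNT, ARCOUNT = 0 */
    n = encode_name(zone, out + 12, cap - 12);
    if (n < 0 || cap < (size_t)(12 + n + 4)) return -1;
    out[12 + n] = 0x00; out[13 + n] = QTYPE_AXFR;  /* QTYPE  = AXFR */
    out[14 + n] = 0x00; out[15 + n] = 0x01;        /* QCLASS = IN */
    return 12 + n + 4;
}

/* Classify the first response message on the TCP stream from its header:
 * RCODE 5 (REFUSED) means the ACL rejected this client; RCODE 0 with an
 * answer means the server started sending the zone, i.e. it is open to us. */
enum xfr_verdict classify_axfr_response(const uint8_t *msg, size_t len, uint16_t expect_id)
{
    unsigned rcode, ancount;
    if (len < 12) return XFR_MALFORMED;
    if ((((unsigned)msg[0] << 8) | msg[1]) != expect_id) return XFR_MALFORMED; /* not our query */
    if (!(msg[2] & 0x80)) return XFR_MALFORMED;   /* QR bit clear: not a response */
    rcode   = msg[3] & 0x0f;
    ancount = ((unsigned)msg[6] << 8) | msg[7];
    if (rcode == 5) return XFR_REFUSED;
    if (rcode == 0 && ancount > 0) return XFR_ALLOWED;
    return XFR_OTHER;                             /* SERVFAIL, NOTAUTH, empty answer, ... */
}

/* Constructed samples (not captured traffic): header plus the question section
 * of the query above with ID 0x1234. Flags 0x84 = QR|AA; the low nibble of the
 * next byte is the RCODE. The "allowed" sample carries ANCOUNT = 1 with the
 * SOA record omitted, since the classifier reads only the header. */
#define QUESTION 4,'z','o','n','e', 5,'p','i','p','p','o', 3,'c','o','m', 0, 0x00,QTYPE_AXFR, 0x00,0x01
const uint8_t SAMPLE_REFUSED[] = { 0x12,0x34, 0x84,0x05, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00, QUESTION };
const uint8_t SAMPLE_ALLOWED[] = { 0x12,0x34, 0x84,0x00, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00, QUESTION };

const char *verdict_name(enum xfr_verdict v)
{
    static const char *names[] = { "ALLOWED (open to this client)", "REFUSED by ACL", "OTHER", "MALFORMED" };
    return names[v];
}

int main(void)
{
    uint8_t q[512];
    int n = build_axfr_query(0x1234, "zone.pippo.com", q, sizeof q);
    printf("AXFR query for zone.pippo.com: %d bytes\n", n);
    printf("refused sample: %s\n", verdict_name(classify_axfr_response(SAMPLE_REFUSED, sizeof SAMPLE_REFUSED, 0x1234)));
    printf("allowed sample: %s\n", verdict_name(classify_axfr_response(SAMPLE_ALLOWED, sizeof SAMPLE_ALLOWED, 0x1234)));
    return 0;
}
```

To run this against your own servers, prefix the message with its length as a 2-byte big-endian integer, write it to TCP port 53 of each authoritative server from a host that is not one of its secondaries, and read the first length-prefixed message back; any ALLOWED verdict is exactly the "approved ... from [anyone]" condition in the server log above. `dig axfr zone.pippo.com @dns.pippo.com` gives the same answer by hand ("Transfer failed." on REFUSED); neither should be replaced by named-xfer -Z until the server runs 8.2.2-P7.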
For Caldera Systems fixes:
- OpenLinux Desktop 2.3
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
RPMS/bind-8.2.2p7-1.i386.rpm
RPMS/bind-doc-8.2.2p7-1.i386.rpm
RPMS/bind-utils-8.2.2p7-1.i386.rpm
SRPMS/bind-8.2.2p7-1.src.rpm
- OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
RPMS/bind-8.2.2p7-1.i386.rpm
RPMS/bind-doc-8.2.2p7-1.i386.rpm
RPMS/bind-utils-8.2.2p7-1.i386.rpm
SRPMS/bind-8.2.2p7-1.src.rpm
- OpenLinux eDesktop 2.4
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
RPMS/bind-8.2.2p7-1.i386.rpm
RPMS/bind-doc-8.2.2p7-1.i386.rpm
RPMS/bind-utils-8.2.2p7-1.i386.rpm
SRPMS/bind-8.2.2p7-1.src.rpm
For Debian:
http://security.debian.org/dists/potato/updates/main/source/bind_8.2.2p7-1.diff.gz
http://security.debian.org/dists/potato/updates/main/source/bind_8.2.2p7-1.dsc
http://security.debian.org/dists/potato/updates/main/source/bind_8.2.2p7.orig.tar.gz
http://security.debian.org/dists/potato/updates/main/binary-alpha/bind-dev_8.2.2p7-1_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/bind_8.2.2p7-1_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/dnsutils_8.2.2p7-1_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/bind-dev_8.2.2p7-1_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/bind_8.2.2p7-1_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/dnsutils_8.2.2p7-1_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/bind-dev_8.2.2p7-1_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/bind_8.2.2p7-1_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/dnsutils_8.2.2p7-1_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/bind-dev_8.2.2p7-1_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/bind_8.2.2p7-1_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/dnsutils_8.2.2p7-1_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/bind-dev_8.2.2p7-1_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/bind_8.2.2p7-1_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/dnsutils_8.2.2p7-1_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/bind-dev_8.2.2p7-1_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/bind_8.2.2p7-1_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/dnsutils_8.2.2p7-1_sparc.deb
For Red Hat:
ftp://updates.redhat.com/5.2/alpha/bind-8.2.2_P7-0.5.2.alpha.rpm
ftp://updates.redhat.com/5.2/sparc/bind-8.2.2_P7-0.5.2.sparc.rpm
ftp://updates.redhat.com/5.2/i386/bind-8.2.2_P7-0.5.2.i386.rpm
ftp://updates.redhat.com/5.2/SRPMS/bind-8.2.2_P7-0.5.2.src.rpm
ftp://updates.redhat.com/6.0/sparc/bind-8.2.2_P7-0.6.2.sparc.rpm
ftp://updates.redhat.com/6.0/i386/bind-8.2.2_P7-0.6.2.i386.rpm
ftp://updates.redhat.com/6.0/alpha/bind-8.2.2_P7-0.6.2.alpha.rpm
ftp://updates.redhat.com/6.0/SRPMS/bind-8.2.2_P7-0.6.2.src.rpm
ftp://updates.redhat.com/6.1/sparc/bind-8.2.2_P7-0.6.2.sparc.rpm
ftp://updates.redhat.com/6.1/i386/bind-8.2.2_P7-0.6.2.i386.rpm
ftp://updates.redhat.com/6.1/alpha/bind-8.2.2_P7-0.6.2.alpha.rpm
ftp://updates.redhat.com/6.1/SRPMS/bind-8.2.2_P7-0.6.2.src.rpm
ftp://updates.redhat.com/6.2/alpha/bind-8.2.2_P7-0.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/sparc/bind-8.2.2_P7-0.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/i386/bind-8.2.2_P7-0.6.2.i386.rpm
ftp://updates.redhat.com/6.2/SRPMS/bind-8.2.2_P7-0.6.2.src.rpm
ftp://updates.redhat.com/7.0/alpha/bind-8.2.2_P7-1.alpha.rpm
ftp://updates.redhat.com/7.0/sparc/bind-8.2.2_P7-1.sparc.rpm
ftp://updates.redhat.com/7.0/i386/bind-8.2.2_P7-1.i386.rpm
ftp://updates.redhat.com/7.0/SRPMS/bind-8.2.2_P7-1.src.rpm
For Immunix OS:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/bind-8.2.2_P7-0.6.2_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/bind-devel-8.2.2_P7-0.6.2_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/bind-utils-8.2.2_P7-0.6.2_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/bind-8.2.2_P7-0.6.2_StackGuard.src.rpm
http://www.immunix.org:8080/ImmunixOS/7.0-beta/updates/RPMS/bind-8.2.2_P7-1_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/7.0-beta/updates/RPMS/bind-devel-8.2.2_P7-1_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/7.0-beta/updates/RPMS/bind-utils-8.2.2_P7-1_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/7.0-beta/updates/SRPMS/bind-8.2.2_P7-1_StackGuard.src.rpm
Compaq Tru64 UNIX is not vulnerable to these reported problems.
HP is vulnerable to these problems and is working to correct them.
Microsoft is currently investigating these issues.
NetBSD is believed to be vulnerable to these problems; in response
NetBSD-current has been upgraded to 8.2.2-P7 and 8.2.2-P7 will be
present in the forthcoming NetBSD 1.5 release.
Updated Slackware distributions for bind may be found at:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/bind.tgz
For Trustix OS:
bind-8.2.2_P7-2tr.i586.rpm
bind-devel-8.2.2_P7-2tr.i586.rpm
bind-utils-8.2.2_P7-2tr.i586.rpm
http://www.trustix.net/download/Trustix/updates/1.1/RPMS/
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
For SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/bind8-8.2.2-139.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/bind8-8.2.2-139.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/bind8-8.2.2-139.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/bind8-8.2.2-139.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/bind8-8.2.2-139.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/bind8-8.2.2-139.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/bind8-8.2.2-139.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/bind8-8.2.2-139.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/bind8-8.2.2-139.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/bind8-8.2.2-139.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/bind8-8.2.2-139.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/bind8-8.2.2-139.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/n1/bind8-8.2.2-139.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/bind8-8.2.2-139.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/bind8-8.2.2-139.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/bind8-8.2.2-139.src.rpm
IBM is working on the following fix, which will be available soon:
AIX 4.3.x: APAR IY14512
No fix will be provided for versions prior to 4.3, as these are no
longer supported by IBM. Affected customers are urged to upgrade to
4.3 or higher. A temporary fix for AIX 4.3.x systems is available and
can be downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/named8_DoS_efix.tar.Z