Re: tlug: On being hacked (was: [Q] chgrp 3.15 GNU Utils)
- To: tlug@example.com
- Subject: Re: tlug: On being hacked (was: [Q] chgrp 3.15 GNU Utils)
- From: "Stephen J. Turnbull" <turnbull@example.com>
- Date: Tue, 05 Aug 1997 14:38:41 +0900
- In-reply-to: Your message of "Fri, 01 Aug 1997 18:40:37 +0900." <Pine.HPP.3.95.970801183242.18100A-100000@example.com>
- Reply-To: tlug@example.com
- Sender: owner-tlug
-------------------------------------------------------- tlug note from "Stephen J. Turnbull" <turnbull@example.com> --------------------------------------------------------

>>>>> "Paul" == Paul Gampe <paulg@example.com> writes:

    Paul> On Wed, 30 Jul 1997, Stephen J. Turnbull wrote:

    turnbull> I don't know whether it's possible to add records to an
    turnbull> authoritative server without obtaining root or other

    Paul> Unfortunately it is possible to add records to a domain name
    Paul> cache. A vast majority of domain name servers on the net
    Paul> are running bind 4.9.5 or earlier, and all these versions
    Paul> are vulnerable. It took me a while to grasp the concept so
    Paul> I'm attaching an excellent explanation of the problem,
    Paul> posted to BugTraq.

Thanks for the pointer.

[Headers and attribution elided]

    Paul> Problem Description

    Paul> This advisory contains descriptions and solutions for two
    Paul> vulnerabilities present in current BIND distributions.
    Paul> These vulnerabilities are actively being exploited on the
    Paul> Internet.

I can attest to that....

    Paul> I. The usage of predictable IDs in queries and recursed
    Paul> queries allows for remote cache corruption. This allows
    Paul> malicious users to alter domain name server caches to change
    Paul> the addresses and hostnames of hosts on the internet.

Ah, a sequence number attack. (That's a joke---I just know the jargon....)

Well, in the case in question I made a direct request for an authoritative response from the authoritative server for the domain ("dig host @example.com +aa"). That doesn't sound like "cache contamination" to me. I'm probably getting the right nameserver because it's the same IP as in the whois database, although it's theoretically possible an intermediate router's been suborned.

    Paul> II. A failure to check whether hostname lengths exceed
    Paul> MAXHOSTNAMELEN in size. This results in potential buffer
    Paul> overflows in programs which expect the BIND resolver to only
    Paul> return a maximum hostname length of MAXHOSTNAMELEN.

This doesn't look like it directly offers ways to contaminate the cache, either.

My guess is that that domain's DNS database, not just the cache, really is contaminated (also assuming I can trust the guy who says he doesn't even run his own WWW host to know what hosts are registered under his domain).

Oh well. The records are still there, and the nameserver still responds to requests for zone transfers. I guess I should just not worry about their problems.

Thanks again for the information about the BIND holes.

Steve

-- 
Stephen J. Turnbull                 Institute of Policy and Planning Sciences
Yaseppochi-Gumi                     University of Tsukuba
http://turnbull.sk.tsukuba.ac.jp/   Tel: +81 (298) 53-5091; Fax: 55-3849
turnbull@example.com
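The two advisory items Paul quotes (predictable query IDs that let a forged reply be taken for a real one, and hostnames longer than MAXHOSTNAMELEN overflowing fixed buffers) both come down to checks a resolver client should make on a reply before trusting it. The C below is an added example for this archive page, not code from the thread, from BIND or from the BugTraq advisory. It assumes MAXHOSTNAMELEN from <sys/param.h>; the pending-query table, the two sample reply headers, the sample ID runs and the over-long hostname are constructed for the example.

```c
/* Added example (not from the TLUG thread, BIND or the advisory):
 * client-side checks on DNS replies. (1) accept a reply only if its ID
 * matches an outstanding query for the same name, once; (2) bounds-check
 * a returned hostname instead of strcpy()ing it into a fixed buffer;
 * plus a self-test for whether a run of query IDs steps by a constant,
 * the "predictable ID" property the advisory describes. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <sys/param.h>

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 64       /* assumption: glibc's value */
#endif
#define MAX_PENDING 8
#define DNS_HEADER_LEN 12

/* One outstanding query: the 16-bit ID we sent and the name we asked for. */
struct pending_query { int in_use; uint16_t id; char qname[256]; };
static struct pending_query pending[MAX_PENDING];   /* constructed table */

void pending_reset(void) { memset(pending, 0, sizeof pending); }

/* Remember a query we just sent. Returns the slot index, or -1 if full. */
int pending_add(uint16_t id, const char *qname) {
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!pending[i].in_use) {
            pending[i].in_use = 1;
            pending[i].id = id;
            snprintf(pending[i].qname, sizeof pending[i].qname, "%s", qname);
            return i;
        }
    }
    return -1;
}

/* Transaction ID: first two bytes of the message, network byte order. */
int dns_response_id(const uint8_t *msg, size_t len) {
    if (len < DNS_HEADER_LEN) return -1;
    return (msg[0] << 8) | msg[1];
}

/* Check 1: a reply counts only if ID and name match a pending query.
 * The slot is released, so a second reply with the same ID is refused. */
int accept_reply(const uint8_t *msg, size_t len, const char *answered_name) {
    int id = dns_response_id(msg, len);
    if (id < 0) return 0;
    for (int i = 0; i < MAX_PENDING; i++) {
        if (pending[i].in_use && pending[i].id == (uint16_t)id &&
            strcmp(pending[i].qname, answered_name) == 0) {
            pending[i].in_use = 0;
            return 1;
        }
    }
    return 0;
}

/* Does a run of IDs advance by one constant stride (100, 101, 102, ...)?
 * IDs that pass this test are what the advisory calls predictable. */
int ids_constant_stride(const uint16_t *ids, size_t n) {
    if (n < 3) return 0;
    uint16_t stride = (uint16_t)(ids[1] - ids[0]);
    for (size_t i = 2; i < n; i++)
        if ((uint16_t)(ids[i] - ids[i - 1]) != stride) return 0;
    return 1;
}

/* Check 2: copy a hostname only if it fits, NUL included. The pattern the
 * advisory warns about is strcpy(buf, hp->h_name) into char buf[MAXHOSTNAMELEN]. */
int copy_hostname_checked(char *dst, size_t dst_len, const char *src) {
    size_t n = 0;
    while (n < dst_len && src[n] != '\0') n++;
    if (n == dst_len) return -1;    /* no room for the terminator */
    memcpy(dst, src, n + 1);
    return 0;
}

/* RFC 1035 shape: labels of 1..63 letters, digits or hyphens, total <= 255. */
int hostname_wellformed(const char *name) {
    size_t total = strlen(name), label = 0;
    if (total == 0 || total > 255) return 0;
    for (size_t i = 0; i <= total; i++) {
        if (name[i] == '.' || name[i] == '\0') {
            if (label == 0 || label > 63) return 0;
            label = 0;
        } else if (isalnum((unsigned char)name[i]) || name[i] == '-') {
            label++;
        } else return 0;
    }
    return 1;
}

/* Constructed samples: only the 12-byte header matters for the ID check. */
const uint8_t reply_good[DNS_HEADER_LEN]   = {0x1a, 0x2b, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0};
const uint8_t reply_forged[DNS_HEADER_LEN] = {0x1a, 0x2c, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0};
const uint16_t ids_sequential[] = {100, 101, 102, 103, 104};
const uint16_t ids_random[]     = {0x3f21, 0x9c04, 0x0a77, 0xe1b3, 0x5d08};
#define A10 "aaaaaaaaaa"
#define A50 A10 A10 A10 A10 A10
const char long_hostname[] = A50 A50 A50 A50 A50 A50 ".example.com";   /* 312 bytes */

int main(void) {
    char buf[MAXHOSTNAMELEN];
    pending_reset();
    pending_add(0x1a2b, "www.example.com");
    printf("forged reply accepted: %d\n", accept_reply(reply_forged, sizeof reply_forged, "www.example.com"));
    printf("good reply accepted:   %d\n", accept_reply(reply_good, sizeof reply_good, "www.example.com"));
    printf("IDs constant stride:   %d\n", ids_constant_stride(ids_sequential, 5));
    printf("long name copied:      %d\n", copy_hostname_checked(buf, sizeof buf, long_hostname));
    return 0;
}
```

The ID check alone only raises the cost of a forged reply from "any time" to "guess the ID"; with a constant-stride ID sequence that guess is easy, which is why the advisory's fix is unpredictable IDs and why the name match and one-shot slot release are there as well. The length check is the resolver-consumer side of item II: whatever the resolver returns, nothing longer than the buffer is copied.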
- References:
- Re: tlug: On being hacked (was: [Q] chgrp 3.15 GNU Utils)
- From: Paul Gampe <paulg@example.com>