Buffer overflow reported by sscan
Mark.Andrews at nominum.com
Fri Mar 10 02:25:10 UTC 2000
> I'm a new bind admin and while learning about security I ran sscan
> (http://www.ben2.ucla.edu/~jsbach/) against my server. It reported :
> --<[ *VULN*: localhost: linux bind/iquery remote buffer overflow
The code generates false positives. It just attempts a
valid inverse query of 1.2.3.4 and if it succeeds then says
that the server is vulnerable. Given that vulnerable servers
and fixed ones both respond the same way to this query all
it really is saying is that the server has fake inverse
queries turned on (unless you are using net 1 internally).
> and in /var/log/messages I found the following:
> Mar 9 14:03:02 3gig modprobe: can't locate module üôÿ¿?
Unrelated to BIND.
>
> I am running redhat linux 6.0 with bind upgraded to the vendor supplied
> rpm (bind-8.2.2_P3-1) `named -v` shows:
> named 8.2.2-P3 Thu Nov 11 00:04:50 EST 1999
>
> root at porky.devel.redhat.com:/usr/src/bs/BUILD/bind-8.2.2_P3/src/bin/named
>
> I downloaded the latest source from www.isc.org compiled and replaced
> the named binary and reran sscan with the same results.
>
> Is this a known problem? I was not able to find any more info about it
> on the web.
This was fixed in the BIND 8.1.2-T3B release. From src/CHANGES:

 365.   [security]      Missing bounds checking in inverse query handling
                        allowed an attacker to overwrite the server's stack.

Mark
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
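
The check described in the reply above, as an added example that is not part of the original message or of sscan: it builds the valid inverse query for 1.2.3.4 and classifies a reply by its header alone, which shows why an answered query cannot separate vulnerable from fixed servers. The function names and the sample reply headers are constructed for illustration; field layouts follow RFC 1035.

```python
import socket
import struct

OPCODE_IQUERY = 1  # RFC 1035 opcode for an inverse query
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 4: "NOTIMP", 5: "REFUSED"}


def build_iquery(addr, qid=0x1234):
    """Well-formed inverse query: empty question section, one A record as the answer."""
    header = struct.pack("!6H", qid, OPCODE_IQUERY << 11, 0, 1, 0, 0)
    rdata = socket.inet_aton(addr)
    # Root owner name, TYPE=A, CLASS=IN, TTL=0, RDLENGTH, then the address itself.
    return header + b"\x00" + struct.pack("!HHIH", 1, 1, 0, len(rdata)) + rdata


def classify_reply(reply):
    """Report only what the reply header can support."""
    if len(reply) < 12:
        return "malformed reply"
    _qid, flags = struct.unpack("!HH", reply[:4])
    if not flags & 0x8000 or (flags >> 11) & 0xF != OPCODE_IQUERY:
        return "malformed reply"
    rcode = flags & 0xF
    if rcode == 0:
        # Patched and unpatched servers both land here, so this is not a finding.
        return "inverse query answered: patch level unknown, check the version"
    return "inverse query not answered (%s)" % RCODES.get(rcode, "rcode %d" % rcode)


# Constructed reply headers for illustration, not captured traffic.
SAMPLE_ANSWERED = struct.pack("!6H", 0x1234, 0x8800, 1, 1, 0, 0)
SAMPLE_NOTIMP = struct.pack("!6H", 0x1234, 0x8804, 0, 0, 0, 0)

if __name__ == "__main__":
    print(build_iquery("1.2.3.4").hex())
    print(classify_reply(SAMPLE_ANSWERED))
    print(classify_reply(SAMPLE_NOTIMP))
```
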