Date: Thu, 22 Feb 2001 02:32:33 -0600
From: Christopher Farley <chris@northernbrewer.com>
To: freebsd-security@freebsd.org
Subject: Bind TSIG exploit
Message-ID: <20010222023233.A629@northernbrewer.com>
This is what I get for not subscribing to freebsd-security (until now): On Feb 7, named dumped core (running bind 8.2.3 beta). I didn't catch it until recently. While searching the archives, I came across information on the well-known bind vulnerabilities. My non-technical armchair analysis of the core dump indicates the TSIG exploit (based on the presence of ';; TSIG invalid (%s)' at the top of the core file -- how's that for non-technical?).

Is there any way to analyze the core dump to find out what 'arbitrary code' may have been executed? I've taken the usual steps to detect a root compromise, but found nothing obvious. I've upgraded named to 8.2.3-REL, but I'm guessing I should decommission and rebuild the server as a precaution... unless I can be convinced this is not necessary.

There have been a couple of messages in recent days on -questions about named dumping core, so I suspect this vulnerability is being widely exploited at present. Congratulations if you patched the hole two or three weeks ago, you escaped...
-----------------

I don't know if this is interesting or not:

# strings - named.core | head -45
FreeBSD
FreeBSD
833333
FreeBSD
named
named
/home
/home
/var/mail
/dev
/var/spool
/usr/tmp
/tmp
/var/log/lastlog
/var/log/wtmp
/var/log/messages
/dev/random
mtime->tv_usec >= 0 && mtime->tv_usec < 1000000
/usr/src/lib/libbind/../../contrib/bind/lib/dst/prandom.c
/proc/
$Id: res_update.c,v 1.24 1999/10/15 19:49:12 vixie Exp $
res_findzonecut failed (%d)
malloc failed
res_mkupdrec failed
res_mkupdate -> %d
res_nsend: send error, n=%d (%s)
;; res_nupdate: HMAC-MD5.SIG-ALG.REG.INT
;; TSIG invalid (%s)
;; TSIG ok
;; res_query(%s, %d, %d)
;; res_query: mkquery failed
;; res_query: send error
;; rcode = %d, ancount=%d
<Nil>
;; res_nquerydomain(%s, %s, %d, %d)
%s.%s
HOSTALIASES
/etc/networks
/etc/hosts
getservent
getservbyname
%s %s
getservbyport
%d %s
setservent
setservent failed: %s

--
Christopher Farley
www.northernbrewer.com
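The poster's triage step above is `strings` over the core and a look for the ';; TSIG invalid (%s)' text. That string, like the neighbouring `$Id: res_update.c` line in the dump, is a format string compiled into libbind, so finding it shows only that libbind's data was mapped into the process. A more telling check is to compare the strings in the core against the strings in the known-good named binary (and its libraries) plus the runtime values the daemon is expected to have, and report what is left over. The script below is an added example, not part of the message or of BIND; it reimplements the printable-run extraction of strings(1) in Python and runs it over constructed sample bytes (a small fake "binary" and a fake "core", both labelled as constructed in the code) so it runs offline. Pass real file paths as the two arguments to use it on an actual core and binary; the `EXPECTED_RUNTIME` set is an assumption that an operator would fill from a clean core of the same build.

```python
import re
import sys

# Strings the poster looked for: libbind format strings from res_update.c.
# On their own they only show libbind data was in memory.
INDICATORS = (
    ";; TSIG invalid (%s)",
    ";; res_nupdate: HMAC-MD5.SIG-ALG.REG.INT",
)

# Constructed sample of a known-good named binary (baseline strings).
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00"
    b";; res_nupdate: HMAC-MD5.SIG-ALG.REG.INT\x00"
    b";; TSIG invalid (%s)\x00;; TSIG ok\x00"
    b"/usr/src/lib/libbind/../../contrib/bind/lib/dst/prandom.c\x00"
    b"setservent failed: %s\x00"
)

# Constructed sample core image: baseline strings, expected runtime data
# (paths named opens), some non-printable filler, and one string that the
# binary does not contain, so the comparison has something to flag.
SAMPLE_CORE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"/var/log/messages\x00/dev/random\x00"
    + b";; TSIG invalid (%s)\x00;; TSIG ok\x00"
    + b"\x90" * 8
    + b"CONSTRUCTED-STRING-NOT-IN-BINARY\x00"
    + b";; res_nupdate: HMAC-MD5.SIG-ALG.REG.INT\x00"
)

# Runtime strings any named core is expected to contain (constructed for
# the sample; assumption: in practice, collect these from a clean core).
EXPECTED_RUNTIME = frozenset({"/var/log/messages", "/dev/random"})


def extract_strings(data, min_len=4):
    """Yield (offset, text) for runs of printable ASCII, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")


def triage_core(core, binary, expected_runtime=frozenset()):
    """Return the indicator hits and the core strings absent from the baseline.

    baseline = strings of the clean binary + expected runtime values.
    Each result entry is (text, offset in the core file).
    """
    baseline = {s for _, s in extract_strings(binary)} | set(expected_runtime)
    indicators = []
    unexpected = []
    for off, s in extract_strings(core):
        if any(ind in s for ind in INDICATORS):
            indicators.append((s, off))
        if s not in baseline:
            unexpected.append((s, off))
    return {"indicators": indicators, "unexpected": unexpected}


def main(argv):
    if len(argv) == 3:
        with open(argv[1], "rb") as f:
            core = f.read()
        with open(argv[2], "rb") as f:
            binary = f.read()
        expected = frozenset()  # fill from a clean core of the same build
    else:
        core, binary, expected = SAMPLE_CORE, SAMPLE_BINARY, EXPECTED_RUNTIME
    report = triage_core(core, binary, expected)
    print("indicator strings (normal libbind data, offset in core):")
    for s, off in report["indicators"]:
        print("  0x%08x  %s" % (off, s))
    print("strings not in baseline (review these):")
    for s, off in report["unexpected"]:
        print("  0x%08x  %s" % (off, s))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python3 core_triage.py named.core /usr/sbin/named`. Strings that survive the baseline comparison are the ones worth reading by hand; the minimum length of 4 matches the strings(1) default, and a larger value cuts noise from binary data that happens to be printable.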