Date: Thu, 22 Feb 2001 13:50:04 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Christopher Farley <chris@northernbrewer.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Bind TSIG exploit
Message-ID: <20010222135004.A7884@mollari.cthul.hu>
In-Reply-To: <20010222023233.A629@northernbrewer.com>; from chris@northernbrewer.com on Thu, Feb 22, 2001 at 02:32:33AM -0600
References: <20010222023233.A629@northernbrewer.com>
On Thu, Feb 22, 2001 at 02:32:33AM -0600, Christopher Farley wrote:
> On Feb 7, named dumped core (running bind 8.2.3 beta). I didn't catch it
> until recently. While searching the archives, I came across information
> on the well-known bind vulnerabilities.

Subscribe to one of the mailing lists where FreeBSD security advisories get
distributed, and you would have found this out weeks ago and saved yourself
a possible root compromise.

> My non-technical armchair analysis of the core dump indicates the
> TSIG exploit (based on the presence of ';; TSIG invalid (%s)' at the
> top of the core file -- how's that for non-technical?).

Well, that's probably just an error string from the binary, not an
indication of state.

> Is there any way to analyze the core dump to find out what 'arbitrary
> code' may have been executed? I've taken the usual steps to detect

You'd need to use the usual debugging gdb magic. It's certainly possible
but beyond the scope of this message :-)

> a root compromise, but found nothing obvious. I've upgraded named
> to 8.2.3-REL, but I'm guessing I should decommission and rebuild
> the server as a precaution... unless I can be convinced this is not
> necessary.

Safest to treat it as compromised and do a full rebuild, then take the
lesson and subscribe to security-notifications and be more reactive in
future :-)

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6lYmLWry0BWjoQKURAvfxAKDBWKffFc+po+0OT5OIP9/VGB5DqgCeJR9B
L35LZUTwn3PkNmJUWt+YL1E=
=sAg3
-----END PGP SIGNATURE-----
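The "gdb magic" Kris waves at is, in practice, a first-pass triage of the core: load it with `gdb /usr/sbin/named named.core`, read the program counter and saved frames from `bt` and `info registers`, note the executable mappings from `info files` / `info sharedlibrary`, and then look at what sits in the writable regions of the dump. The script below is an added example written for this page; it is not part of the thread and not BIND or FreeBSD code. It encodes three of those checks as functions: whether the faulting PC falls inside any known text segment (a PC on the stack means control flow was hijacked), whether the dump contains long NOP sleds or shell path strings, and the point Kris makes that a string with a `%s` in it is a printf template from the binary's own data, not evidence of what ran. The core bytes, the address ranges and the PC value are all constructed sample data.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed stand-in for a slice of a crashed named's core file (NOT a
# real core).  It starts with the error format string the binary itself
# carries, followed by what we pretend is the stack region: a NOP sled
# and an embedded "/bin/sh" string, the residue a stack-smash payload
# typically leaves behind.
SAMPLE_CORE = (
    b";; TSIG invalid (%s)\x00"   # named's own data; says nothing by itself
    + b"\x00" * 32
    + b"\x90" * 64                 # i386 NOP sled (constructed)
    + b"/bin/sh\x00"
    + b"\x00" * 16
)

# Constructed example of the executable mappings one would copy out of
# gdb's "info files" / "info sharedlibrary"; the addresses are made up.
SAMPLE_TEXT_RANGES: List[Tuple[int, int, str]] = [
    (0x08048000, 0x080A0000, "named .text"),
    (0x28080000, 0x28100000, "libc.so .text"),
]

SHELL_STRINGS = (b"/bin/sh", b"/bin/csh", b"/bin/bash")


def find_nop_sleds(data: bytes, min_len: int = 32) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of at least min_len 0x90 bytes."""
    pattern = rb"\x90{%d,}" % min_len
    return [(m.start(), m.end() - m.start()) for m in re.finditer(pattern, data)]


def find_shell_strings(data: bytes) -> Dict[bytes, List[int]]:
    """Map each shell path string found in the dump to its byte offsets."""
    hits: Dict[bytes, List[int]] = {}
    for s in SHELL_STRINGS:
        offsets = [m.start() for m in re.finditer(re.escape(s), data)]
        if offsets:
            hits[s] = offsets
    return hits


def is_format_template(s: bytes) -> bool:
    """True if s is a printf-style template (contains %s, %d, ...).

    Such a string is part of the binary's read-only data, so seeing it in
    a core dump indicates nothing about attacker activity.
    """
    return re.search(rb"%[-0-9.]*[sdxu]", s) is not None


def pc_in_known_text(pc: int, ranges: Sequence[Tuple[int, int, str]]) -> Optional[str]:
    """Name of the text segment containing pc, or None if it is in none of them."""
    for lo, hi, name in ranges:
        if lo <= pc < hi:
            return name
    return None


def triage(data: bytes, pc: int,
           text_ranges: Sequence[Tuple[int, int, str]]) -> Dict[str, object]:
    """Combine the heuristics into one report for a crashed process."""
    sleds = find_nop_sleds(data)
    shells = find_shell_strings(data)
    region = pc_in_known_text(pc, text_ranges)
    exploited = region is None or bool(sleds) or bool(shells)
    return {
        "nop_sleds": sleds,
        "shell_strings": shells,
        "pc_region": region,
        "pc_suspicious": region is None,
        "verdict": "likely exploited" if exploited else "no obvious payload",
    }


if __name__ == "__main__":
    # 0xBFBFF5A0 is a constructed stack address, i.e. a PC outside all text.
    print(triage(SAMPLE_CORE, 0xBFBFF5A0, SAMPLE_TEXT_RANGES))
```

Two caveats the script cannot remove. A PC that lands inside libc is not proof of innocence (return-into-libc leaves it there), and a clean report only means no obvious payload survived in the dump; a successful exploit may have exited quietly, and a later crash may be unrelated. That is why the advice in the message stands: the core can tell you the attack happened, it cannot tell you it did not, so the host gets rebuilt either way.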
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010222135004.A7884>