From owner-freebsd-security Fri Feb 23 22:09:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 423DE37B503 for ; Fri, 23 Feb 2001 22:09:51 -0800 (PST) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.1/8.11.1) with SMTP id f1O69gh75959; Sat, 24 Feb 2001 01:09:42 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Sat, 24 Feb 2001 01:09:42 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Christopher Farley
Cc: freebsd-security@freebsd.org
Subject: Re: Bind TSIG exploit
In-Reply-To: <20010222023233.A629@northernbrewer.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 22 Feb 2001, Christopher Farley wrote:

> My non-technical armchair analysis of the core dump indicates the TSIG
> exploit (based on the presence of ';; TSIG invalid (%s)' at the top of
> the core file -- how's that for non-technical?).

A coredump generally corresponds with a failed attempt to exploit a bug present -- a successful exploit will not result in the process being killed and dumped, instead it generally results in a /bin/sh with I/O bound to the socket. However, that doesn't mean that you weren't compromised: the unsuccessful compromise could be a result of using an exploit targeted at another operating system and/or hardware platform (probably Linux or Solaris, as those are popular targets), or it could be the result of an incorrect offset being used when overflowing the buffer, in which case they might have the right exploit for your machine, they just need to work through the offset space to find the right one for your machine.
As Kris recommended, you probably want to reinstall the machine from scratch, and subscribe to the FreeBSD security-notifications mailing list if you haven't already. Extracting the exploit is probably not a useful exercise as (unless it exploits a new/different bug), an exploit has already been posted and is widely circulated, so chances are it is the same one.

Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org
NAI Labs, Safeport Network Services
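The reply above makes two detection points: a core dump from named is the footprint of a failed attempt, and an attacker with the wrong offset will keep trying, so a run of named crashes in a short window is the pattern to watch for. The following is an added example, not code from the post or from FreeBSD, that scans syslog for the kernel's fatal-signal message ("pid N (cmd), uid U: exited on signal S (core dumped)", the format produced by FreeBSD's kern.logsigexit logging) and flags a burst of core-dumping named crashes. The log lines, hostname, PIDs and the year (syslog timestamps carry none) are all constructed for the example.

```python
"""Flag bursts of core-dumping crashes of a daemon in FreeBSD syslog output.

Added example, not from the mailing-list post. The sample lines and the
year passed to the parser are constructed; the kernel message format is
FreeBSD's "exited on signal" log line.
"""
import re
from datetime import datetime, timedelta

# Kernel fatal-signal message as written to syslog (the leading "/kernel:"
# tag is how older FreeBSD syslogd labelled kernel messages).
CRASH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ /?kernel: "
    r"pid (?P<pid>\d+) \((?P<cmd>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?\s*$"
)

# Constructed sample log: four core-dumping named crashes, one named crash
# with core dumps disabled, one unrelated httpd crash, one sshd line.
SAMPLE_LOG = """\
Feb 23 21:40:02 ns1 /kernel: pid 152 (named), uid 53: exited on signal 11 (core dumped)
Feb 23 21:41:10 ns1 sshd[201]: Accepted publickey for admin from 192.0.2.10 port 40122 ssh2
Feb 23 21:44:37 ns1 /kernel: pid 188 (named), uid 53: exited on signal 11 (core dumped)
Feb 23 21:47:51 ns1 /kernel: pid 203 (named), uid 53: exited on signal 11 (core dumped)
Feb 23 22:05:19 ns1 /kernel: pid 310 (httpd), uid 80: exited on signal 11 (core dumped)
Feb 23 22:09:40 ns1 /kernel: pid 244 (named), uid 53: exited on signal 11 (core dumped)
Feb 23 22:30:00 ns1 /kernel: pid 355 (named), uid 53: exited on signal 11
""".splitlines()


def parse_crashes(lines, year=2001):
    """Return one dict per fatal-signal kernel message; other lines are skipped."""
    events = []
    for line in lines:
        m = CRASH_RE.match(line)
        if not m:
            continue
        # syslog timestamps have no year, so the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "pid": int(m["pid"]),
            "cmd": m["cmd"],
            "uid": int(m["uid"]),
            "signal": int(m["sig"]),
            "core": m["core"] is not None,
        })
    return events


def first_burst(times, window=timedelta(minutes=10), threshold=3):
    """Sliding-window scan over sorted timestamps.

    Returns (window_start, window_end, count) for the first window of length
    `window` holding at least `threshold` events, or None if there is none.
    """
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        count = end - start + 1
        if count >= threshold:
            return times[start], t, count
    return None


def triage(lines, daemon="named", year=2001, **burst_opts):
    """Summarise crashes of `daemon` and report a burst of core dumps, if any."""
    events = parse_crashes(lines, year)
    crashes = [e for e in events if e["cmd"] == daemon]
    with_core = [e["ts"] for e in crashes if e["core"]]
    return {
        "daemon": daemon,
        "crashes": len(crashes),
        "core_dumps": len(with_core),
        "burst": first_burst(with_core, **burst_opts),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['daemon']}: {report['crashes']} crashes, "
          f"{report['core_dumps']} with core")
    if report["burst"]:
        start, end, n = report["burst"]
        print(f"burst of {n} core dumps between {start} and {end}: "
              "check the core and the named binary before trusting this host")
```

Feed it `grep -h kernel /var/log/messages` for a real host. A single crash is still worth examining (the post's point is that the absence of further crashes says nothing about whether the next attempt succeeded), but a burst is the signature of someone walking the offset space, and the right response is the one given above: rebuild rather than reverse the exploit.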