From owner-freebsd-security Sun Mar 9 14:37:06 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA16960 for security-outgoing; Sun, 9 Mar 1997 14:37:06 -0800 (PST)
Received: from smtp.connectnet.com (smtp.connectnet.com [207.110.0.12]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA16955 for ; Sun, 9 Mar 1997 14:37:04 -0800 (PST)
Received: from wink.connectnet.com (Studded@wink.connectnet.com [206.251.156.23]) by smtp.connectnet.com (8.8.5/Connectnet-2.2) with SMTP id OAA14069; Sun, 9 Mar 1997 14:37:58 -0800 (PST)
Message-Id: <199703092237.OAA14069@smtp.connectnet.com>
From: "That Doug Guy"
To: "namedroppers@internic.net"
Cc: "freebsd-security@freebsd.org"
Date: Sun, 09 Mar 97 14:36:53 -0800
Reply-To: "That Doug Guy"
Priority: Normal
X-Mailer: That Doug Guy's Registered PMMail 1.9 For OS/2
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Fwd: BIND-4.9.5-P1 Denial of service attack
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

This is forwarded here with permission. I run a secondary dns that uses 4.9.4-P1, so I'm wondering if this vulnerability exists there as well.

Thank you,

Doug

PS, also forwarded to freebsd-security since the upcoming 2.2-Release version makes use of Bind 4.9.5-P1 to my knowledge.

==================BEGIN FORWARDED MESSAGE==================

>Date: Sun, 9 Mar 1997 03:22:59 -0500
>Reply-To: Jared Mauch
>From: Jared Mauch
>Subject: BIND-4.9.5-P1 DoS Attack
>To: BUGTRAQ@NETSPACE.ORG

From the bind-workers list. This includes the relevant patch to fix the problem.
- Jared

----- Forwarded message from Mark.Andrews@cmis.csiro.au -----

>From bind-workers-request@vix.com Sun Mar 9 03:21:17 1997
Message-Id: <9703090551.AA14395@dmssyd.syd.dms.CSIRO.AU>
To: Irwin Tillman
Cc: bind-workers@vix.com
From: Mark.Andrews@cmis.csiro.au
Subject: Re: BIND-4.9.5-P1 possible denial of service attack
In-Reply-To: Your message of "Wed, 05 Mar 1997 09:48:20 EST." <199703051448.JAA06909@scramble.Princeton.EDU>
Date: Sun, 09 Mar 1997 16:51:11 +1100
Sender:
Precedence: bulk
Reply-To: Mark.Andrews@cmis.csiro.au

> I'm forwarding this to bind-workers, since I've just seen
> a report related to this bug in comp.protocols.tcp-ip-domains.
>
> /irwin
>
> ------- Forwarded Message
>
> Date: Mon, 24 Feb 1997 16:47:50 -0500
> From: Irwin Tillman
> To: Paul Vixie
> Subject: BIND-4.9.5-P1 possible denial of service attack
>
> I ran into what looks like a bug in BIND-4.9.5-P1. I apologize in
> advance for mailing this to you rather than to bind-workers. I thought
> I should try this first, since the bug looks like it opens a potential
> denial of service attack, as well as a way to cause performance
> problems on hosts running named. If you feel I should send this
> to bind-workers or somewhere else instead, just let me know.
>
>
> To reproduce:
>
> From a SunOS client, I telnetted to port 53 of a host running BIND-4.9.5-P1.
> Once the connection was open, I entered "foobar", hit return, then closed
> the telnet connection (control-rightbracket 'quit').
>
> The symptoms you see on the server are that named will no longer accept any
> TCP connections (zone transfers from the server fail, as well as simple
> TCP-based queries). The named process may also consume lots of CPU now,
> affecting the rest of the system.
>
> Tracing the named process shows that when it receives this bogus message, it
> tries (and keeps trying) to read and write this socket, first resulting in
> an ECONNRESET, and then resulting in repeated EPIPE.
> It appears to be in a pretty
> tight loop, presumably accounting for the system-wide impact.
>
> BIND-4.9.3-P1 doesn't have this problem. It just closed the socket and went
> back to the main polling loop.
>
>
> I tested on the following platform:
> Sun SPARCstation 5 running SunOS 4.1.4
> BIND-4.9.5-P1
> Default options.h file
> Default Makefile, with the standard sunos4.1.x section in the Makefile
> uncommented, using /usr/bin/cc, and not building the shared library version
> of libresolv.
> (Also tested on Solaris 2.5.1 with gcc.)
>
>
> --
>
> Irwin Tillman, irwin@princeton.edu
> CIT Network Systems, Princeton University
>
>
>
> ------- End of Forwarded Message
>
>
>
Apply the following patch. This is from inspection of the code. If the socket has a non-blocking error or EOF is detected, just close rather than trying to send an error message on the socket.

Mark

*** ns_main.c.001 Tue Jan 7 15:06:17 1997 --- ns_main.c Sun Mar 9 16:46:53 1997 *************** *** 866,871 **** --- 866,877 ---- sp->s_bufp += n; sp->s_size -= n; } + if ((n == -1) && (errno == PORT_WOULDBLK)) + continue; + if (n <= 0) { + sqrm(sp); + continue; + } /* * we don't have enough memory for the query. * if we have a query id, then we will send an *************** *** 909,920 **** HFIXEDSZ); } continue; - } - if ((n == -1) && (errno == PORT_WOULDBLK)) - continue; - if (n <= 0) { - sqrm(sp); - continue; } /* * Consult database to get the answer. --- 915,920 ----

--
Mark Andrews, CSIRO Mathematical and Information Sciences
Locked Bag 17, North Ryde, NSW 2113, Australia.
PHONE: +61 2 9325 3148
INTERNET: Mark.Andrews@cmis.csiro.au
MOBIL: +61 41 442 9884
UUCP:....!uunet!cmis.csiro.au!mark.andrews

----- End of forwarded message from Mark.Andrews@cmis.csiro.au -----

--
To err is human, to forgive is Not Company Policy.
-- Jared Mauch - CICNet - jared@cic.net - http://www.cic.net/ - visit my personal page at http://puck.nether.net/~jared/

===================END FORWARDED MESSAGE===================
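Review bot: the checks added in the 866,877 hunk now sit directly after the bookkeeping `sp->s_bufp += n; sp->s_size -= n; }` and ahead of the "we don't have enough memory for the query" branch, which is the right place: a stream whose read returned EOF or a hard error is removed with `sqrm(sp)` before the code can try to write an error response onto it, which is the read/write loop on ECONNRESET and EPIPE that the report traced. Two points deserve a comment above the block, since the patch carries none: the `errno == PORT_WOULDBLK` test must stay ahead of `n <= 0` because a -1 return satisfies both, and errno is only meaningful there because, in the visible context, nothing but that arithmetic runs between the read and the test. The 909,920 hunk should be checked line for line against the additions: as shown it deletes the same four statements and keeps the closing `}` of the surrounding block, so the two hunks together are a move of the check rather than a removal of it.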
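The handling Mark's patch restores, written out as an added example that is not part of this thread or of BIND: a poll-loop helper that classifies each read() result and drops a connection on EOF or a hard error instead of answering it. The names (classify_read, service_client, run_scenario) are this example's own, and the misbehaving peer from the report is simulated with socketpair so the code runs offline.

```c
/* Added example, not BIND's code: read() handling for a non-blocking client socket; names are this example's own. */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/socket.h>
#include <unistd.h>

enum rd_action { RD_MORE, RD_WOULDBLOCK, RD_DROP };

/* Classify one read() result. Order matters: n == -1 with EAGAIN/EWOULDBLOCK must be
 * tested before the generic n <= 0 case, which it also satisfies. */
enum rd_action classify_read(ssize_t n, int err)
{
    if (n == -1 && (err == EAGAIN || err == EWOULDBLOCK))
        return RD_WOULDBLOCK;   /* no data yet; keep the connection */
    if (n <= 0)
        return RD_DROP;         /* EOF or a hard error such as ECONNRESET: close, send nothing */
    return RD_MORE;             /* n bytes arrived */
}

/* Drain what is readable into buf. On EOF/error the fd is closed and RD_DROP returned,
 * so an error reply can never be attempted on a connection that has gone away. */
enum rd_action service_client(int fd, char *buf, size_t cap, size_t *len)
{
    while (*len < cap) {        /* stop once the buffer is full */
        ssize_t n = read(fd, buf + *len, cap - *len);
        enum rd_action a = classify_read(n, errno);
        if (a != RD_MORE) {
            if (a == RD_DROP)
                close(fd);
            return a;
        }
        *len += (size_t)n;
    }
    return RD_MORE;             /* full buffer; the caller parses it */
}

/* Constructed scenario modelled on the report: the peer sends a junk line and then
 * either hangs up (hangup != 0) or just goes quiet. Returns the server's action. */
int run_scenario(int hangup)
{
    int sv[2], a; char buf[64]; size_t len = 0;
    signal(SIGPIPE, SIG_IGN);   /* a stray write to a dead peer must fail with EPIPE, not kill the daemon */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || fcntl(sv[0], F_SETFL, O_NONBLOCK) == -1)
        return -1;
    if (write(sv[1], "foobar\r\n", 8) != 8)
        return -1;
    if (hangup) close(sv[1]);   /* the client quits, as in the telnet reproduction */
    a = service_client(sv[0], buf, sizeof buf, &len);
    if (a != RD_DROP) close(sv[0]);
    if (!hangup) close(sv[1]);
    return a;                   /* hangup: RD_DROP; quiet peer: RD_WOULDBLOCK */
}
```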