bind qinv

DOVES Vulnerability V-00102

DOVES Project
Computer Security Laboratory
Department of Computer Science
University of California at Davis



Description

Brief summary: BIND Inverse-Query buffer overflow

Detailed description: BIND does not check the bounds of a memory copy when building a response to an inverse query request. By sending an appropriately formatted inverse-query on a TCP stream, an attacker can overwrite the stack and execute commands with the privilege of the BIND daemon, namely root.

Components: bind 8.1.1 and earlier, bind 4.9.6 and earlier

Operating system(s): Caldera OpenLinux; IBM AIX 4.3.x and earlier; NEC UX/4899 R11.x, R13.x; NetBSD 1.3, 1.3.1, -current before 19980408; Red Hat Linux 5.0, 4.2; SCO Open Desktop/Open Server 3.0, SCO UNIX 3.2v4, SGI IRIX 3.X-6.X; OpenServer 5.0 (also SCO Internet FastStart), UnixWare 2.1, UnixWare 7; Solaris 5.3, 5.4, 5.5, 5.5.1, 5.6; Data General earlier than R4.20MU04. Not vulnerable: BSD/OS 3.0/3.1 as shipped, and later; Data General R4.20MU04 and later; FreeBSD 2.2.0 and later; SCO CMW+ 3.0.

The attacker can execute code with the privileges of the BIND daemon.

How to detect:

  1. BIND version 8:
    1. Look at the options block in the configuration file for BIND. If the line
      fake-iquery yes;
      is there, you are vulnerable.
  2. BIND version 4.9:
    1. Look at the options block in the configuration file for BIND. If the line
      fake-iquery yes;
      is there, you are vulnerable.
    2. Check the source header file "conf/options.h". If the line
      #define INVQ
      is there (not commented out), you are vulnerable.

How to fix:

  1. Upgrade to the latest version of BIND or apply the relevant patch.
  2. Disable inverse queries.
    1. Edit the config file, either deleting the following line or changing the "yes" to "no":
      fake-iquery yes;
    2. If you are running BIND 4.9, also edit the source header file "conf/options.h" and delete or comment out the line
      #define INVQ
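The two checks above, as an added audit script (not DOVES or ISC code): it strips comments before matching, so a directive that was commented out as part of the fix is not reported as a hit. The file paths and the sample files are constructed for the example; point it at your own named.conf and conf/options.h.

```shell
#!/bin/sh
# Audit for the two indicators in this entry. Not part of the DOVES entry.

# named.conf (BIND 8 and 4.9): exit 0 if an active "fake-iquery yes;" is present.
# named.conf allows /* */, // and # comments; single-line forms are stripped.
fake_iquery_enabled() {
    sed -e 's|/\*.*\*/||g' -e 's|//.*$||' -e 's|#.*$||' "$1" |
        grep -Eiq '^[[:space:]]*fake-iquery[[:space:]]+yes[[:space:]]*;'
}

# conf/options.h (BIND 4.9): exit 0 if "#define INVQ" is active.
# '#' introduces the preprocessor line here, so only C comments are stripped.
invq_defined() {
    sed -e 's|/\*.*\*/||g' -e 's|//.*$||' "$1" |
        grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+INVQ([[:space:]]|$)'
}

# Report on a config file and a header; pass "-" to skip either one.
# Returns 1 if any indicator is found, 0 otherwise.
bind_iquery_audit() {
    rc=0
    if [ "$1" != "-" ] && fake_iquery_enabled "$1"; then
        echo "VULNERABLE: $1 enables fake-iquery"; rc=1
    fi
    if [ "$2" != "-" ] && invq_defined "$2"; then
        echo "VULNERABLE: $2 defines INVQ"; rc=1
    fi
    return $rc
}

# Constructed sample inputs so the script runs stand-alone.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/named.conf" <<'EOF'
options {
    directory "/var/named";
    // fake-iquery yes;    (commented out: must not match)
    fake-iquery yes;
};
EOF
printf '/* #define INVQ */\n#define INVQ\n' > "$tmp/options.h"
printf '/* #define INVQ */\n' > "$tmp/options-fixed.h"

bind_iquery_audit "$tmp/named.conf" "$tmp/options.h" && echo "no indicators found"
```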

Other information:


Keywords

buffer overflow, BIND, named, network, stack overflow

Cataloguing Information

PA Classification:

RISOS Classification:

Davis Classification:

Common Vulnerability Exposure: Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases [CVE-1999-0009]


Exploits

Attacks: See Doves exploit #102 and Doves exploit #103.


Related Information

Advisories:

Related DOVES entries:


History

Who reported it: CERT, in CERT Advisory CA-98.05, "Multiple Vulnerabilities in BIND", item 1, "Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases", on Apr. 8, 1998; gut@SHELL.CDC.NET, who posted the exploit to Bugtraq on May 31, 1998.


Revision #1

  1. Stacey Anderson on 7/29/2000
    Initial entry


Send email to doves@cs.ucdavis.edu

Department of Computer Science
University of California at Davis
One Shields Ave.
Davis, CA 95616-8562


Page created August 28, 2000 at 16:41:45 GMT
