[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : BIND remotely exploitable buffer overflow

Title: BIND remotely exploitable buffer overflow
Released by: FreeBSD
Date: 31st January 2001
Printable version: Click here
-----BEGIN PGP SIGNED MESSAGE-----



=============================================================================

FreeBSD-SA-01:18                                           Security Advisory

                                                                FreeBSD, Inc.



Topic:          BIND remotely exploitable buffer overflow



Category:       core, ports

Module:         bind

Announced:      2001-01-31

Credits: COVERT Labs 

                Claudio Musmarra

Affects:        All released versions of FreeBSD 3.x, 4.x.

FreeBSD 3.5-STABLE prior to the correction date.

FreeBSD 4.2-STABLE prior to the correction date.

Ports collection prior to the correction date.

Corrected:      2001-01-30 (FreeBSD 3.5-STABLE)

2001-01-29 (FreeBSD 4.2-STABLE)

2001-01-29 (Ports collection)

Vendor status:  Updated version released

FreeBSD only:   NO



I.   Background



BIND is an implementation of the Domain Name Service (DNS) protocols.



II.  Problem Description



An overflowable buffer related to the processing of transaction

signatures (TSIG) exists in all versions of BIND prior to

8.2.3-RELEASE.  The vulnerability is exploitable regardless of

configuration options and affects both recursive and non-recursive DNS

servers.



Additional vulnerabilities allow the leaking of environment variables

and the contents of the program stack.  These vulnerabilities may

assist the ability of attackers to exploit the primary vulnerability

described above, and make provide additional information about the

state or configuration of the system.



All previous versions of BIND 8, such as the beta versions included in

FreeBSD 4.x prior to the correction date (designated the version

number BIND 8.2.3-T<#>B) are vulnerable to this problem.  Systems

running versions of BIND 9.x (available in the FreeBSD ports

collection) are unaffected.



Further information about the vulnerabilities is contained in the CERT

advisory located at:



http://www.cert.org/advisories/CA-2001-02.html



Note that this advisory also describes vulnerabilities in the BIND 4.x

software, which is not included in any recent version of FreeBSD.



All versions of FreeBSD 3.x and 4.x prior to the correction date

including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this

problem, if they have been configued to run named (this is not enabled

by default).  In addition, the bind8 port in the ports collection

(versions prior to 8.2.3) is also vulnerable.



To check whether a DNS server is running a vulnerable version of BIND,

perform the following command as any user:



% dig @serverip version.bind. CHAOS TXT



The following segment of output indicates a non-vulnerable server

running BIND 8.2.3-RELEASE:



...

;; ANSWER SECTION:

VERSION.BIND.           0S CHAOS TXT    "8.2.3-REL"

...



III. Impact



Malicious remote users can cause arbitrary code to be executed as the

user running the named daemon.  This is often the root user, although

FreeBSD provides built-in support for the execution of named as an

unprivileged 'bind' user, which greatly limits the scope of the

vulnerability should a successful penetration take place.



IV.  Workaround



There is no known practical workaround to prevent the vulnerability

from being exploited, short of upgrading the software.  A partial

workaround to limit the impact of the vulnerability should it be

exploited is to run named as an unprivileged user.



Add the following line to /etc/rc.conf:



named_flags="-u bind -g bind"  # Flags for named



Add the following line to your /etc/namedb/named.conf file, in the

"options" section:



pid-file "/var/named/named.pid";



See the named.conf(5) manual page for more details about configuring

named.



Perform the following commands as root:



Create a directory writable by the bind user where named can store its

pid file:



# mkdir /var/named

# chown bind:bind /var/named



Shut down the DNS server:



# ndc stop



Restart it using the non-privileged user and group:



# ndc -p /var/named/named.pid start -u bind -g bind



Note that when not running as the root user, named will lose the

ability to re-bind to interfaces which change address, or which are

added to the system after named has been started.  If such an event

takes place, named will need to be stopped and restarted in order to

re-bind to the interface(s).  See the ndc(8) manual page for more

information about how to do this.



Use of the -t option to named will also increase security when run as

a non-privileged user by confining the named process to a chroot

environment and thereby partially limiting the access it has to the

rest of the system.  Configuration of these options is beyond the

scope of the advisory.  The following website contains information

which may be useful to administrators wishing to perform this step:



http://www.losurs.org/docs/howto/Chroot-BIND.html



Note that this tutorial does not specifically relate to FreeBSD, and

the information contained therein may need to be modified for FreeBSD

systems.



Note that such a penetration of the unprivileged bind user may still

allow the attacker to take advantage of a local security vulnerability

or misconfiguration to further increase privileges.  Therefore this

should only be considered a temporary workaround while preparations

can be made to upgrade permanently.



It is recommended that all affected users upgrade their systems

immediately as described in the following section.



V.   Solution



Note that BIND 8.2.3-RELEASE is more strict about invalid zone file

syntax than older versions.  DNS zones which contain errors may need

to be corrected before the new version can be run.



[Base system]



Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE

after the respective correction dates.



A binary tarball containing the updated BIND files may be released in

a few days, but is being held back for quality assurance reasons.  In

the meantime an unofficial tarball is available from the following

location.  Users are advised that the following tarball has not been

tested on a production system, and those wishing to perform an upgrade

without upgrading the entire OS are advised to use the bind8 port as

described below.



http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz

http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz.asc



To fetch and install it, perform the following actions as root:



# fetch http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz

# fetch http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz.asc



Verify the detached PGP signature using your PGP utility.



# cd /

# tar xvfz /path/to/bind-8.2.3-4.x.tgz



Stop and restart the named process as shown:



# ndc restart



See the note in the previous section about how to restart ndc as a

non-privileged user if it has been configued to run that way.



[Ports collection]



If you have chosen to install BIND from the ports collection and are

using it instead of the version in the base system, perform one of the

following steps:



1) Update your entire ports collection and rebuild the bind8 port.



If you are installing the port for the first time, be sure to edit the

named_program variable in /etc/rc.conf to point to the installed

location of the named executable.



The bind8 port can be configured to install itself in /usr and read

configuration data from /etc so that it is drop-in compatible with the

system version of BIND.  Install the port as follows:



# cd /usr/ports/net/bind8

# make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb \

 DESTRUN=/var/run all install clean



If you install the BIND port over the top of the system version in

this way, be sure to add the following line to /etc/make.conf to

prevent the future rebuilding of the system version during 'make

world':



NO_BIND=       true    # do not build BIND



2) Deinstall the old package and install a new package dated after the

correction date, obtained from:



[i386]

http://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/bind-8.2.3.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/bind-8.2.3.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/bind-8.2.3.tgz



NOTE: It may be several days before updated packages are available.



[alpha]

Packages are not automatically generated for the alpha architecture at

this time due to lack of build resources.



3) download a new port skeleton for the bind8 port from:



http://www.freebsd.org/ports/



and use it to rebuild the port.



4) Use the portcheckout utility to automate option (3) above.  The

portcheckout port is available in /usr/ports/devel/portcheckout or the

package can be obtained from:



http://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz



-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.0.4 (FreeBSD)

Comment: For info see http://www.gnupg.org



iQCVAwUBOniArlUuHi5z0oilAQGE+AQAiwizuORMqyzOw21QFyap2Z7lv7BkYuiC

9zZ97X3WR+i8AujTfIrhwK1UdO6KFbp5Rjc54f3XHtaMotoRcp3x24xADpGQDP4s

Xyw267ZoV7ZYuG6VcAgBzq9pqiCnU9rqRQy2aRn/8iCvcl/G5249B3DuMMtLiMw+

Iuz0OOxWeLM=

=hanM

-----END PGP SIGNATURE-----








(C) 1999-2000 All rights reserved.