bind.nxt.txt

1999-11-12T00:00:00
ID PACKETSTORM:11507
Type packetstorm
Reporter Packet Storm
Modified 1999-11-12T00:00:00

Description

                                        
http://www.isc.org/products/BIND/bind-security-19991108.html  
  
  
Name: "nxt bug"  
  
Versions affected: 8.2, 8.2 patchlevel 1, 8.2.1  
Severity: CRITICAL  
Exploitable: Remotely  
Type: Access possible  
  
Description:  
  
A bug in the processing of NXT records can theoretically allow an  
attacker to gain access to the system running the DNS server at  
whatever privilege level the DNS server runs at.  
  
Workarounds:  
  
None.  
  
Active Exploits:  
  
At this time, ISC is unaware of any active exploits of this  
vulnerability however given the potential access this vulnerability  
represents, it is probable scripts will be created in the near future  
that make use of this vulnerability.  
  
  
  
Reply-To: Anonymous <nobody@REPLAY.COM>  
Comments: This message did not originate from the Sender address above.  
It was remailed automatically by anonymizing remailer software.  
Please report problems or inappropriate use to the remailer  
administrator at <abuse@replay.com>.  
X-To: BUGTRAQ@SECURITYFOCUS.COM  
To: BUGTRAQ@SECURITYFOCUS.COM  
  
Ooh, those pesky NXT records. Like I process those every day.  
Fascinating read in RFC 2535, but suppose I don't have any NXT  
records in my own zones, under what circumstances will my DNS server  
commit the sin of "the processing of NXT records"? In other words,  
are all of us vulnerable (even caching-only name servers if so, I  
imagine!), or only people with NXT records? This makes a big difference!  
  
  
Subject: Re: your mail  
X-To: BUGTRAQ@SECURITYFOCUS.COM  
To: BUGTRAQ@SECURITYFOCUS.COM  
  
On Thu, 11 Nov 1999, Anonymous wrote:  
  
> Ooh, those pesky NXT records. Like I process those every day.  
> Fascinating read in RFC 2535, but suppose I don't have any NXT  
> records in my own zones, under what circumstances will my DNS server  
> commit the sin of "the processing of NXT records"? In other words,  
> are all of us vulnerable (even caching-only name servers if so, I  
> imagine!), or only people with NXT records? This makes a big difference!  
  
Caching-only servers are also vulnerable. The NXT record is no different  
than any other DNS record in this case. If someone is able to make your  
server fetch a maliciously-constructed NXT record, it will cause problems.  
A query to a caching server will force the server to send a recursive  
query, which makes the caching server vulnerable.  
  
Brian  
  
  
Date: Fri, 12 Nov 1999 05:20:55 +0100  
From: Alain Thivillon <Alain.Thivillon@HSC.FR>  
Subject: Re: your mail  
To: BUGTRAQ@SECURITYFOCUS.COM  
  
  
Anonymous <nobody@REPLAY.COM> wrote:  
  
> commit the sin of "the processing of NXT records"? In other words,  
> are all of us vulnerable (even caching-only name servers if so, I  
> imagine!), or only people with NXT records? This makes a big difference!  
  
[ NB : I can be wrong, don't flame me :) ]  
  
Examining diffs between 8.2.1 and 8.2.2PL3 shows a rewrite of the code handling  
external responses to an NXT query coming from BIND itself (see  
bin/named/ns_resp.c). So I suppose, if your name server is public and  
recursive, an external attacker can query your BIND for an NXT record in  
another zone. If he has control of the name server of this zone, he can  
send offending responses and trigger the bug.  
  
I suspect every public server with 8.2 <= bind < 8.2.3PL3 is vulnerable.  
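
The attack path Alain describes, a recursive server fetching an NXT record from an authoritative server the attacker controls, means the resolver has to treat NXT RDATA as hostile input and bounds-check it before using or caching it. The following is an added example for this page, not BIND's code and not the 8.2.2 fix: a strict parser for NXT RDATA as laid out in RFC 2535 section 5.2 (a next-domain name in wire format, then a type bit map of at most 16 octets with bit 0 clear). The function and exception names are ours, the sample records are constructed, and compression pointers in the next-domain name are rejected as a simplification, since the RDATA is checked here without its enclosing message.

```python
"""Strict parser for the RDATA of a DNS NXT record (RFC 2535, section 5.2).

Added example, not BIND source.  Layout per RFC 2535: a next-domain-name in
DNS wire format, followed by a type bit map covering types 0..127 (so 1..16
octets) whose bit 0 must be clear.  Names, exception class and helpers below
are this example's own; sample RDATA is constructed, not captured traffic.
"""

MAX_BITMAP_OCTETS = 16   # RFC 2535: bit map covers types 0..127 only
MAX_NAME_OCTETS = 255    # RFC 1035: wire-format name length limit


class MalformedNXT(ValueError):
    """Raised when NXT RDATA violates the RFC 2535 layout."""


def parse_name(rdata: bytes, offset: int) -> tuple:
    """Parse an uncompressed wire-format name at `offset`.

    Returns (presentation name, offset just past the root label).  Compression
    pointers are rejected because the RDATA is validated on its own here,
    without the enclosing DNS message (a simplification of this example).
    """
    start = offset
    labels = []
    while True:
        if offset >= len(rdata):
            raise MalformedNXT("name runs past end of RDATA")
        length = rdata[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise MalformedNXT("compression pointer or extended label not accepted")
        if offset + length > len(rdata):
            raise MalformedNXT("label runs past end of RDATA")
        labels.append(rdata[offset:offset + length].decode("ascii", "backslashreplace"))
        offset += length
    if offset - start > MAX_NAME_OCTETS:
        raise MalformedNXT("name longer than 255 octets")
    return ".".join(labels) + ".", offset


def parse_nxt_rdata(rdata: bytes) -> tuple:
    """Return (next_domain_name, set of type codes) or raise MalformedNXT."""
    next_name, pos = parse_name(rdata, 0)
    bitmap = rdata[pos:]
    if not 1 <= len(bitmap) <= MAX_BITMAP_OCTETS:
        raise MalformedNXT(
            f"type bit map has {len(bitmap)} octets, expected 1..{MAX_BITMAP_OCTETS}")
    if bitmap[0] & 0x80:
        raise MalformedNXT("bit 0 set: extended bit map format not accepted")
    types = {i for i in range(len(bitmap) * 8) if bitmap[i // 8] & (0x80 >> (i % 8))}
    return next_name, types


def classify(rdata: bytes) -> str:
    """Decision a resolver should take before using or caching the record."""
    try:
        parse_nxt_rdata(rdata)
        return "ok"
    except MalformedNXT as exc:
        return f"rejected: {exc}"


def build_nxt_rdata(next_name: str, types: set) -> bytes:
    """Encode NXT RDATA; used only to construct the sample inputs below."""
    labels = [lbl for lbl in next_name.rstrip(".").split(".") if lbl]
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    bitmap = bytearray(max(types) // 8 + 1)
    for t in types:
        bitmap[t // 8] |= 0x80 >> (t % 8)
    return wire + bytes(bitmap)


# Constructed sample records: A, NS, SIG(24) and NXT(30) for a well-formed one,
# then the kinds of damage an attacker-controlled authoritative server can send.
GOOD = build_nxt_rdata("b.example.", {1, 2, 24, 30})               # 11-octet name + 4-octet map
OVERSIZED = build_nxt_rdata("b.example.", {1, 30}) + b"\x00" * 20  # 24-octet bit map
TRUNCATED = GOOD[:4]                                               # name cut off mid-label
NO_BITMAP = GOOD[:11]                                              # name only, empty bit map

if __name__ == "__main__":
    for label, rdata in (("good", GOOD), ("oversized", OVERSIZED),
                         ("truncated", TRUNCATED), ("no_bitmap", NO_BITMAP)):
        print(f"{label:10s} {classify(rdata)}")
```

The point of the three malformed inputs is that each is a fully valid DNS response as far as the message header and RR framing go; only the RDATA length bookkeeping inside the NXT record is off, which is exactly what a resolver that trusts RDLENGTH and the type bit map without these checks will mishandle.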
  
  
  
Reply-To: "David R. Conrad" <David_Conrad@ISC.ORG>  
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>  
Organization: Internet Software Consortium  
X-To: Anonymous <nobody@REPLAY.COM>  
X-cc: BUGTRAQ@SECURITYFOCUS.COM  
To: BUGTRAQ@SECURITYFOCUS.COM  
  
Hi,  
  
The problem is with the reception of NXT records, so it doesn't matter what  
you have in your own zone files. Any nameserver running versions 8.2, 8.2  
patchlevel 1, or 8.2.1 can be susceptible to the attack (albeit there are some  
pre-conditions that must be met for the issue to even come up). We, of  
course, recommend upgrading. In addition, we recommend running your  
nameserver as non-root and chrooted (I know setting this up is non-trivial --  
it'll be much, much easier in BINDv9).  
  
Rgds,  
-drc  
  
Anonymous wrote:  
> Ooh, those pesky NXT records. Like I process those every day.  
> Fascinating read in RFC 2535, but suppose I don't have any NXT  
> records in my own zones, under what circumstances will my DNS server  
> commit the sin of "the processing of NXT records"? In other words,  
> are all of us vulnerable (even caching-only name servers if so, I  
> imagine!), or only people with NXT records? This makes a big difference!  
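
David Conrad's two mitigations, a non-root named and a chroot, can be checked on a running host rather than assumed. The following is an added example, not ISC's code: it audits a ps-style process listing for named processes still running as root or started without the BIND 8 `-t` chroot switch. The listing is constructed, the set of value-taking switches is our assumption from the BIND 8 named options (`-u`, `-g`, `-t` and the config/port/debug switches), and reading argv is a shortcut that a real audit would back with the process's effective uid and /proc/<pid>/root.

```python
"""Audit a process listing for named instances ignoring the ISC advice above
(run as non-root, chrooted).  Added example, not ISC tooling.  It reads the
BIND 8 named switches -u (user), -g (group) and -t (chroot directory) from
the command line; the ps-style text below is constructed, not captured.
Trusting argv is a shortcut: a real audit also checks the process's effective
uid and /proc/<pid>/root, since a command line can be spoofed or stale.
"""
import shlex

# Constructed `ps -eo pid,user,args`-style listing (not real output):
PS_SAMPLE = """\
  PID USER     COMMAND
  412 root     /usr/sbin/named -b /etc/named.conf
  981 named    /usr/sbin/named -u named -g named
 1204 named    /usr/sbin/named -u named -g named -t /var/named
 2210 root     /usr/sbin/sshd
"""

# BIND 8 named options that consume a following argument (assumed list).
OPTS_WITH_VALUE = {"-b", "-c", "-p", "-u", "-g", "-t", "-d"}


def parse_ps(text: str) -> list:
    """Return [(pid, user, argv), ...] from a pid/user/args listing, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        pid, user, args = parts
        rows.append((int(pid), user, shlex.split(args)))
    return rows


def named_switches(argv: list) -> dict:
    """Map each value-taking switch on a named command line to its argument."""
    opts = {}
    it = iter(argv[1:])
    for tok in it:
        if tok in OPTS_WITH_VALUE:
            opts[tok] = next(it, None)
    return opts


def audit(text: str) -> list:
    """Return (pid, finding) pairs for every named process that is root or not chrooted."""
    findings = []
    for pid, user, argv in parse_ps(text):
        if not argv or argv[0].rsplit("/", 1)[-1] != "named":
            continue
        opts = named_switches(argv)
        if user == "root":
            findings.append((pid, "running as root (no effective -u)"))
        if not opts.get("-t"):
            findings.append((pid, "not chrooted (no -t)"))
    return findings


if __name__ == "__main__":
    for pid, finding in audit(PS_SAMPLE):
        print(f"pid {pid}: {finding}")
```

In the constructed listing only pid 1204 meets both recommendations; pid 412 is flagged twice, and pid 981 dropped privileges but still has the whole filesystem in reach, which is the case the chroot is meant to close.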
  
  
  